Introduce scope_types in os-services
oslo.policy introduced the scope_type feature, which can control the access level at system level and project level.

- https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
- http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html

There are two types of scope:

1. 'system': a policy with 'system' scope means users with a 'system-scoped' token have permission to access, otherwise not. This scope type can be applied to API policies which need access permission at system level.
2. 'project': a policy with 'project' scope means users with a 'project-scoped' token have permission to access. This scope type can be applied to API policies which need access permission at project level.

Any policy needing permission for both scopes 'system' and 'project' can be added with both scopes, for example: scope_type['system', 'project']

This commit introduces scope_type for the os-services API policies. All the os-services policies are scoped as 'system' because nova services operations should not be given access to a project-scoped token.

Also adds the test case with scope_type enabled and verifies we pass and fail the policy check with the expected context.

Partial implement blueprint policy-defaults-refresh

Change-Id: Ia6ad47e4e411c8c6f50c98807ee97f99297d97b8
parent 68f195928e
commit 0012785501
@ -59,7 +59,8 @@ services_policies = [
'method': 'DELETE',
'path': '/os-services/{service_id}'
}
]),
],
scope_types=['system']),
]
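Review bot: the only visible change in this hunk is the new scope_types=['system'] keyword on the last policy of services_policies, with no change to the rule's check_str. oslo.policy does not enforce scope_types unless enforce_scope is turned on (the test hunk on this page has to set it explicitly with self.flags(enforce_scope=True, group="oslo_policy")), so with default settings a project-scoped token still passes this rule and only a warning is emitted; the commit message should say so, or a release note should tell operators what they have to enable. Please also confirm that every other entry of services_policies above this hunk carries the same scope_types, since the message states that all os-services policies are system-scoped and only one definition is shown here.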
@ -97,3 +97,15 @@ class ServicesScopeTypePolicyTest(ServicesPolicyTest):
def setUp(self):
super(ServicesScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Check that system admin is able to change the service
self.admin_authorized_contexts = [
self.system_admin_context]
# Check that non-system or non-admin is not able to change the service
self.admin_unauthorized_contexts = [
self.legacy_admin_context, self.system_member_context,
self.system_reader_context, self.system_foo_context,
self.project_admin_context, self.project_member_context,
self.other_project_member_context,
self.project_foo_context, self.project_reader_context
]
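Review bot: self.legacy_admin_context is listed in admin_unauthorized_contexts, so once enforce_scope=True an existing admin holding a project-scoped token is denied the os-services operations it could perform before; that is an upgrade impact the commit message does not call out and it deserves a release note and a line in the policy documentation. The test itself looks right for the stated intent (only self.system_admin_context is authorized, and system_member/system_reader/system_foo plus all project contexts are rejected), but please add a short comment on the legacy_admin_context entry explaining why it is expected to fail here, since a reader of the base ServicesPolicyTest will see that same context succeed.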