Introduce scope_types in os-services

oslo.policy introduced the scope_type feature which can
control the access level at system-level and project-level.
 - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
 - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html

There are two types of scope:
1. 'system': a policy with 'system' scope means users with a
'system-scoped' token have permission to access, otherwise not.
This scope type can be applied to API policies which need
access permission at the system level.

2. 'project': a policy with 'project' scope means users with a
'project-scoped' token have permission to access.
This scope type can be applied to API policies which need
access permission at the project level.

Any policy that needs permission for both scopes 'system' and 'project'
can be added with both scopes, for example: scope_type['system', 'project']

This commit introduces scope_type for os-services API policies.

All the os-services policies are scoped as 'system' because
nova services operations should not be given access to
project-scoped tokens.

Also adds the test case with scope_type enabled and verifies that we
pass and fail the policy check with the expected contexts.

Partial implement blueprint policy-defaults-refresh

Change-Id: Ia6ad47e4e411c8c6f50c98807ee97f99297d97b8
Ghanshyam Mann 2019-11-25 17:44:15 +00:00
parent 68f195928e
commit 0012785501
2 changed files with 14 additions and 1 deletions
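The commit message above describes how a rule's scope_types interact with a system-scoped or project-scoped token once enforce_scope is turned on. The following is an added example, not code from the nova commit and not oslo.policy's own implementation: a minimal stand-in model in which `Context`, `Rule`, `enforce` and `ScopeError` are this example's assumptions rather than oslo.policy's real API, and the rule name and contexts are constructed to mirror the ones the test in this change uses.

```python
"""Added example, not code from the nova commit or from oslo.policy: a
minimal model of how a rule's ``scope_types`` gates a request once
``enforce_scope`` is turned on.  ``Context``, ``Rule``, ``enforce`` and
``ScopeError`` are this example's own simplified stand-ins (assumptions),
not oslo.policy's real API; the rule name and contexts are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional


class ScopeError(Exception):
    """Raised when the token's scope is not one of the rule's scope_types."""


@dataclass
class Context:
    """Stand-in for a request context built from a keystone token."""
    roles: List[str]
    system_scope: Optional[str] = None  # "all" for a system-scoped token
    project_id: Optional[str] = None    # set for a project-scoped token

    @property
    def scope(self) -> str:
        return "system" if self.system_scope else "project"


@dataclass
class Rule:
    """Stand-in for a policy rule: a required role plus allowed scopes."""
    name: str
    required_role: str
    # Default mirrors a rule that declares both scopes.
    scope_types: List[str] = field(default_factory=lambda: ["system", "project"])


def enforce(rule: Rule, ctx: Context, enforce_scope: bool) -> bool:
    """Return True if ctx may perform rule, False if the role check fails.

    Scope is checked before the role.  With enforce_scope=True a scope
    mismatch is a hard failure (ScopeError); with enforce_scope=False the
    mismatch is ignored and only the role decides, which is why the nova
    test has to flip enforce_scope on explicitly.
    """
    if ctx.scope not in rule.scope_types:
        if enforce_scope:
            raise ScopeError(f"{rule.name}: {ctx.scope}-scoped token, "
                             f"rule allows {rule.scope_types}")
        # enforce_scope off: fall through to the role check only
    return rule.required_role in ctx.roles


# Constructed rule matching the commit: os-services is system-only, admin role.
OS_SERVICES = Rule("os_compute_api:os-services", "admin", ["system"])

# Constructed contexts mirroring the ones named in the nova test.
SYSTEM_ADMIN = Context(roles=["admin", "member", "reader"], system_scope="all")
SYSTEM_MEMBER = Context(roles=["member", "reader"], system_scope="all")
PROJECT_ADMIN = Context(roles=["admin", "member", "reader"], project_id="p1")


def outcome(rule: Rule, ctx: Context, enforce_scope: bool = True) -> str:
    """Classify the result so the two failure modes are distinguishable."""
    try:
        return "allowed" if enforce(rule, ctx, enforce_scope) else "role-denied"
    except ScopeError:
        return "scope-denied"


if __name__ == "__main__":
    for label, ctx in [("system admin", SYSTEM_ADMIN),
                       ("system member", SYSTEM_MEMBER),
                       ("project admin", PROJECT_ADMIN)]:
        print(f"{label:14s} enforce_scope=True  -> {outcome(OS_SERVICES, ctx)}")
        print(f"{label:14s} enforce_scope=False -> {outcome(OS_SERVICES, ctx, False)}")
```

The point the model makes explicit is that the unauthorized contexts in the test fail for two different reasons: a system member fails the role check, while a project admin fails the scope check, and only the latter depends on enforce_scope being enabled.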


@ -59,7 +59,8 @@ services_policies = [
'method': 'DELETE',
'path': '/os-services/{service_id}'
}
]),
],
scope_types=['system']),
]
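Review bot: scope_types=['system'] on this rule only takes effect when enforce_scope is enabled, which the test in the next hunk has to do explicitly via self.flags(enforce_scope=True, group="oslo_policy"); since the hunk leaves the rule's description untouched, consider stating in that description that the listed DELETE/PUT/GET operations on /os-services require a system-scoped token, so operators reading the generated policy file see the requirement before they turn the flag on.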


@ -97,3 +97,15 @@ class ServicesScopeTypePolicyTest(ServicesPolicyTest):
def setUp(self):
super(ServicesScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Check that system admin is able to change the service
self.admin_authorized_contexts = [
self.system_admin_context]
# Check that non-system or non-admin is not able to change the service
self.admin_unauthorized_contexts = [
self.legacy_admin_context, self.system_member_context,
self.system_reader_context, self.system_foo_context,
self.project_admin_context, self.project_member_context,
self.other_project_member_context,
self.project_foo_context, self.project_reader_context
]
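Review bot: admin_unauthorized_contexts mixes two different failure reasons and a single "not authorized" assertion cannot tell them apart: system_member_context, system_reader_context and system_foo_context fail on role, while every project_* context (and legacy_admin_context) fails on scope because enforce_scope=True is set in setUp. Consider asserting separately that the project-scoped admin is rejected on scope rather than on role, so the test actually pins the scope_types behaviour this change introduces. The comment "Check that system admin is able to change the service" also under-describes the list, since the same contexts gate the GET operations covered by the rule in the previous hunk.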