Move policy enforcement into REST API layer for v2.1 ips
This patch moves the policy enforcement into the REST API layer for the v2.1 ips extension and adds related unit tests. Because the ips extension had no policy rules before, this patch also adds policy rules for it. Partially implements bp v3-api-policy DocImpact Change-Id: I9cf45390af6f60ef420b33b3037f618f67276e88
This commit is contained in:
parent
fa5dc30133
commit
03134f2378
@ -200,6 +200,8 @@
|
||||
"compute_extension:v3:os-instance-usage-audit-log": "rule:admin_api",
|
||||
"compute_extension:v3:os-instance-usage-audit-log:discoverable": "",
|
||||
"compute_extension:v3:ips:discoverable": "",
|
||||
"compute_extension:v3:ips:index": "rule:admin_or_owner",
|
||||
"compute_extension:v3:ips:show": "rule:admin_or_owner",
|
||||
"compute_extension:keypairs": "",
|
||||
"compute_extension:keypairs:index": "",
|
||||
"compute_extension:keypairs:show": "",
|
||||
|
@ -23,6 +23,7 @@ from nova.api.openstack import wsgi
|
||||
from nova.i18n import _
|
||||
|
||||
ALIAS = 'ips'
|
||||
authorize = extensions.os_compute_authorizer(ALIAS)
|
||||
|
||||
|
||||
class IPsController(wsgi.Controller):
|
||||
@ -32,11 +33,12 @@ class IPsController(wsgi.Controller):
|
||||
|
||||
def __init__(self, **kwargs):
|
||||
super(IPsController, self).__init__(**kwargs)
|
||||
self._compute_api = nova.compute.API()
|
||||
self._compute_api = nova.compute.API(skip_policy_check=True)
|
||||
|
||||
@extensions.expected_errors(404)
|
||||
def index(self, req, server_id):
|
||||
context = req.environ["nova.context"]
|
||||
authorize(context, action='index')
|
||||
instance = common.get_instance(self._compute_api, context, server_id)
|
||||
networks = common.get_networks_for_instance(context, instance)
|
||||
return self._view_builder.index(networks)
|
||||
@ -44,6 +46,7 @@ class IPsController(wsgi.Controller):
|
||||
@extensions.expected_errors(404)
|
||||
def show(self, req, server_id, id):
|
||||
context = req.environ["nova.context"]
|
||||
authorize(context, action='show')
|
||||
instance = common.get_instance(self._compute_api, context, server_id)
|
||||
networks = common.get_networks_for_instance(context, instance)
|
||||
if id not in networks:
|
||||
|
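Review bot: The `authorize(context, action='index')` call added ahead of `common.get_instance` in the `-32,11 +33,12` hunk passes no target, so the `rule:admin_or_owner` default this patch assigns to `compute_extension:v3:ips:index` is evaluated against the caller's own project and cannot express ownership of `server_id`; as far as these hunks show, instance ownership continues to rest on the project scoping inside `common.get_instance`, which the patch leaves untouched. Because the constructor now builds `nova.compute.API(skip_policy_check=True)`, the compute-layer check that `get_instance` used to trigger is presumably off as well, leaving this extension rule as the only policy gate on the path, which is worth recording beside the call: `# No target: the rule only gates the extension; instance ownership is enforced by get_instance's project scoping.` The same applies to the `authorize(context, action='show')` line in the following hunk. If the callable returned by `os_compute_authorizer` accepts a target, authorizing against the fetched instance's `project_id` after the lookup would make the `admin_or_owner` rule meaningful, at the cost of a lookup before the policy decision.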
@ -3413,3 +3413,34 @@ class TestServersExtensionSchema(test.NoDBTestCase):
|
||||
|
||||
actual_schema = self._test_load_extension_schema('resize')
|
||||
self.assertEqual(expected_schema, actual_schema)
|
||||
|
||||
|
||||
# TODO(alex_xu): There isn't specified file for ips extension. Most of
|
||||
# unittest related to ips extension is in this file. So put the ips policy
|
||||
# enforcement tests at here until there is specified file for ips extension.
|
||||
class IPsPolicyEnforcementV21(test.NoDBTestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(IPsPolicyEnforcementV21, self).setUp()
|
||||
self.controller = ips.IPsController()
|
||||
self.req = fakes.HTTPRequest.blank('')
|
||||
|
||||
def test_index_policy_failed(self):
|
||||
rule_name = "compute_extension:v3:ips:index"
|
||||
self.policy.set_rules({rule_name: "project:non_fake"})
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller.index, self.req, fakes.FAKE_UUID)
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % rule_name,
|
||||
exc.format_message())
|
||||
|
||||
def test_show_policy_failed(self):
|
||||
rule_name = "compute_extension:v3:ips:show"
|
||||
self.policy.set_rules({rule_name: "project:non_fake"})
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller.show, self.req, fakes.FAKE_UUID, fakes.FAKE_UUID)
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % rule_name,
|
||||
exc.format_message())
|
||||
|
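Review bot: `test_index_policy_failed` and `test_show_policy_failed` repeat the same set-rule / assertRaises / assertEqual sequence and differ only in the rule name, the controller method and the positional arguments, so a small helper on `IPsPolicyEnforcementV21` would keep the two cases to one line each and make the next ips action cheap to cover. Both tests also rely on `fakes.FAKE_UUID` not being stubbed, so the `PolicyNotAuthorized` they expect only arrives because `authorize` runs before `common.get_instance`; a one-line comment stating that ordering, `# authorize must fire before the instance lookup, otherwise this would be a 404`, would stop a later reorder from silently turning these into lookup-failure tests. The proposed helper is below; the `setUp` method is unchanged.
```python
    def _assert_policy_rejected(self, rule_name, method, *args):
        # Deny the rule, call the handler and check the reported rule name.
        self.policy.set_rules({rule_name: "project:non_fake"})
        exc = self.assertRaises(exception.PolicyNotAuthorized,
                                method, self.req, *args)
        self.assertEqual(
            "Policy doesn't allow %s to be performed." % rule_name,
            exc.format_message())

    def test_index_policy_failed(self):
        self._assert_policy_rejected("compute_extension:v3:ips:index",
                                     self.controller.index, fakes.FAKE_UUID)

    def test_show_policy_failed(self):
        self._assert_policy_rejected("compute_extension:v3:ips:show",
                                     self.controller.show,
                                     fakes.FAKE_UUID, fakes.FAKE_UUID)
```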
@ -179,6 +179,8 @@ policy_data = """
|
||||
"compute_extension:extended_ips_mac": "",
|
||||
"compute_extension:extended_vif_net": "",
|
||||
"compute_extension:extended_volumes": "",
|
||||
"compute_extension:v3:ips:index": "",
|
||||
"compute_extension:v3:ips:show": "",
|
||||
"compute_extension:v3:os-extended-volumes": "",
|
||||
"compute_extension:v3:os-extended-volumes:swap": "",
|
||||
"compute_extension:v3:os-extended-volumes:attach": "",
|
||||
|