Merge "Add new default roles in server metadata policies"

2020-04-08 19:32:41 +00:00 · 2020-04-08 19:32:41 +00:00 · 0d1619ae0a
commit 0d1619ae0a
parent 57e9bfd0b0 59d5b0bcc5
2 changed files with 64 additions and 12 deletions
--- a/nova/policies/server_metadata.py
+++ b/nova/policies/server_metadata.py
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:server-metadata:%s'
 server_metadata_policies = [
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'index',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
        description="List all metadata of a server",
        operations=[
            {
@ -36,7 +36,7 @@ server_metadata_policies = [
    ),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'show',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
        description="Show metadata for a server",
        operations=[
            {
@ -48,7 +48,7 @@ server_metadata_policies = [
    ),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'create',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
        description="Create metadata for a server",
        operations=[
            {
@ -60,7 +60,7 @@ server_metadata_policies = [
    ),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'update_all',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
        description="Replace metadata for a server",
        operations=[
            {
@ -72,7 +72,7 @@ server_metadata_policies = [
    ),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'update',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
        description="Update metadata from a server",
        operations=[
            {
@ -84,7 +84,7 @@ server_metadata_policies = [
    ),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'delete',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
        description="Delete metadata from a server",
        operations=[
            {
--- a/nova/tests/unit/policies/test_server_metadata.py
+++ b/nova/tests/unit/policies/test_server_metadata.py
@ -50,15 +50,28 @@ class ServerMetadataPolicyTest(base.BasePolicyTest):
        # the server metadata
        self.admin_or_owner_unauthorized_contexts = [
            self.system_member_context, self.system_reader_context,
-            self.system_foo_context,
-            self.other_project_member_context
+            self.system_foo_context, self.other_project_member_context,
+            self.other_project_reader_context
+        ]
+        # Check that admin or and server owner is able to get
+        # the server metadata.
+        self.reader_authorized_contexts = [
+            self.legacy_admin_context, self.system_admin_context,
+            self.system_member_context, self.system_reader_context,
+            self.project_admin_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context]
+        # Check that non-admin/owner is not able to get
+        # the server metadata.
+        self.reader_unauthorized_contexts = [
+            self.system_foo_context, self.other_project_member_context,
+            self.other_project_reader_context
        ]

    @mock.patch('nova.compute.api.API.get_instance_metadata')
    def test_index_server_Metadata_policy(self, mock_get):
        rule_name = policies.POLICY_ROOT % 'index'
-        self.common_policy_check(self.admin_or_owner_authorized_contexts,
-                                 self.admin_or_owner_unauthorized_contexts,
+        self.common_policy_check(self.reader_authorized_contexts,
+                                 self.reader_unauthorized_contexts,
                                 rule_name,
                                 self.controller.index,
                                 self.req, self.instance.uuid)
@ -67,8 +80,8 @@ class ServerMetadataPolicyTest(base.BasePolicyTest):
    def test_show_server_Metadata_policy(self, mock_get):
        rule_name = policies.POLICY_ROOT % 'show'
        mock_get.return_value = {'key9': 'value'}
-        self.common_policy_check(self.admin_or_owner_authorized_contexts,
-                                 self.admin_or_owner_unauthorized_contexts,
+        self.common_policy_check(self.reader_authorized_contexts,
+                                 self.reader_unauthorized_contexts,
                                 rule_name,
                                 self.controller.show,
                                 self.req, self.instance.uuid, 'key9')
@ -128,3 +141,42 @@ class ServerMetadataScopeTypePolicyTest(ServerMetadataPolicyTest):
    def setUp(self):
        super(ServerMetadataScopeTypePolicyTest, self).setUp()
        self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class ServerMetadataNoLegacyPolicyTest(ServerMetadataScopeTypePolicyTest):
+    """Test Server Metadata APIs policies with system scope enabled,
+    and no more deprecated rules that allow the legacy admin API to
+    access system APIs.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(ServerMetadataNoLegacyPolicyTest, self).setUp()
+        # Check that system admin or project member is able to create, update
+        # and delete the server metadata.
+        self.admin_or_owner_authorized_contexts = [
+            self.system_admin_context, self.project_admin_context,
+            self.project_member_context]
+        # Check that non-system/admin/member is not able to create, update
+        # and delete the server metadata.
+        self.admin_or_owner_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_reader_context,
+            self.system_foo_context, self.system_member_context,
+            self.project_reader_context, self.project_foo_context,
+            self.other_project_member_context,
+            self.other_project_reader_context
+        ]
+        # Check that system admin or project member is able to
+        # get the server metadata.
+        self.reader_authorized_contexts = [
+            self.system_admin_context,
+            self.system_member_context, self.system_reader_context,
+            self.project_admin_context, self.project_member_context,
+            self.project_reader_context]
+        # Check that non-system/admin/member is not able to
+        # get the server metadata.
+        self.reader_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_foo_context,
+            self.project_foo_context, self.other_project_member_context,
+            self.other_project_reader_context
+        ]