Merge "Introduce scope_types in os-flavor-access"

nova/policies/flavor_access.py

@@ -25,39 +25,48 @@ POLICY_ROOT = 'os_compute_api:os-flavor-access:%s'
 
 flavor_access_policies = [
     policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'add_tenant_access',
-        base.RULE_ADMIN_API,
-        "Add flavor access to a tenant",
-        [
+        name=POLICY_ROOT % 'add_tenant_access',
+        check_str=base.RULE_ADMIN_API,
+        description="Add flavor access to a tenant",
+        operations=[
             {
                 'method': 'POST',
                 'path': '/flavors/{flavor_id}/action (addTenantAccess)'
             }
-        ]),
+        ],
+        scope_types=['system']),
     policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'remove_tenant_access',
-        base.RULE_ADMIN_API,
-        "Remove flavor access from a tenant",
-        [
+        name=POLICY_ROOT % 'remove_tenant_access',
+        check_str=base.RULE_ADMIN_API,
+        description="Remove flavor access from a tenant",
+        operations=[
             {
                 'method': 'POST',
                 'path': '/flavors/{flavor_id}/action (removeTenantAccess)'
             }
-        ]),
+        ],
+        scope_types=['system']),
     policy.DocumentedRuleDefault(
-        BASE_POLICY_NAME,
-        base.RULE_ADMIN_OR_OWNER,
-        """List flavor access information
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="""List flavor access information
 
 Allows access to the full list of tenants that have access
 to a flavor via an os-flavor-access API.
 """,
-        [
+        operations=[
             {
                 'method': 'GET',
                 'path': '/flavors/{flavor_id}/os-flavor-access'
             },
-        ]),
+        ],
+        # NOTE(gmann): This policy is admin_or_owner by default but allowed
+        # for everyone, bug#1867840. There can be multiple project with access
+        # to specific flavorso we cannot say there is single owner of flavor.
+        # Only admin should be able to list the projects having access to any
+        # flavor. We should change this policy defaults to admin only. I am
+        # seeting scope as 'system' only and new defaults can be SYSTEM_ADMIN.
+        scope_types=['system']),
 ]
 
 

nova/tests/unit/policies/test_flavor_access.py

@@ -117,3 +117,30 @@ class FlavorAccessScopeTypePolicyTest(FlavorAccessPolicyTest):
     def setUp(self):
         super(FlavorAccessScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system admin is able to add/remove flavor access
+        # to a tenant.
+        self.admin_authorized_contexts = [
+            self.system_admin_context]
+        # Check that non-system-admin is not able to add/remove flavor access
+        # to a tenant.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.project_admin_context,
+            self.system_foo_context, self.project_member_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context
+        ]
+
+        # Check that system user is able to list flavor access
+        # information.
+        self.admin_or_owner_authorized_contexts = [
+            self.system_admin_context,
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context]
+        # Check that non-system is not able to list flavor access
+        # information.
+        self.admin_or_owner_unauthorized_contexts = [
+            self.legacy_admin_context, self.other_project_member_context,
+            self.project_admin_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context]