Fix server operations' policies to admin only
Before the following policies were set to admin only operations by default. * detail:get_all_tenants * index:get_all_tenants * create:forced_host But currently they are not limited to admin users by default. They were changed unintentionally in I71b3d1233255125cb280a000b990329f5b03fdfd. So set them admin only again. And a unit test for policy is fixed. Change-Id: I1c0a4f1ff19d68152953dd6b265a7fb2e0f6271a Closes-Bug: #1609625 Closes-Bug: #1609691 Closes-Bug: #1611628
This commit is contained in:
parent
3d6e72689e
commit
16a38564cb
@ -22,14 +22,15 @@ SERVERS = 'os_compute_api:servers:%s'
|
|||||||
rules = [
|
rules = [
|
||||||
policy.RuleDefault(SERVERS % 'index', RULE_AOO),
|
policy.RuleDefault(SERVERS % 'index', RULE_AOO),
|
||||||
policy.RuleDefault(SERVERS % 'detail', RULE_AOO),
|
policy.RuleDefault(SERVERS % 'detail', RULE_AOO),
|
||||||
policy.RuleDefault(SERVERS % 'detail:get_all_tenants', RULE_AOO),
|
policy.RuleDefault(SERVERS % 'detail:get_all_tenants',
|
||||||
policy.RuleDefault(SERVERS % 'index:get_all_tenants', RULE_AOO),
|
base.RULE_ADMIN_API),
|
||||||
|
policy.RuleDefault(SERVERS % 'index:get_all_tenants', base.RULE_ADMIN_API),
|
||||||
policy.RuleDefault(SERVERS % 'show', RULE_AOO),
|
policy.RuleDefault(SERVERS % 'show', RULE_AOO),
|
||||||
# the details in host_status are pretty sensitive, only admins
|
# the details in host_status are pretty sensitive, only admins
|
||||||
# should do that by default.
|
# should do that by default.
|
||||||
policy.RuleDefault(SERVERS % 'show:host_status', base.RULE_ADMIN_API),
|
policy.RuleDefault(SERVERS % 'show:host_status', base.RULE_ADMIN_API),
|
||||||
policy.RuleDefault(SERVERS % 'create', RULE_AOO),
|
policy.RuleDefault(SERVERS % 'create', RULE_AOO),
|
||||||
policy.RuleDefault(SERVERS % 'create:forced_host', RULE_AOO),
|
policy.RuleDefault(SERVERS % 'create:forced_host', base.RULE_ADMIN_API),
|
||||||
policy.RuleDefault(SERVERS % 'create:attach_volume', RULE_AOO),
|
policy.RuleDefault(SERVERS % 'create:attach_volume', RULE_AOO),
|
||||||
policy.RuleDefault(SERVERS % 'create:attach_network', RULE_AOO),
|
policy.RuleDefault(SERVERS % 'create:attach_network', RULE_AOO),
|
||||||
policy.RuleDefault(SERVERS % 'delete', RULE_AOO),
|
policy.RuleDefault(SERVERS % 'delete', RULE_AOO),
|
||||||
|
@ -493,7 +493,8 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||||||
def test_admin_only_rules(self):
|
def test_admin_only_rules(self):
|
||||||
for rule in self.admin_only_rules:
|
for rule in self.admin_only_rules:
|
||||||
self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
|
self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
|
||||||
self.non_admin_context, rule, self.target)
|
self.non_admin_context, rule,
|
||||||
|
{'project_id': 'fake', 'user_id': 'fake'})
|
||||||
policy.authorize(self.admin_context, rule, self.target)
|
policy.authorize(self.admin_context, rule, self.target)
|
||||||
|
|
||||||
def test_non_admin_only_rules(self):
|
def test_non_admin_only_rules(self):
|
||||||
|
Loading…
x
Reference in New Issue
Block a user