Merge "Fix server operations' policies to admin only"

This commit is contained in:
Jenkins 2016-08-11 06:07:52 +00:00 committed by Gerrit Code Review
commit 19010d6212
2 changed files with 6 additions and 4 deletions

View File

@ -22,14 +22,15 @@ SERVERS = 'os_compute_api:servers:%s'
rules = [
policy.RuleDefault(SERVERS % 'index', RULE_AOO),
policy.RuleDefault(SERVERS % 'detail', RULE_AOO),
policy.RuleDefault(SERVERS % 'detail:get_all_tenants', RULE_AOO),
policy.RuleDefault(SERVERS % 'index:get_all_tenants', RULE_AOO),
policy.RuleDefault(SERVERS % 'detail:get_all_tenants',
base.RULE_ADMIN_API),
policy.RuleDefault(SERVERS % 'index:get_all_tenants', base.RULE_ADMIN_API),
policy.RuleDefault(SERVERS % 'show', RULE_AOO),
# the details in host_status are pretty sensitive, only admins
# should do that by default.
policy.RuleDefault(SERVERS % 'show:host_status', base.RULE_ADMIN_API),
policy.RuleDefault(SERVERS % 'create', RULE_AOO),
policy.RuleDefault(SERVERS % 'create:forced_host', RULE_AOO),
policy.RuleDefault(SERVERS % 'create:forced_host', base.RULE_ADMIN_API),
policy.RuleDefault(SERVERS % 'create:attach_volume', RULE_AOO),
policy.RuleDefault(SERVERS % 'create:attach_network', RULE_AOO),
policy.RuleDefault(SERVERS % 'delete', RULE_AOO),

View File

@ -495,7 +495,8 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
def test_admin_only_rules(self):
for rule in self.admin_only_rules:
self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
self.non_admin_context, rule, self.target)
self.non_admin_context, rule,
{'project_id': 'fake', 'user_id': 'fake'})
policy.authorize(self.admin_context, rule, self.target)
def test_non_admin_only_rules(self):