Introduce scope_types in server topology

oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level. - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html Appropriate scope_type for nova case: - https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope This commit introduce scope_type for server topology API policies as: - 'system' and 'project' for get server topology - 'system' for get server topology with host info. Also adds the test case with scope_type enabled and verify we pass and fail the policy check with expected context. Partial implement blueprint policy-defaults-refresh Change-Id: I69e3c7f6073e8fd6d98aa7a3c7d65f3e2ea0dd86
2020-04-05 04:04:49 -05:00 · 2020-04-05 04:04:49 -05:00 · 26a02a7a98
commit 26a02a7a98
parent 8d2ad62dc1
2 changed files with 27 additions and 11 deletions
--- a/nova/policies/server_topology.py
+++ b/nova/policies/server_topology.py
@ -20,27 +20,29 @@ BASE_POLICY_NAME = 'compute:server:topology:%s'

 server_topology_policies = [
    policy.DocumentedRuleDefault(
-        BASE_POLICY_NAME % 'index',
-        base.RULE_ADMIN_OR_OWNER,
-        "Show the NUMA topology data for a server",
-        [
+        name=BASE_POLICY_NAME % 'index',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Show the NUMA topology data for a server",
+        operations=[
            {
                'method': 'GET',
                'path': '/servers/{server_id}/topology'
            }
-        ]),
+        ],
+        scope_types=['system', 'project']),
    policy.DocumentedRuleDefault(
        # Control host NUMA node and cpu pinning information
-        BASE_POLICY_NAME % 'host:index',
-        base.RULE_ADMIN_API,
-        "Show the NUMA topology data for a server with host NUMA ID and CPU "
-        "pinning information",
-        [
+        name=BASE_POLICY_NAME % 'host:index',
+        check_str=base.RULE_ADMIN_API,
+        description="Show the NUMA topology data for a server with host"
+        "NUMA ID and CPU pinning information",
+        operations=[
            {
                'method': 'GET',
                'path': '/servers/{server_id}/topology'
            }
-        ]),
+        ],
+        scope_types=['system']),
 ]


--- a/nova/tests/unit/policies/test_server_topology.py
+++ b/nova/tests/unit/policies/test_server_topology.py
@ -117,3 +117,17 @@ class ServerTopologyScopeTypePolicyTest(ServerTopologyPolicyTest):
    def setUp(self):
        super(ServerTopologyScopeTypePolicyTest, self).setUp()
        self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system admin is able to get the server topology
+        # host information.
+        self.admin_authorized_contexts = [
+            self.system_admin_context]
+        # Check that non-system/admin is not able to get the server topology
+        # host information.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.system_foo_context,
+            self.project_admin_context, self.project_member_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context
+        ]