Browse Source

Merge "Introduce scope_types in os-hypervisors"

tags/21.0.0.0rc1
Zuul 3 months ago
committed by Gerrit Code Review
parent
commit
34540068d7
2 changed files with 20 additions and 5 deletions
  1. +6
    -5
      nova/policies/hypervisors.py
  2. +14
    -0
      nova/tests/unit/policies/test_hypervisors.py

+ 6
- 5
nova/policies/hypervisors.py View File

@@ -23,9 +23,9 @@ BASE_POLICY_NAME = 'os_compute_api:os-hypervisors'

hypervisors_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Policy rule for hypervisor related APIs.
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API,
description="""Policy rule for hypervisor related APIs.

This rule will be checked for the following APIs:

@@ -35,7 +35,7 @@ show details for a hypervisor, show the uptime of a hypervisor,
search hypervisor by hypervisor_hostname pattern and list all
servers on hypervisors that can match the provided
hypervisor_hostname pattern.""",
[
operations=[
{
'path': '/os-hypervisors',
'method': 'GET'
@@ -65,7 +65,8 @@ hypervisor_hostname pattern.""",
'/os-hypervisors/{hypervisor_hostname_pattern}/servers',
'method': 'GET'
}
]
],
scope_types=['system']
),
]



+ 14
- 0
nova/tests/unit/policies/test_hypervisors.py View File

@@ -114,3 +114,17 @@ class HypervisorsScopeTypePolicyTest(HypervisorsPolicyTest):
def setUp(self):
super(HypervisorsScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")

# Check that system admin is able to perform operations
# on hypervisors.
self.admin_authorized_contexts = [
self.system_admin_context]
# Check that non-system-admin is not able to perform operations
# on hypervisors.
self.admin_unauthorized_contexts = [
self.legacy_admin_context, self.system_member_context,
self.system_reader_context, self.project_admin_context,
self.system_foo_context, self.project_member_context,
self.other_project_member_context,
self.project_foo_context, self.project_reader_context
]

Loading…
Cancel
Save