diff --git a/nova/policies/hypervisors.py b/nova/policies/hypervisors.py
index 695d3c4ca098..2090642f8395 100644
--- a/nova/policies/hypervisors.py
+++ b/nova/policies/hypervisors.py
@@ -23,9 +23,9 @@ BASE_POLICY_NAME = 'os_compute_api:os-hypervisors'
 
 hypervisors_policies = [
     policy.DocumentedRuleDefault(
-        BASE_POLICY_NAME,
-        base.RULE_ADMIN_API,
-        """Policy rule for hypervisor related APIs.
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API,
+        description="""Policy rule for hypervisor related APIs.
 
 This rule will be checked for the following APIs:
 
@@ -35,7 +35,7 @@ show details for a hypervisor, show the uptime of a hypervisor, search
 hypervisor by hypervisor_hostname pattern and list all servers on
 hypervisors that can match the provided
 hypervisor_hostname pattern.""",
-        [
+        operations=[
             {
                 'path': '/os-hypervisors',
                 'method': 'GET'
@@ -65,7 +65,8 @@ hypervisor_hostname pattern.""",
                 '/os-hypervisors/{hypervisor_hostname_pattern}/servers',
                 'method': 'GET'
             }
-        ]
+        ],
+        scope_types=['system']
     ),
 ]
 
diff --git a/nova/tests/unit/policies/test_hypervisors.py b/nova/tests/unit/policies/test_hypervisors.py
index 5a4afd7db7c1..f512cb445f0d 100644
--- a/nova/tests/unit/policies/test_hypervisors.py
+++ b/nova/tests/unit/policies/test_hypervisors.py
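Review bot: The added `scope_types=['system']` in the third hunk only takes effect when `[oslo_policy] enforce_scope` is turned on (the test hunk sets it explicitly), so deployments on the default setting keep passing project-scoped admin tokens through `RULE_ADMIN_API` unchanged, and the moment an operator enables scope enforcement every hypervisor API is cut off for project-scoped admins at once, which the test's placement of `legacy_admin_context` in the unauthorized list confirms is the intent. The rule's `description` string says nothing about this, so I would extend it with a sentence such as `These APIs are system-scoped: when scope enforcement is enabled only a system-scoped token is accepted, a project-scoped admin token is rejected.` and pair the change with a release note telling operators what enabling `enforce_scope` will now deny. The `check_str` is still `RULE_ADMIN_API` rather than a system-admin rule, so the admin/scope split currently rests entirely on `scope_types`; worth a comment if that is deliberate staging. The `hypervisors_policies` list and its description string span all three hunks and continue outside them.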
@@ -114,3 +114,17 @@ class HypervisorsScopeTypePolicyTest(HypervisorsPolicyTest): def setUp(self): super(HypervisorsScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") + + # Check that system admin is able to perform operations + # on hypervisors. + self.admin_authorized_contexts = [ + self.system_admin_context] + # Check that non-system-admin is not able to perform operations + # on hypervisors. + self.admin_unauthorized_contexts = [ + self.legacy_admin_context, self.system_member_context, + self.system_reader_context, self.project_admin_context, + self.system_foo_context, self.project_member_context, + self.other_project_member_context, + self.project_foo_context, self.project_reader_context + ]
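Review bot: The unauthorized list in `setUp` is hand-enumerated, so any context the base fixture adds later (for example a reader in another project) would be silently untested rather than failing, and the positive list would never notice either. If the base test class exposes the complete set of contexts, deriving the negative list from it, e.g. `self.admin_unauthorized_contexts = [c for c in self.all_contexts if c not in self.admin_authorized_contexts]`, keeps the two lists complementary by construction; if no such attribute exists, a one-line comment `# Keep in sync with the contexts defined in the base policy test fixture` on the list would at least flag the coupling. The base `HypervisorsPolicyTest` that holds the enforce_scope=False expectations is outside this hunk, so I cannot confirm the legacy-admin-allowed case is covered there; `setUp` appears to end with the hunk's last added line.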