Few todo fixes for API new policies
1. Add testing context 'self.other_project_reader_context' for remaining tests. 2. Replace REQUESTED_DESTINATION policy check_str with 'PROJECT_ADMIN' so that it will easy to remove the deprecated RULE_ADMIN_API rule. Partial implement blueprint policy-defaults-refresh-deprecated-apis Change-Id: Ibf88029af32376788134427be99d219784f8e333
This commit is contained in:
Ghanshyam Mann
parent
583672c03c
commit
521ea08467
|
|
@ -16,7 +16,6 @@ from oslo_policy import policy
|
|||
from nova.policies import base
|
||||
|
||||
|
||||
RULE_AOO = base.RULE_ADMIN_OR_OWNER
|
||||
SERVERS = 'os_compute_api:servers:%s'
|
||||
NETWORK_ATTACH_EXTERNAL = 'network:attach_external_network'
|
||||
ZERO_DISK_FLAVOR = SERVERS % 'create:zero_disk_flavor'
|
||||
|
|
@ -204,7 +203,18 @@ host and/or node by bypassing the scheduler filters unlike the
|
|||
scope_types=['system', 'project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=REQUESTED_DESTINATION,
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
# TODO(gmann): We need to make it SYSTEM_ADMIN.
|
||||
# PROJECT_ADMIN is added for now because create server
|
||||
# policy is project scoped and there is no way to
|
||||
# pass the project_id in request body for system scoped
|
||||
# roles so that create server for other project with requested
|
||||
# destination.
|
||||
# To achieve that, we need to update the create server API to
|
||||
# accept the project_id for whom the server needs to be created
|
||||
# and then change the scope of this policy to system-only
|
||||
# Because that is API change it needs to be done with new
|
||||
# microversion.
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
description="""
|
||||
Create a server on the requested compute service host and/or
|
||||
hypervisor_hostname.
|
||||
|
|
|
|||
|
|
@ -7041,21 +7041,6 @@ class ServersControllerCreateTestV274(ServersControllerCreateTest):
|
|||
self.req, body=self.body)
|
||||
self.assertIn("mutually exclusive", six.text_type(ex))
|
||||
|
||||
def test_create_instance_invalid_policy(self):
|
||||
self._generate_req(host='host', node='node')
|
||||
# non-admin
|
||||
self.req.environ['nova.context'] = fakes.FakeRequestContext(
|
||||
user_id='fake_user',
|
||||
project_id=fakes.FAKE_PROJECT_ID,
|
||||
is_admin=False)
|
||||
|
||||
ex = self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.controller.create,
|
||||
self.req, body=self.body)
|
||||
self.assertIn("Policy doesn't allow compute:servers:create:"
|
||||
"requested_destination to be performed.",
|
||||
six.text_type(ex))
|
||||
|
||||
def test_create_instance_private_flavor(self):
|
||||
# Here we use admin context, so if we do not pass it or
|
||||
# we do not anything, the test case will be failed.
|
||||
|
|
|
|||
|
|
@ -65,6 +65,7 @@ from nova.objects import block_device as block_device_obj
|
|||
from nova.objects import fields as obj_fields
|
||||
from nova.objects import instance as instance_obj
|
||||
from nova.objects import migrate_data as migrate_data_obj
|
||||
from nova.policies import base as base_policy
|
||||
from nova.policies import servers as servers_policy
|
||||
from nova import test
|
||||
from nova.tests import fixtures
|
||||
|
|
@ -13330,7 +13331,7 @@ class CheckRequestedImageTestCase(test.TestCase):
|
|||
|
||||
def test_root_gb_zero_disables_size_check(self):
|
||||
self.policy.set_rules({
|
||||
servers_policy.ZERO_DISK_FLAVOR: servers_policy.RULE_AOO
|
||||
servers_policy.ZERO_DISK_FLAVOR: base_policy.RULE_ADMIN_OR_OWNER
|
||||
}, overwrite=False)
|
||||
self.instance_type['root_gb'] = 0
|
||||
image = dict(id=uuids.image_id, status='active', size='1073741825')
|
||||
|
|
@ -13340,7 +13341,7 @@ class CheckRequestedImageTestCase(test.TestCase):
|
|||
|
||||
def test_root_gb_zero_disables_min_disk(self):
|
||||
self.policy.set_rules({
|
||||
servers_policy.ZERO_DISK_FLAVOR: servers_policy.RULE_AOO
|
||||
servers_policy.ZERO_DISK_FLAVOR: base_policy.RULE_ADMIN_OR_OWNER
|
||||
}, overwrite=False)
|
||||
self.instance_type['root_gb'] = 0
|
||||
image = dict(id=uuids.image_id, status='active', min_disk='2')
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@ policy_data = """
|
|||
"os_compute_api:servers:create:attach_volume": "",
|
||||
"os_compute_api:servers:create:attach_network": "",
|
||||
"os_compute_api:servers:create:forced_host": "",
|
||||
"compute:servers:create:requested_destination": "",
|
||||
"os_compute_api:servers:create:trusted_certs": "",
|
||||
"os_compute_api:servers:create_image": "",
|
||||
"os_compute_api:servers:create_image:allow_volume_backed": "",
|
||||
|
|
|
|||
|
|
@ -132,14 +132,9 @@ class BasePolicyTest(test.TestCase):
|
|||
authorized_response = []
|
||||
unauthorize_response = []
|
||||
|
||||
# TODO(gmann): we need to add the new context
|
||||
# self.other_project_reader_context in all tests and then remove
|
||||
# this conditional adjusment.
|
||||
test_context = authorized_contexts + unauthorized_contexts
|
||||
test_context_len = len(test_context)
|
||||
if self.other_project_reader_context not in test_context:
|
||||
test_context_len += 1
|
||||
self.assertEqual(len(self.all_contexts), test_context_len,
|
||||
self.assertEqual(len(self.all_contexts),
|
||||
len(authorized_contexts) + len(
|
||||
unauthorized_contexts),
|
||||
"Expected testing context are mismatch. check all "
|
||||
"contexts mentioned in self.all_contexts are tested")
|
||||
|
||||
|
|
|
|||
|
|
@ -52,6 +52,7 @@ class AdminActionsPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -118,5 +119,6 @@ class AdminActionsNoLegacyPolicyTest(AdminActionsScopeTypePolicyTest):
|
|||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
|
|
|||
|
|
@ -56,7 +56,8 @@ class AdminPasswordPolicyTest(base.BasePolicyTest):
|
|||
self.admin_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.set_admin_password')
|
||||
|
|
@ -130,4 +131,6 @@ class AdminPasswordNoLegacyPolicyTest(AdminPasswordPolicyTest):
|
|||
self.project_foo_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context]
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -44,6 +44,7 @@ class AgentsPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -63,7 +64,8 @@ class AgentsPolicyTest(base.BasePolicyTest):
|
|||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.project_foo_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_reader_context, self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.db.api.agent_build_destroy')
|
||||
def test_delete_agent_policy(self, mock_delete):
|
||||
|
|
@ -142,7 +144,8 @@ class AgentsScopeTypePolicyTest(AgentsPolicyTest):
|
|||
self.system_reader_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
self.project_foo_context, self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
# Check that system admin, member and reader are able to read the
|
||||
|
|
@ -156,7 +159,8 @@ class AgentsScopeTypePolicyTest(AgentsPolicyTest):
|
|||
self.system_foo_context, self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
self.project_foo_context, self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -40,6 +40,7 @@ class AggregatesPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -52,6 +53,7 @@ class AggregatesPolicyTest(base.BasePolicyTest):
|
|||
self.system_reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -172,6 +174,7 @@ class AggregatesScopeTypePolicyTest(AggregatesPolicyTest):
|
|||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
# Check that system reader is able to get Aggregate
|
||||
|
|
@ -183,5 +186,6 @@ class AggregatesScopeTypePolicyTest(AggregatesPolicyTest):
|
|||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
|
|
|||
|
|
@ -41,6 +41,7 @@ class AssistedVolumeSnapshotPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -94,5 +95,6 @@ class AssistedSnapshotScopeTypePolicyTest(AssistedVolumeSnapshotPolicyTest):
|
|||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
|
|
|||
|
|
@ -56,7 +56,8 @@ class AttachInterfacesPolicyTest(base.BasePolicyTest):
|
|||
self.admin_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
self.reader_authorized_contexts = [
|
||||
|
|
@ -68,7 +69,8 @@ class AttachInterfacesPolicyTest(base.BasePolicyTest):
|
|||
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.get')
|
||||
|
|
@ -222,7 +224,9 @@ class AttachInterfacesNoLegacyPolicyTest(AttachInterfacesPolicyTest):
|
|||
self.project_foo_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context]
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
# Check that system reader or projct is able to
|
||||
# create or delete interfaces.
|
||||
|
|
@ -230,12 +234,13 @@ class AttachInterfacesNoLegacyPolicyTest(AttachInterfacesPolicyTest):
|
|||
self.system_admin_context,
|
||||
self.project_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.project_reader_context,
|
||||
self.project_member_context,
|
||||
self.project_member_context
|
||||
]
|
||||
|
||||
# Check that non-system reader nd non-admin/owner is not able to
|
||||
# create or delete interfaces.
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.project_foo_context,
|
||||
self.system_foo_context, self.other_project_member_context
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -37,7 +37,9 @@ class AvailabilityZonePolicyTest(base.BasePolicyTest):
|
|||
self.project_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_member_context, self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context]
|
||||
self.project_foo_context, self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
self.everyone_unauthorized_contexts = []
|
||||
|
||||
# Check that system reader is able to list the AZ Detail
|
||||
|
|
@ -54,7 +56,9 @@ class AvailabilityZonePolicyTest(base.BasePolicyTest):
|
|||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.project_foo_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.objects.Instance.save')
|
||||
def test_availability_zone_list_policy(self, mock_save):
|
||||
|
|
@ -96,5 +100,6 @@ class AvailabilityZoneScopeTypePolicyTest(AvailabilityZonePolicyTest):
|
|||
self.system_foo_context, self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
self.project_foo_context, self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -47,7 +47,9 @@ class ConsoleAuthTokensPolicyTest(base.BasePolicyTest):
|
|||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.project_foo_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.objects.ConsoleAuthToken.validate')
|
||||
def test_console_connect_info_token_policy(self, mock_validate):
|
||||
|
|
@ -84,5 +86,6 @@ class ConsoleAuthTokensScopeTypePolicyTest(ConsoleAuthTokensPolicyTest):
|
|||
self.legacy_admin_context, self.system_foo_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
self.project_foo_context, self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -54,7 +54,8 @@ class ConsoleOutputPolicyTest(base.BasePolicyTest):
|
|||
self.admin_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.get_console_output')
|
||||
|
|
@ -107,4 +108,6 @@ class ConsoleOutputNoLegacyPolicyTest(ConsoleOutputPolicyTest):
|
|||
self.project_foo_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context]
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -54,7 +54,8 @@ class CreateBackupPolicyTest(base.BasePolicyTest):
|
|||
self.admin_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.backup')
|
||||
|
|
@ -113,4 +114,6 @@ class CreateBackupNoLegacyPolicyTest(CreateBackupPolicyTest):
|
|||
self.project_foo_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context]
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -58,7 +58,8 @@ class DeferredDeletePolicyTest(base.BasePolicyTest):
|
|||
self.admin_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.restore')
|
||||
|
|
@ -146,4 +147,6 @@ class DeferredDeleteNoLegacyPolicyTest(DeferredDeletePolicyTest):
|
|||
self.project_foo_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context]
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -68,6 +68,7 @@ class EvacuatePolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -151,5 +152,6 @@ class EvacuateNoLegacyPolicyTest(EvacuateScopeTypePolicyTest):
|
|||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
|
|
|||
|
|
@ -60,6 +60,7 @@ class FlavorAccessPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -71,7 +72,9 @@ class FlavorAccessPolicyTest(base.BasePolicyTest):
|
|||
self.project_reader_context, self.project_foo_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context]
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
self.reader_unauthorized_contexts = [
|
||||
]
|
||||
|
|
@ -130,6 +133,7 @@ class FlavorAccessScopeTypePolicyTest(FlavorAccessPolicyTest):
|
|||
self.system_reader_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -144,7 +148,9 @@ class FlavorAccessScopeTypePolicyTest(FlavorAccessPolicyTest):
|
|||
self.reader_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.other_project_member_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
|
||||
class FlavorAccessNoLegacyPolicyTest(FlavorAccessPolicyTest):
|
||||
|
|
@ -176,6 +182,7 @@ class FlavorAccessNoLegacyPolicyTest(FlavorAccessPolicyTest):
|
|||
self.system_reader_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -190,4 +197,6 @@ class FlavorAccessNoLegacyPolicyTest(FlavorAccessPolicyTest):
|
|||
self.legacy_admin_context, self.other_project_member_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.system_foo_context]
|
||||
self.system_foo_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -40,6 +40,7 @@ class FlavorManagePolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -114,6 +115,7 @@ class FlavorManageScopeTypePolicyTest(FlavorManagePolicyTest):
|
|||
self.system_reader_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
|
|||
|
|
@ -206,7 +206,8 @@ class FloatingIPNoLegacyPolicyTest(FloatingIPScopeTypePolicyTest):
|
|||
self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.project_foo_context,
|
||||
|
|
|
|||
|
|
@ -52,7 +52,9 @@ class HypervisorsPolicyTest(base.BasePolicyTest):
|
|||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.project_foo_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
def test_list_hypervisors_policy(self):
|
||||
rule_name = hv_policies.BASE_POLICY_NAME % 'list'
|
||||
|
|
@ -131,6 +133,7 @@ class HypervisorsScopeTypePolicyTest(HypervisorsPolicyTest):
|
|||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
|
|||
|
|
@ -73,7 +73,9 @@ class InstanceActionsPolicyTest(base.BasePolicyTest):
|
|||
self.system_reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.project_foo_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
self.project_or_system_reader_authorized_contexts = [
|
||||
self.legacy_admin_context, self.system_admin_context,
|
||||
|
|
@ -84,7 +86,8 @@ class InstanceActionsPolicyTest(base.BasePolicyTest):
|
|||
|
||||
self.project_or_system_reader_unauthorized_contexts = [
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
def _set_policy_rules(self, overwrite=True):
|
||||
|
|
@ -295,7 +298,9 @@ class InstanceActionsNoLegacyPolicyTest(InstanceActionsPolicyTest):
|
|||
self.system_foo_context, self.legacy_admin_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
# Check that system or projct reader is able to
|
||||
# show the instance actions events.
|
||||
|
|
@ -310,5 +315,6 @@ class InstanceActionsNoLegacyPolicyTest(InstanceActionsPolicyTest):
|
|||
# show the instance actions events.
|
||||
self.project_or_system_reader_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.project_foo_context,
|
||||
self.system_foo_context, self.other_project_member_context
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -49,6 +49,7 @@ class InstanceUsageAuditLogPolicyTest(base.BasePolicyTest):
|
|||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -92,6 +93,7 @@ class InstanceUsageScopeTypePolicyTest(InstanceUsageAuditLogPolicyTest):
|
|||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
|
|||
|
|
@ -40,7 +40,8 @@ class KeypairsPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
self.everyone_unauthorized_contexts = []
|
||||
|
||||
|
|
@ -55,7 +56,8 @@ class KeypairsPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
# Check that system reader is able to get
|
||||
|
|
@ -69,7 +71,8 @@ class KeypairsPolicyTest(base.BasePolicyTest):
|
|||
self.system_reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.KeypairAPI.get_key_pairs')
|
||||
|
|
@ -192,6 +195,7 @@ class KeypairsNoLegacyPolicyTest(KeypairsScopeTypePolicyTest):
|
|||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
# Check that system reader is able to get
|
||||
|
|
@ -205,5 +209,6 @@ class KeypairsNoLegacyPolicyTest(KeypairsScopeTypePolicyTest):
|
|||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -60,7 +60,9 @@ class LimitsPolicyTest(base.BasePolicyTest):
|
|||
self.project_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_member_context, self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context]
|
||||
self.project_foo_context, self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
self.everyone_unauthorized_contexts = []
|
||||
|
||||
# Check that system reader is able to get other projects limit.
|
||||
|
|
@ -77,6 +79,7 @@ class LimitsPolicyTest(base.BasePolicyTest):
|
|||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -121,6 +124,7 @@ class LimitsScopeTypePolicyTest(LimitsPolicyTest):
|
|||
self.legacy_admin_context, self.system_foo_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
|
|||
|
|
@ -59,7 +59,8 @@ class LockServerPolicyTest(base.BasePolicyTest):
|
|||
self.admin_or_owner_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
# Check that admin is able to unlock the server which is
|
||||
# locked by other
|
||||
|
|
@ -72,7 +73,8 @@ class LockServerPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.lock')
|
||||
|
|
@ -167,7 +169,8 @@ class LockServerNoLegacyPolicyTest(LockServerScopeTypePolicyTest):
|
|||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.other_project_member_context, self.project_reader_context,
|
||||
self.project_foo_context
|
||||
self.project_foo_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
# Check that system admin is able to unlock the server which is
|
||||
|
|
@ -181,7 +184,8 @@ class LockServerNoLegacyPolicyTest(LockServerScopeTypePolicyTest):
|
|||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
self.project_foo_context, self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
|
||||
|
|
@ -206,7 +210,8 @@ class LockServerOverridePolicyTest(LockServerNoLegacyPolicyTest):
|
|||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
self.project_foo_context, self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
def test_unlock_override_server_policy(self):
|
||||
|
|
|
|||
|
|
@ -57,7 +57,8 @@ class MigrateServerPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.resize')
|
||||
|
|
@ -122,7 +123,8 @@ class MigrateServerNoLegacyPolicyTest(MigrateServerScopeTypePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
|
||||
|
|
@ -155,5 +157,6 @@ class MigrateServerOverridePolicyTest(MigrateServerNoLegacyPolicyTest):
|
|||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
|
|
|||
|
|
@ -42,7 +42,8 @@ class MigrationsPolicyTest(base.BasePolicyTest):
|
|||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.get_migrations')
|
||||
|
|
@ -78,5 +79,6 @@ class MigrationsScopeTypePolicyTest(MigrationsPolicyTest):
|
|||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -56,7 +56,8 @@ class MultinicPolicyTest(base.BasePolicyTest):
|
|||
self.admin_or_owner_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.add_fixed_ip')
|
||||
|
|
|
|||
|
|
@ -100,7 +100,8 @@ class NetworksNoLegacyPolicyTest(NetworksScopeTypePolicyTest):
|
|||
self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.project_foo_context,
|
||||
|
|
|
|||
|
|
@ -58,7 +58,8 @@ class PauseServerPolicyTest(base.BasePolicyTest):
|
|||
self.admin_or_owner_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.pause')
|
||||
|
|
@ -139,5 +140,6 @@ class PauseServerNoLegacyPolicyTest(PauseServerScopeTypePolicyTest):
|
|||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.other_project_member_context, self.project_reader_context,
|
||||
self.project_foo_context
|
||||
self.project_foo_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -40,7 +40,8 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
# Check that system reader is able to get quota class
|
||||
self.system_reader_authorized_contexts = [
|
||||
|
|
@ -51,7 +52,8 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest):
|
|||
self.system_reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.objects.Quotas.update_class')
|
||||
|
|
@ -101,7 +103,8 @@ class QuotaClassSetsScopeTypePolicyTest(QuotaClassSetsPolicyTest):
|
|||
self.system_reader_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
# Check that system reader is able to get quota class
|
||||
self.system_reader_authorized_contexts = [
|
||||
|
|
@ -112,7 +115,8 @@ class QuotaClassSetsScopeTypePolicyTest(QuotaClassSetsPolicyTest):
|
|||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -60,7 +60,8 @@ class RemoteConsolesPolicyTest(base.BasePolicyTest):
|
|||
self.admin_or_owner_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
def test_create_console_policy(self):
|
||||
|
|
@ -109,5 +110,6 @@ class RemoteConsolesNoLegacyPolicyTest(RemoteConsolesScopeTypePolicyTest):
|
|||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.other_project_member_context, self.project_reader_context,
|
||||
self.project_foo_context
|
||||
self.project_foo_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -59,7 +59,8 @@ class RescueServerPolicyTest(base.BasePolicyTest):
|
|||
self.admin_or_owner_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.rescue')
|
||||
|
|
@ -145,5 +146,6 @@ class RescueServerNoLegacyPolicyTest(RescueServerScopeTypePolicyTest):
|
|||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.other_project_member_context, self.project_reader_context,
|
||||
self.project_foo_context
|
||||
self.project_foo_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -333,7 +333,8 @@ class SecurityGroupsNoLegacyPolicyTest(SecurityGroupsScopeTypePolicyTest):
|
|||
self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.project_foo_context,
|
||||
|
|
|
|||
|
|
@ -56,7 +56,8 @@ class ServerDiagnosticsPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
def test_server_diagnostics_policy(self):
|
||||
|
|
@ -102,7 +103,8 @@ class ServerDiagnosticsNoLegacyPolicyTest(
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
|
||||
|
|
@ -133,5 +135,6 @@ class ServerDiagnosticsOverridePolicyTest(ServerDiagnosticsNoLegacyPolicyTest):
|
|||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
self.project_foo_context, self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -44,7 +44,8 @@ class ServerExternalEventsPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.external_instance_event')
|
||||
|
|
@ -89,7 +90,8 @@ class ServerExternalEventsScopeTypePolicyTest(ServerExternalEventsPolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -56,7 +56,8 @@ class ServerGroupPolicyTest(base.BasePolicyTest):
|
|||
self.admin_or_owner_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
# Check that system reader or owner is able to get
|
||||
# the server group. Due to old default everyone
|
||||
|
|
@ -69,7 +70,8 @@ class ServerGroupPolicyTest(base.BasePolicyTest):
|
|||
]
|
||||
self.system_reader_or_owner_unauthorized_contexts = [
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
# Check that everyone is able to list
|
||||
# theie own server group. Due to old defaults everyone
|
||||
|
|
@ -80,7 +82,9 @@ class ServerGroupPolicyTest(base.BasePolicyTest):
|
|||
self.project_reader_context, self.project_foo_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context]
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
self.everyone_unauthorized_contexts = [
|
||||
]
|
||||
# Check that project member is able to create server group.
|
||||
|
|
@ -91,7 +95,9 @@ class ServerGroupPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.project_reader_context,
|
||||
self.project_foo_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context]
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
self.project_member_unauthorized_contexts = []
|
||||
|
||||
@mock.patch('nova.objects.InstanceGroupList.get_by_project_id')
|
||||
|
|
@ -175,7 +181,8 @@ class ServerGroupScopeTypePolicyTest(ServerGroupPolicyTest):
|
|||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
# Check if non-project scoped cannot create the server group.
|
||||
self.project_member_unauthorized_contexts = [
|
||||
|
|
@ -211,7 +218,8 @@ class ServerGroupNoLegacyPolicyTest(ServerGroupScopeTypePolicyTest):
|
|||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
# Check that system reader or owner is able to get
|
||||
# the server group.
|
||||
|
|
@ -223,14 +231,16 @@ class ServerGroupNoLegacyPolicyTest(ServerGroupScopeTypePolicyTest):
|
|||
]
|
||||
self.system_reader_or_owner_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.system_foo_context,
|
||||
self.other_project_member_context, self.project_foo_context
|
||||
self.other_project_member_context, self.project_foo_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
self.everyone_authorized_contexts = [
|
||||
self.legacy_admin_context, self.system_admin_context,
|
||||
self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
self.everyone_unauthorized_contexts = [
|
||||
self.project_foo_context,
|
||||
|
|
@ -247,4 +257,5 @@ class ServerGroupNoLegacyPolicyTest(ServerGroupScopeTypePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_reader_context,
|
||||
self.project_foo_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -60,7 +60,8 @@ class ServerIpsPolicyTest(base.BasePolicyTest):
|
|||
# adderesses
|
||||
self.reader_or_owner_unauthorized_contexts = [
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
def test_index_ips_policy(self):
|
||||
|
|
@ -116,4 +117,6 @@ class ServerIpsNoLegacyPolicyTest(ServerIpsScopeTypePolicyTest):
|
|||
# get the server IP adderesses.
|
||||
self.reader_or_owner_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.project_foo_context,
|
||||
self.system_foo_context, self.other_project_member_context]
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -56,6 +56,7 @@ class ServerMigrationsPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
# Check that system-reader are able to perform operations
|
||||
|
|
@ -69,7 +70,9 @@ class ServerMigrationsPolicyTest(base.BasePolicyTest):
|
|||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.project_foo_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.get_migrations_in_progress_by_instance')
|
||||
def test_list_server_migrations_policy(self, mock_get):
|
||||
|
|
@ -145,7 +148,8 @@ class ServerMigrationsNoLegacyPolicyTest(ServerMigrationsScopeTypePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
# Check that system reader is able to perform operations
|
||||
# for server migrations.
|
||||
|
|
@ -158,6 +162,7 @@ class ServerMigrationsNoLegacyPolicyTest(ServerMigrationsScopeTypePolicyTest):
|
|||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -195,7 +200,8 @@ class ServerMigrationsOverridePolicyTest(ServerMigrationsNoLegacyPolicyTest):
|
|||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
self.project_foo_context, self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
# Check that system reader is able to perform operations
|
||||
# for server migrations.
|
||||
|
|
@ -207,5 +213,6 @@ class ServerMigrationsOverridePolicyTest(ServerMigrationsNoLegacyPolicyTest):
|
|||
# for server migrations.
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.system_foo_context,
|
||||
self.other_project_member_context, self.project_foo_context
|
||||
self.other_project_member_context, self.project_foo_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -1433,7 +1433,8 @@ class ServersNoLegacyPolicyTest(ServersScopeTypePolicyTest):
|
|||
self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
self.everyone_unauthorized_contexts = [
|
||||
self.project_foo_context,
|
||||
|
|
|
|||
|
|
@ -43,6 +43,7 @@ class ServicesPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -62,7 +63,9 @@ class ServicesPolicyTest(base.BasePolicyTest):
|
|||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.project_foo_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
def test_delete_service_policy(self):
|
||||
rule_name = "os_compute_api:os-services:delete"
|
||||
|
|
@ -128,6 +131,7 @@ class ServicesScopeTypePolicyTest(ServicesPolicyTest):
|
|||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -142,6 +146,7 @@ class ServicesScopeTypePolicyTest(ServicesPolicyTest):
|
|||
self.system_foo_context, self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
|
|||
|
|
@ -55,7 +55,8 @@ class ShelveServerPolicyTest(base.BasePolicyTest):
|
|||
self.admin_or_owner_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
# Check that admin is able to shelve offload the server.
|
||||
self.admin_authorized_contexts = [
|
||||
|
|
@ -66,7 +67,8 @@ class ShelveServerPolicyTest(base.BasePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.shelve')
|
||||
|
|
@ -157,7 +159,8 @@ class ShelveServerNoLegacyPolicyTest(ShelveServerScopeTypePolicyTest):
|
|||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.other_project_member_context, self.project_reader_context,
|
||||
self.project_foo_context
|
||||
self.project_foo_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
# Check that system admin is able to shelve offload the server.
|
||||
self.admin_authorized_contexts = [
|
||||
|
|
@ -169,5 +172,6 @@ class ShelveServerNoLegacyPolicyTest(ShelveServerScopeTypePolicyTest):
|
|||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -55,7 +55,8 @@ class SuspendServerPolicyTest(base.BasePolicyTest):
|
|||
self.admin_or_owner_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch('nova.compute.api.API.suspend')
|
||||
|
|
@ -136,5 +137,6 @@ class SuspendServerNoLegacyPolicyTest(SuspendServerScopeTypePolicyTest):
|
|||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.other_project_member_context, self.project_reader_context,
|
||||
self.project_foo_context
|
||||
self.project_foo_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -103,7 +103,8 @@ class VolumeAttachPolicyTest(base.BasePolicyTest):
|
|||
self.admin_or_owner_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
# Check that admin is able to update the attached volume
|
||||
|
|
@ -121,7 +122,8 @@ class VolumeAttachPolicyTest(base.BasePolicyTest):
|
|||
self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context,
|
||||
self.project_reader_context
|
||||
self.project_reader_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
self.reader_authorized_contexts = [
|
||||
|
|
@ -133,7 +135,8 @@ class VolumeAttachPolicyTest(base.BasePolicyTest):
|
|||
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
@mock.patch.object(objects.BlockDeviceMappingList, 'get_by_instance_uuid')
|
||||
|
|
@ -255,6 +258,7 @@ class VolumeAttachScopeTypePolicyTest(VolumeAttachPolicyTest):
|
|||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -284,7 +288,8 @@ class VolumeAttachNoLegacyPolicyTest(VolumeAttachPolicyTest):
|
|||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.project_reader_context,
|
||||
self.project_foo_context, self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
# Check that admin is able to update the attached volume
|
||||
|
|
@ -298,6 +303,7 @@ class VolumeAttachNoLegacyPolicyTest(VolumeAttachPolicyTest):
|
|||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
|
@ -310,7 +316,8 @@ class VolumeAttachNoLegacyPolicyTest(VolumeAttachPolicyTest):
|
|||
self.reader_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.system_foo_context,
|
||||
self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context,
|
||||
]
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue