Remove old policy enforcement in attach_interfaces
os-attach-interfaces API policy for create and delete
was made granular in Icf1f0dd12920a2c6126e52a548f3fa4636b431d6
and the old rule enforcement was kept to support the old deployment.
It's been 3.5 years and we did not remove the old rule from
these two APIs.
This commit removes the old rule enforcement.
Partial implement blueprint policy-defaults-refresh
[1] c16315165c/nova/api/openstack/compute/attach_interfaces.py (L142)
Change-Id: Icdf6302b332ccf23f36c4106c194af71877f2813
parent
5aa8df8f5c
commit
55e16ea11f
|
@ -140,8 +140,6 @@ class InterfaceAttachmentController(wsgi.Controller):
|
|||
context = req.environ['nova.context']
|
||||
instance = common.get_instance(self.compute_api, context, server_id)
|
||||
|
||||
context.can(ai_policies.BASE_POLICY_NAME,
|
||||
target={'project_id': instance.project_id})
|
||||
context.can(ai_policies.POLICY_ROOT % 'create',
|
||||
target={'project_id': instance.project_id})
|
||||
|
||||
|
@ -205,8 +203,6 @@ class InterfaceAttachmentController(wsgi.Controller):
|
|||
instance = common.get_instance(self.compute_api, context, server_id,
|
||||
expected_attrs=['device_metadata'])
|
||||
|
||||
context.can(ai_policies.BASE_POLICY_NAME,
|
||||
target={'project_id': instance.project_id})
|
||||
context.can(ai_policies.POLICY_ROOT % 'delete',
|
||||
target={'project_id': instance.project_id})
|
||||
port_id = id
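Review bot: Dropping the `ai_policies.BASE_POLICY_NAME` check from create and delete changes who is authorized after an upgrade, and nothing visible on this page tells operators so. The +/- markers are lost in this rendering, so which pair of `context.can` calls was removed is inferred from the commit title. A deployment whose policy file restricts only the old base rule and leaves `POLICY_ROOT % 'create'` and `POLICY_ROOT % 'delete'` at their defaults would silently fall back to those defaults. An upgrade release note naming the two granular rules that must now be overridden would cover this. A one-line comment above each remaining check would also help, e.g. `# Only the granular rule is enforced here; the base rule no longer gates this call.` Both methods start and end outside the hunks shown.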
|
||||
|
|
|
@ -613,39 +613,19 @@ class AttachInterfacesPolicyEnforcementv21(test.NoDBTestCase):
|
|||
exc.format_message())
|
||||
|
||||
def test_create_attach_interfaces_policy_failed(self):
|
||||
rule_name = "os_compute_api:os-attach-interfaces:create"
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller.create, self.req, fakes.FAKE_UUID, body={})
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % self.rule_name,
|
||||
"Policy doesn't allow %s to be performed." % rule_name,
|
||||
exc.format_message())
|
||||
|
||||
def test_delete_attach_interfaces_policy_failed(self):
|
||||
rule_name = "os_compute_api:os-attach-interfaces:delete"
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller.delete, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1)
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % self.rule_name,
|
||||
"Policy doesn't allow %s to be performed." % rule_name,
|
||||
exc.format_message())
|
||||
|
||||
def test_attach_interfaces_create_policy_failed(self):
|
||||
self.policy.set_rules({self.rule_name: "@",
|
||||
'os_compute_api:os-attach-interfaces:create':
|
||||
"!"})
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller.create, self.req, fakes.FAKE_UUID, body={})
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow os_compute_api:os-attach-interfaces:create "
|
||||
"to be performed.", exc.format_message())
|
||||
|
||||
def test_attach_interfaces_delete_policy_failed(self):
|
||||
self.policy.set_rules({self.rule_name: "@",
|
||||
'os_compute_api:os-attach-interfaces:delete':
|
||||
"!"})
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller.delete, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1)
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow os_compute_api:os-attach-interfaces:delete "
|
||||
"to be performed.", exc.format_message())
|
||||
|
|
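Review bot: The surviving tests only show that a deny on the granular rule is reported under the granular name; no visible test pins the other half of the change, that a deny on the old base rule is no longer consulted. The hunk's line counts (39 old, 19 new) suggest the two removed tests are the ones that called `self.policy.set_rules` with the base rule set to `"@"` and the granular rule to `"!"`. A counterpart that sets the base rule to `"!"` and the granular rule to `"@"`, then asserts `exception.PolicyNotAuthorized` is not raised, would guard against the old check being reintroduced. The new local `rule_name` also sits beside `self.rule_name`, whose value is set outside this hunk, so a more specific local name such as `create_rule` would avoid confusion.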