Remove old policy enforcement in attach_interfaces

os-attach-interfaces API policy for create and delete have been granular in Icf1f0dd12920a2c6126e52a548f3fa4636b431d6 and old rule enforcement were kept to support the old deployement. It's been 3.5 years and we did not remove the old rule from these two APIs. This commit removes the old rule enforcement. Partial implement blueprint policy-defaults-refresh [1] c16315165c/nova/api/openstack/compute/attach_interfaces.py (L142) Change-Id: Icdf6302b332ccf23f36c4106c194af71877f2813
2020-01-30 20:50:27 -06:00 · 2020-01-30 20:50:27 -06:00 · 55e16ea11f
parent 5aa8df8f5c
commit 55e16ea11f
2 changed files with 4 additions and 28 deletions
--- a/nova/api/openstack/compute/attach_interfaces.py
+++ b/nova/api/openstack/compute/attach_interfaces.py
@ -140,8 +140,6 @@ class InterfaceAttachmentController(wsgi.Controller):
        context = req.environ['nova.context']
        instance = common.get_instance(self.compute_api, context, server_id)

-        context.can(ai_policies.BASE_POLICY_NAME,
-                    target={'project_id': instance.project_id})
        context.can(ai_policies.POLICY_ROOT % 'create',
                    target={'project_id': instance.project_id})

@ -205,8 +203,6 @@ class InterfaceAttachmentController(wsgi.Controller):
        instance = common.get_instance(self.compute_api, context, server_id,
                                       expected_attrs=['device_metadata'])

-        context.can(ai_policies.BASE_POLICY_NAME,
-                    target={'project_id': instance.project_id})
        context.can(ai_policies.POLICY_ROOT % 'delete',
                    target={'project_id': instance.project_id})
        port_id = id
--- a/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py
+++ b/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py
@ -613,39 +613,19 @@ class AttachInterfacesPolicyEnforcementv21(test.NoDBTestCase):
            exc.format_message())

    def test_create_attach_interfaces_policy_failed(self):
+        rule_name = "os_compute_api:os-attach-interfaces:create"
        exc = self.assertRaises(
            exception.PolicyNotAuthorized,
            self.controller.create, self.req, fakes.FAKE_UUID, body={})
        self.assertEqual(
-            "Policy doesn't allow %s to be performed." % self.rule_name,
+            "Policy doesn't allow %s to be performed." % rule_name,
            exc.format_message())

    def test_delete_attach_interfaces_policy_failed(self):
+        rule_name = "os_compute_api:os-attach-interfaces:delete"
        exc = self.assertRaises(
            exception.PolicyNotAuthorized,
            self.controller.delete, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1)
        self.assertEqual(
-            "Policy doesn't allow %s to be performed." % self.rule_name,
+            "Policy doesn't allow %s to be performed." % rule_name,
            exc.format_message())
-
-    def test_attach_interfaces_create_policy_failed(self):
-        self.policy.set_rules({self.rule_name: "@",
-                               'os_compute_api:os-attach-interfaces:create':
-                               "!"})
-        exc = self.assertRaises(
-            exception.PolicyNotAuthorized,
-            self.controller.create, self.req, fakes.FAKE_UUID, body={})
-        self.assertEqual(
-            "Policy doesn't allow os_compute_api:os-attach-interfaces:create "
-            "to be performed.", exc.format_message())
-
-    def test_attach_interfaces_delete_policy_failed(self):
-        self.policy.set_rules({self.rule_name: "@",
-                               'os_compute_api:os-attach-interfaces:delete':
-                               "!"})
-        exc = self.assertRaises(
-            exception.PolicyNotAuthorized,
-            self.controller.delete, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1)
-        self.assertEqual(
-            "Policy doesn't allow os_compute_api:os-attach-interfaces:delete "
-            "to be performed.", exc.format_message())