From 55e16ea11fc1dafacae5ac8b404909ff705aa9da Mon Sep 17 00:00:00 2001 From: Ghanshyam Date: Thu, 30 Jan 2020 20:50:27 -0600 Subject: [PATCH] Remove old policy enforcement in attach_interfaces os-attach-interfaces API policy for create and delete have been granular in Icf1f0dd12920a2c6126e52a548f3fa4636b431d6 and old rule enforcement were kept to support the old deployement. It's been 3.5 years and we did not remove the old rule from these two APIs. This commit removes the old rule enforcement. Partial implement blueprint policy-defaults-refresh [1] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/attach_interfaces.py#L142 Change-Id: Icdf6302b332ccf23f36c4106c194af71877f2813 --- .../openstack/compute/attach_interfaces.py | 4 --- .../compute/test_attach_interfaces.py | 28 +++---------------- 2 files changed, 4 insertions(+), 28 deletions(-) diff --git a/nova/api/openstack/compute/attach_interfaces.py b/nova/api/openstack/compute/attach_interfaces.py index ff53d92e6bfb..23bb19053b68 100644 --- a/nova/api/openstack/compute/attach_interfaces.py +++ b/nova/api/openstack/compute/attach_interfaces.py @@ -140,8 +140,6 @@ class InterfaceAttachmentController(wsgi.Controller): context = req.environ['nova.context'] instance = common.get_instance(self.compute_api, context, server_id) - context.can(ai_policies.BASE_POLICY_NAME, - target={'project_id': instance.project_id}) context.can(ai_policies.POLICY_ROOT % 'create', target={'project_id': instance.project_id}) @@ -205,8 +203,6 @@ class InterfaceAttachmentController(wsgi.Controller): instance = common.get_instance(self.compute_api, context, server_id, expected_attrs=['device_metadata']) - context.can(ai_policies.BASE_POLICY_NAME, - target={'project_id': instance.project_id}) context.can(ai_policies.POLICY_ROOT % 'delete', target={'project_id': instance.project_id}) port_id = id 
diff --git a/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py b/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py
index caf9fcbede18..669d85f81944 100644
--- a/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py
+++ b/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py
@@ -613,39 +613,19 @@ class AttachInterfacesPolicyEnforcementv21(test.NoDBTestCase): exc.format_message()) def test_create_attach_interfaces_policy_failed(self): + rule_name = "os_compute_api:os-attach-interfaces:create" exc = self.assertRaises( exception.PolicyNotAuthorized, self.controller.create, self.req, fakes.FAKE_UUID, body={}) self.assertEqual( - "Policy doesn't allow %s to be performed." % self.rule_name, + "Policy doesn't allow %s to be performed." % rule_name, exc.format_message()) def test_delete_attach_interfaces_policy_failed(self): + rule_name = "os_compute_api:os-attach-interfaces:delete" exc = self.assertRaises( exception.PolicyNotAuthorized, self.controller.delete, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1) self.assertEqual( - "Policy doesn't allow %s to be performed." % self.rule_name, + "Policy doesn't allow %s to be performed." % rule_name, exc.format_message()) - - def test_attach_interfaces_create_policy_failed(self): - self.policy.set_rules({self.rule_name: "@", - 'os_compute_api:os-attach-interfaces:create': - "!"}) - exc = self.assertRaises( - exception.PolicyNotAuthorized, - self.controller.create, self.req, fakes.FAKE_UUID, body={}) - self.assertEqual( - "Policy doesn't allow os_compute_api:os-attach-interfaces:create " - "to be performed.", exc.format_message()) - - def test_attach_interfaces_delete_policy_failed(self): - self.policy.set_rules({self.rule_name: "@", - 'os_compute_api:os-attach-interfaces:delete': - "!"}) - exc = self.assertRaises( - exception.PolicyNotAuthorized, - self.controller.delete, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1) - self.assertEqual( - "Policy doesn't allow os_compute_api:os-attach-interfaces:delete " - "to be performed.", exc.format_message())
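Review bot: Neither rewritten test sets the rule it names: `rule_name` appears only in the expected message, so the denial depends on whatever setUp installs, and setUp is outside this hunk. The deleted tests pinned the granular rule to `"!"` explicitly; calling `self.policy.set_rules({rule_name: "!"})` at the top of `test_create_attach_interfaces_policy_failed` and `test_delete_attach_interfaces_policy_failed` would show that the granular rule alone rejects the request. With the `BASE_POLICY_NAME` checks removed from create and delete, no test in this hunk covers how the base rule now relates to those calls. A deployment that overrides only the base rule presumably loses that restriction on create and delete, and the diffstat lists no release note telling operators to move such overrides to the `:create` and `:delete` rules.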