Merge "Ability to specify a host restricted to admin."

2012-11-06 18:06:38 +00:00 · 2012-11-06 18:06:38 +00:00 · 5f1b486f03
commit 5f1b486f03
parent f45c67e356 f17ebebcf7
3 changed files with 20 additions and 1 deletions
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@ -7,6 +7,7 @@
    "compute:create": "",
    "compute:create:attach_network": "",
    "compute:create:attach_volume": "",
+    "compute:create:forced_host": "is_admin:True",
    "compute:get_all": "",


--- a/nova/compute/api.py
+++ b/nova/compute/api.py
@ -500,7 +500,8 @@ class API(base.Base):
            LOG.debug(_("Going to run %s instances...") % num_instances)

            filter_properties = dict(scheduler_hints=scheduler_hints)
-            if context.is_admin and forced_host:
+            if forced_host:
+                check_policy(context, 'create:forced_host', {})
                filter_properties['force_hosts'] = [forced_host]

            for i in xrange(num_instances):
--- a/nova/tests/compute/test_compute.py
+++ b/nova/tests/compute/test_compute.py
@ -5220,6 +5220,23 @@ class ComputePolicyTestCase(BaseTestCase):
                          self.compute_api.get_instance_faults,
                          self.context, instances)

+    def test_force_host_fail(self):
+        rules = {"compute:create": [],
+                 "compute:create:forced_host": [["role:fake"]]}
+        self._set_rules(rules)
+
+        self.assertRaises(exception.PolicyNotAuthorized,
+                          self.compute_api.create, self.context, None, '1',
+                          availability_zone='1:1')
+
+    def test_force_host_pass(self):
+        rules = {"compute:create": [],
+                 "compute:create:forced_host": []}
+        self._set_rules(rules)
+
+        self.compute_api.create(self.context, None, '1',
+                                availability_zone='1:1')
+

 class ComputeHostAPITestCase(BaseTestCase):
    def setUp(self):