Merge "Convert SYSTEM_ADMIN|READER to Admin and system scope"

This commit is contained in:
Zuul 2022-02-24 18:26:45 +00:00 committed by Gerrit Code Review
commit 6085783c64
15 changed files with 334 additions and 563 deletions


@ -25,7 +25,7 @@ NEW_POLICY_ROOT = 'compute:aggregates:%s'
aggregates_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'set_metadata',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description="Create or replace metadata for an aggregate",
operations=[
{
@ -36,7 +36,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'add_host',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description="Add a host to an aggregate",
operations=[
{
@ -47,7 +47,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description="Create an aggregate",
operations=[
{
@ -58,7 +58,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'remove_host',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description="Remove a host from an aggregate",
operations=[
{
@ -69,7 +69,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description="Update name and/or availability zone for an aggregate",
operations=[
{
@ -80,7 +80,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="List all aggregates",
operations=[
{
@ -91,7 +91,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description="Delete an aggregate",
operations=[
{
@ -102,7 +102,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="Show details for an aggregate",
operations=[
{
@ -113,7 +113,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=NEW_POLICY_ROOT % 'images',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description="Request image caching for an aggregate",
operations=[
{
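Review bot: The `index` and `show` rules, where `check_str=base.ADMIN` replaces `base.SYSTEM_READER`, drop read access for system-member and system-reader tokens, and no `deprecated_rule=` is visible on either rule (each closes with `scope_types=['system']),`), so unless one is supplied outside the hunk there is no fallback during a deprecation window. If the hard cut is intended, the description or a release note should say that reader-role access to these read-only APIs was removed; otherwise a `deprecated_rule=` carrying the previous `base.SYSTEM_READER` default for one cycle would keep existing reader tokens working. The same pattern appears on `detail` in the availability-zone policy hunk and `show` in the quota-class-sets policy hunk below; the rules that do show a `deprecated_rule=` (baremetal nodes, hosts, hypervisors, services) are a separate case. `aggregates_policies` continues past the end of the hunk.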


@ -36,7 +36,7 @@ availability_zone_policies = [
scope_types=['system', 'project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'detail',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="List detailed availability zone information with host "
"information",
operations=[


@ -38,7 +38,7 @@ DEPRECATED_BAREMETAL_POLICY = policy.DeprecatedRule(
baremetal_nodes_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="""List and show details of bare metal nodes.
These APIs are proxy calls to the Ironic service and are deprecated.
@ -53,7 +53,7 @@ These APIs are proxy calls to the Ironic service and are deprecated.
deprecated_rule=DEPRECATED_BAREMETAL_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="""Show action details for a server.""",
operations=[
{


@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
hosts_policies = [
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'list',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="""List physical hosts.
This API is deprecated in favor of os-hypervisors and os-services.""",
@ -52,7 +52,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'show',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="""Show physical host.
This API is deprecated in favor of os-hypervisors and os-services.""",
@ -66,7 +66,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'update',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description="""Update physical host.
This API is deprecated in favor of os-hypervisors and os-services.""",
@ -80,7 +80,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'reboot',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description="""Reboot physical host.
This API is deprecated in favor of os-hypervisors and os-services.""",
@ -94,7 +94,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'shutdown',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description="""Shutdown physical host.
This API is deprecated in favor of os-hypervisors and os-services.""",
@ -108,7 +108,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'start',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description="""Start physical host.
This API is deprecated in favor of os-hypervisors and os-services.""",


@ -37,7 +37,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
hypervisors_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="List all hypervisors.",
operations=[
{
@ -49,7 +49,7 @@ hypervisors_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list-detail',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="List all hypervisors with details",
operations=[
{
@ -61,7 +61,7 @@ hypervisors_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'statistics',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="Show summary statistics for all hypervisors "
"over all compute nodes.",
operations=[
@ -74,7 +74,7 @@ hypervisors_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="Show details for a hypervisor.",
operations=[
{
@ -86,7 +86,7 @@ hypervisors_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'uptime',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="Show the uptime of a hypervisor.",
operations=[
{
@ -98,7 +98,7 @@ hypervisors_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'search',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="Search hypervisor by hypervisor_hostname pattern.",
operations=[
{
@ -110,7 +110,7 @@ hypervisors_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'servers',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="List all servers on hypervisors that can match "
"the provided hypervisor_hostname pattern.",
operations=[


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-class-sets:%s'
quota_class_sets_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="List quotas for specific quota classs",
operations=[
{
@ -35,7 +35,7 @@ quota_class_sets_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Update quotas for specific quota class',
operations=[
{
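Review bot: The `show` rule's description, the context line directly under the new `check_str=base.ADMIN`, reads `"List quotas for specific quota classs"`; this string is rendered into the generated policy reference, so the stray `s` is user-visible. Since the hunk already touches this rule, changing it to `description="List quotas for specific quota class",` here would be a cheap drive-by. `quota_class_sets_policies` continues past the end of the hunk.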


@ -37,7 +37,7 @@ DEPRECATED_SERVICE_POLICY = policy.DeprecatedRule(
services_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description="List all running Compute services in a region.",
operations=[
{
@ -49,7 +49,7 @@ services_policies = [
deprecated_rule=DEPRECATED_SERVICE_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'update',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description="Update a Compute service.",
operations=[
{
@ -62,7 +62,7 @@ services_policies = [
deprecated_rule=DEPRECATED_SERVICE_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'delete',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description="Delete a Compute service.",
operations=[
{


@ -139,6 +139,8 @@ class BasePolicyTest(test.TestCase):
# To simulate the new world, remove deprecations by overriding
# rules which has the deprecated rules.
self.rules_without_deprecation.update({
"context_is_admin":
"role:admin",
"system_admin_or_owner":
"rule:system_admin_api or rule:project_member_api",
"system_or_project_reader":
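Review bot: The new `"context_is_admin": "role:admin"` entry carries no explanation, while the comment above the `update({...})` only talks about overriding rules that have deprecated alternatives, and `context_is_admin` is not obviously one of them. A one-line comment above the entry, e.g. `# presumably what base.ADMIN resolves to; pinned to the plain role check so no deprecated alternative widens it` (reworded to the actual reason), would save the next reader a trip to the base policy module. The `update({...})` call continues outside the hunk.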


@ -31,39 +31,19 @@ class AggregatesPolicyTest(base.BasePolicyTest):
super(AggregatesPolicyTest, self).setUp()
self.controller = aggregates.AggregateController()
self.req = fakes.HTTPRequest.blank('')
# Check that admin is able to perform Aggregate Operations
self.admin_authorized_contexts = [
# With legacy rule and scope check disabled by default, system admin,
# legacy admin, and project admin will be able to perform Aggregate
# Operations.
self.system_admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context]
# Check that non-admin is not able to perform Aggregate Operations
self.admin_unauthorized_contexts = [
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.project_member_context,
self.other_project_member_context,
self.other_project_reader_context,
self.project_foo_context, self.project_reader_context
]
# Check that system reader is able to get Aggregate
self.system_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.system_member_context,
self.system_reader_context]
# Check that non-admin is not able to get Aggregate
self.system_reader_unauthorized_contexts = [
self.system_foo_context, self.project_member_context,
self.other_project_member_context,
self.other_project_reader_context,
self.project_foo_context, self.project_reader_context
]
@mock.patch('nova.compute.api.AggregateAPI.get_aggregate_list')
def test_list_aggregate_policy(self, mock_list):
rule_name = "os_compute_api:os-aggregates:index"
self.common_policy_check(self.system_reader_authorized_contexts,
self.system_reader_unauthorized_contexts,
rule_name, self.controller.index,
self.req)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.index,
self.req)
@mock.patch('nova.compute.api.AggregateAPI.create_aggregate')
def test_create_aggregate_policy(self, mock_create):
@ -74,66 +54,59 @@ class AggregatesPolicyTest(base.BasePolicyTest):
"hosts": ["host1", "host2"]})
body = {"aggregate": {"name": "test",
"availability_zone": "nova1"}}
self.common_policy_check(self.admin_authorized_contexts,
self.admin_unauthorized_contexts,
rule_name,
self.controller.create,
self.req, body=body)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name,
self.controller.create,
self.req, body=body)
@mock.patch('nova.compute.api.AggregateAPI.update_aggregate')
def test_update_aggregate_policy(self, mock_update):
rule_name = "os_compute_api:os-aggregates:update"
self.common_policy_check(self.admin_authorized_contexts,
self.admin_unauthorized_contexts,
rule_name, self.controller.update,
self.req, 1,
body={"aggregate": {"name": "new_name"}})
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.update,
self.req, 1,
body={"aggregate": {"name": "new_name"}})
@mock.patch('nova.compute.api.AggregateAPI.delete_aggregate')
def test_delete_aggregate_policy(self, mock_delete):
rule_name = "os_compute_api:os-aggregates:delete"
self.common_policy_check(self.admin_authorized_contexts,
self.admin_unauthorized_contexts,
rule_name,
self.controller.delete,
self.req, 1)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name,
self.controller.delete,
self.req, 1)
@mock.patch('nova.compute.api.AggregateAPI.get_aggregate')
def test_show_aggregate_policy(self, mock_show):
rule_name = "os_compute_api:os-aggregates:show"
self.common_policy_check(self.system_reader_authorized_contexts,
self.system_reader_unauthorized_contexts,
rule_name, self.controller.show,
self.req, 1)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.show,
self.req, 1)
@mock.patch('nova.compute.api.AggregateAPI.update_aggregate_metadata')
def test_set_metadata_aggregate_policy(self, mock_metadata):
rule_name = "os_compute_api:os-aggregates:set_metadata"
body = {"set_metadata": {"metadata": {"foo": "bar"}}}
self.common_policy_check(self.admin_authorized_contexts,
self.admin_unauthorized_contexts,
rule_name,
self.controller._set_metadata,
self.req, 1, body=body)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name,
self.controller._set_metadata,
self.req, 1, body=body)
@mock.patch('nova.compute.api.AggregateAPI.add_host_to_aggregate')
def test_add_host_aggregate_policy(self, mock_add):
rule_name = "os_compute_api:os-aggregates:add_host"
self.common_policy_check(self.admin_authorized_contexts,
self.admin_unauthorized_contexts,
rule_name, self.controller._add_host,
self.req, 1,
body={"add_host": {"host": "host1"}})
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller._add_host,
self.req, 1,
body={"add_host": {"host": "host1"}})
@mock.patch('nova.compute.api.AggregateAPI.remove_host_from_aggregate')
def test_remove_host_aggregate_policy(self, mock_remove):
rule_name = "os_compute_api:os-aggregates:remove_host"
self.common_policy_check(self.admin_authorized_contexts,
self.admin_unauthorized_contexts,
rule_name,
self.controller._remove_host,
self.req, 1,
body={"remove_host": {"host": "host1"}})
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name,
self.controller._remove_host,
self.req, 1,
body={"remove_host": {"host": "host1"}})
@mock.patch('nova.compute.api.AggregateAPI.get_aggregate')
def test_images_aggregate_policy(self, mock_get):
@ -144,10 +117,21 @@ class AggregatesPolicyTest(base.BasePolicyTest):
body = {'cache': [{'id': uuids.fake_id}]}
req = fakes.HTTPRequest.blank('', version='2.81')
with mock.patch('nova.conductor.api.ComputeTaskAPI.cache_images'):
self.common_policy_check(self.admin_authorized_contexts,
self.admin_unauthorized_contexts,
rule_name, self.controller.images,
req, 1, body=body)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.images,
req, 1, body=body)
class AggregatesNoLegacyNoScopePolicyTest(AggregatesPolicyTest):
"""Test Aggregates APIs policies with no legacy deprecated rules
and no scope checks which means new defaults only. In this case
system admin, legacy admin, and project admin will be able to
perform Aggregate Operations. Legacy admin will be allowed as policy
is just admin if no scope checks.
"""
without_deprecated_rules = True
class AggregatesScopeTypePolicyTest(AggregatesPolicyTest):
@ -164,28 +148,15 @@ class AggregatesScopeTypePolicyTest(AggregatesPolicyTest):
super(AggregatesScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Check that system admin is able to perform Aggregate Operations.
self.admin_authorized_contexts = [
self.system_admin_context]
# Check that non-system or non-admin is not able to perform
# With scope checks enable, only system admin is able to perform
# Aggregate Operations.
self.admin_unauthorized_contexts = [
self.legacy_admin_context, self.system_member_context,
self.system_reader_context, self.system_foo_context,
self.project_admin_context, self.project_member_context,
self.other_project_member_context,
self.other_project_reader_context,
self.project_foo_context, self.project_reader_context
]
# Check that system reader is able to get Aggregate
self.system_reader_authorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context]
# Check that non-admin is not able to get Aggregate
self.system_reader_unauthorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.system_foo_context, self.project_member_context,
self.other_project_member_context,
self.other_project_reader_context,
self.project_foo_context, self.project_reader_context
]
self.system_admin_authorized_contexts = [self.system_admin_context]
class AggregatesScopeTypeNoLegacyPolicyTest(AggregatesScopeTypePolicyTest):
"""Test Aggregates APIs policies with no legacy deprecated rules
and scope checks enabled which means scope + new defaults so
only system admin is able to perform aggregates Operations.
"""
without_deprecated_rules = True
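Review bot: The new comment in `AggregatesScopeTypePolicyTest.setUp`, `# With scope checks enable, only system admin is able to perform`, should read `enabled`; the same wording is repeated in the availability-zone, baremetal-nodes and hosts test hunks below. Separately, every test now passes only `self.system_admin_authorized_contexts` to `common_policy_auth`, so the reader/member denial that the removed `*_unauthorized_contexts` lists spelled out is no longer visible in this file; if the helper derives the denied set from `self.all_contexts` (which the next file uses directly), a short comment on the base-class list saying so would make that contract explicit. `common_policy_auth` itself is outside the hunk.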


@ -31,49 +31,37 @@ class AvailabilityZonePolicyTest(base.BasePolicyTest):
self.controller = availability_zone.AvailabilityZoneController()
self.req = fakes.HTTPRequest.blank('')
# Check that everyone is able to list the AZ
self.everyone_authorized_contexts = [
# With legacy rule and scope check disabled by default, system admin,
# legacy admin, and project admin will be able to get AZ with host
# information.
self.system_admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.system_member_context,
self.system_reader_context, self.system_foo_context,
self.project_member_context, self.other_project_member_context,
self.project_foo_context, self.project_reader_context,
self.other_project_reader_context,
]
self.everyone_unauthorized_contexts = []
# Check that system reader is able to list the AZ Detail
# NOTE(gmann): Until old default rule which is admin_api is
# deprecated and not removed, project admin and legacy admin
# will be able to list the AZ. This make sure that existing
# tokens will keep working even we have changed this policy defaults
# to reader role.
self.reader_authorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context, self.legacy_admin_context,
self.project_admin_context]
# Check that non-system-reader are not able to list the AZ.
self.reader_unauthorized_contexts = [
self.system_foo_context, self.other_project_member_context,
self.project_foo_context, self.project_member_context,
self.project_reader_context,
self.other_project_reader_context,
]
@mock.patch('nova.objects.Instance.save')
def test_availability_zone_list_policy(self, mock_save):
rule_name = "os_compute_api:os-availability-zone:list"
self.common_policy_check(self.everyone_authorized_contexts,
self.everyone_unauthorized_contexts,
rule_name, self.controller.index,
self.req)
self.common_policy_auth(self.all_contexts,
rule_name, self.controller.index,
self.req)
def test_availability_zone_detail_policy(self):
rule_name = "os_compute_api:os-availability-zone:detail"
self.common_policy_check(self.reader_authorized_contexts,
self.reader_unauthorized_contexts,
rule_name, self.controller.detail,
self.req)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.detail,
self.req)
class AvailabilityZoneNoLegacyNoScopePolicyTest(AvailabilityZonePolicyTest):
"""Test Availability Zones APIs policies with no legacy deprecated rules
and no scope checks which means new defaults only. In this case
system admin, legacy admin, and project admin will be able to get
AZ with host information. Legacy admin will be allowed as policy
is just admin if no scope checks.
"""
without_deprecated_rules = True
class AvailabilityZoneScopeTypePolicyTest(AvailabilityZonePolicyTest):
@ -91,15 +79,15 @@ class AvailabilityZoneScopeTypePolicyTest(AvailabilityZonePolicyTest):
super(AvailabilityZoneScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Check that system reader is able to list the AZ.
self.reader_authorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context]
# Check that non-system-reader is not able to list AZ.
self.reader_unauthorized_contexts = [
self.system_foo_context, self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.other_project_member_context,
self.project_foo_context, self.project_reader_context,
self.other_project_reader_context,
]
# With scope checks enable, only system admin is able to get
# AZ with host information.
self.system_admin_authorized_contexts = [self.system_admin_context]
class AZScopeTypeNoLegacyPolicyTest(AvailabilityZoneScopeTypePolicyTest):
"""Test Availability Zones APIs policies with no legacy deprecated rules
and scope checks enabled which means scope + new defaults so
only system admin is able to get AZ with host information.
"""
without_deprecated_rules = True
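Review bot: `AZScopeTypeNoLegacyPolicyTest` abbreviates the prefix while its siblings in this commit spell it out (`AggregatesScopeTypeNoLegacyPolicyTest`, `HostsScopeTypeNoLegacyPolicyTest`); `BNScopeTypeNoLegacyPolicyTest` in the baremetal-nodes test has the same inconsistency. If the name was shortened to keep the `class` line within the line-length limit, wrapping the base class, `class AvailabilityZoneScopeTypeNoLegacyPolicyTest(` / `        AvailabilityZoneScopeTypePolicyTest):`, keeps the naming convention without exceeding it.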


@ -40,25 +40,17 @@ class BaremetalNodesPolicyTest(base.BasePolicyTest):
self.stub_out('nova.api.openstack.compute.'
'baremetal_nodes._get_ironic_client',
lambda *_: FAKE_IRONIC_CLIENT)
# Check that system reader is able to get baremetal nodes.
self.system_reader_authorized_contexts = [
# With legacy rule and scope check disabled by default, system admin,
# legacy admin, and project admin will be able to get baremetal nodes.
self.system_admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.system_member_context,
self.system_reader_context]
# Check that non-system-reader is not able to get baremetal nodes.
self.system_reader_unauthorized_contexts = [
self.system_foo_context, self.project_member_context,
self.other_project_member_context,
self.project_foo_context, self.project_reader_context,
self.other_project_reader_context
]
self.project_admin_context]
def test_index_nodes_policy(self):
rule_name = "os_compute_api:os-baremetal-nodes:list"
self.common_policy_check(self.system_reader_authorized_contexts,
self.system_reader_unauthorized_contexts,
rule_name, self.controller.index,
self.req)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.index,
self.req)
@mock.patch.object(FAKE_IRONIC_CLIENT.node, 'list_ports')
@mock.patch.object(FAKE_IRONIC_CLIENT.node, 'get')
@ -69,11 +61,22 @@ class BaremetalNodesPolicyTest(base.BasePolicyTest):
mock_get.return_value = node
mock_port.return_value = []
self.common_policy_check(self.system_reader_authorized_contexts,
self.system_reader_unauthorized_contexts,
rule_name,
self.controller.show,
self.req, uuids.fake_id)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name,
self.controller.show,
self.req, uuids.fake_id)
class BaremetalNodesNoLegacyNoScopePolicyTest(BaremetalNodesPolicyTest):
"""Test Baremetal Nodes APIs policies with no legacy deprecated rules
and no scope checks which means new defaults only. In that case
system admin, legacy admin, and project admin will be able to get
Baremetal nodes Legacy admin will be allowed as policy is just admin if
no scope checks.
"""
without_deprecated_rules = True
class BaremetalNodesScopeTypePolicyTest(BaremetalNodesPolicyTest):
@ -91,28 +94,20 @@ class BaremetalNodesScopeTypePolicyTest(BaremetalNodesPolicyTest):
super(BaremetalNodesScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Check that system reader is able to get baremetal nodes.
self.system_reader_authorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context]
# Check that non-system or non-reader is not able to get
# With scope checks enable, only system admin is able to get
# baremetal nodes.
self.system_reader_unauthorized_contexts = [
self.legacy_admin_context, self.system_foo_context,
self.project_admin_context, self.project_member_context,
self.other_project_member_context,
self.project_foo_context, self.project_reader_context,
self.other_project_reader_context
]
self.system_admin_authorized_contexts = [self.system_admin_context]
class BaremetalNodesNoLegacyPolicyTest(BaremetalNodesScopeTypePolicyTest):
"""Test Baremetal Nodes APIs policies with system scope enabled,
and no more deprecated rules.
class BNScopeTypeNoLegacyPolicyTest(BaremetalNodesScopeTypePolicyTest):
"""Test Baremetal Nodes APIs policies with no legacy deprecated rules
and scope checks enabled which means scope + new defaults so
only system admin is able to get baremetal nodes.
"""
without_deprecated_rules = True
rules_without_deprecation = {
policies.BASE_POLICY_NAME % 'list':
base_policy.SYSTEM_READER,
base_policy.ADMIN,
policies.BASE_POLICY_NAME % 'show':
base_policy.SYSTEM_READER}
base_policy.ADMIN}
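Review bot: The new `BaremetalNodesNoLegacyNoScopePolicyTest` docstring runs two sentences together, `Baremetal nodes Legacy admin will be allowed as policy is just admin if`; it should read `Baremetal nodes. Legacy admin will be allowed as policy is just admin if`. The sibling docstrings in the aggregates and availability-zone tests have the full stop, so this one is the odd one out.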


@ -32,37 +32,19 @@ class HostsPolicyTest(base.BasePolicyTest):
self.controller = hosts.HostController()
self.req = fakes.HTTPRequest.blank('')
# Check that admin is able to perform operations on hosts.
# With legacy rule and scope check disabled by default, system admin,
# legacy admin, and project admin will be able to perform hosts
# Operations.
self.system_admin_authorized_contexts = [
self.system_admin_context, self.legacy_admin_context,
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context]
# Check that non-admin is not able to perform operations
# on hosts.
self.system_admin_unauthorized_contexts = [
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.other_project_member_context,
self.project_foo_context, self.project_member_context,
self.project_reader_context, self.other_project_reader_context
]
self.system_reader_authorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context, self.legacy_admin_context,
self.project_admin_context
]
self.system_reader_unauthorized_contexts = [
self.project_foo_context, self.system_foo_context,
self.project_member_context, self.project_reader_context,
self.other_project_member_context,
self.other_project_reader_context
]
@mock.patch('nova.compute.api.HostAPI.service_get_all')
def test_list_hosts_policy(self, mock_get):
rule_name = policies.POLICY_NAME % 'list'
self.common_policy_check(self.system_reader_authorized_contexts,
self.system_reader_unauthorized_contexts,
rule_name, self.controller.index,
self.req)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.index,
self.req)
@mock.patch('nova.context.set_target_cell')
@mock.patch('nova.objects.HostMapping.get_by_host')
@ -71,41 +53,48 @@ class HostsPolicyTest(base.BasePolicyTest):
@mock.patch('nova.compute.api.HostAPI.instance_get_all_by_host')
def test_show_host_policy(self, mock_get, mock_node, mock_map, mock_set):
rule_name = policies.POLICY_NAME % 'show'
self.common_policy_check(self.system_reader_authorized_contexts,
self.system_reader_unauthorized_contexts,
rule_name, self.controller.show,
self.req, 11111)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.show,
self.req, 11111)
def test_update_host_policy(self):
rule_name = policies.POLICY_NAME % 'update'
self.common_policy_check(self.system_admin_authorized_contexts,
self.system_admin_unauthorized_contexts,
rule_name, self.controller.update,
self.req, 11111, body={})
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.update,
self.req, 11111, body={})
@mock.patch('nova.compute.api.HostAPI.host_power_action')
def test_reboot_host_policy(self, mock_action):
rule_name = policies.POLICY_NAME % 'reboot'
self.common_policy_check(self.system_admin_authorized_contexts,
self.system_admin_unauthorized_contexts,
rule_name, self.controller.reboot,
self.req, 11111)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.reboot,
self.req, 11111)
@mock.patch('nova.compute.api.HostAPI.host_power_action')
def test_shutdown_host_policy(self, mock_action):
rule_name = policies.POLICY_NAME % 'shutdown'
self.common_policy_check(self.system_admin_authorized_contexts,
self.system_admin_unauthorized_contexts,
rule_name, self.controller.shutdown,
self.req, 11111)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.shutdown,
self.req, 11111)
@mock.patch('nova.compute.api.HostAPI.host_power_action')
def test_startup_host_policy(self, mock_action):
rule_name = policies.POLICY_NAME % 'start'
self.common_policy_check(self.system_admin_authorized_contexts,
self.system_admin_unauthorized_contexts,
rule_name, self.controller.startup,
self.req, 11111)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.startup,
self.req, 11111)
class HostsNoLegacyNoScopePolicyTest(HostsPolicyTest):
"""Test Hosts APIs policies with no legacy deprecated rules
and no scope checks which means new defaults only. In this case
system admin, legacy admin, and project admin will be able to perform
hosts Operations. Legacy admin will be allowed as policy is just admin
if no scope checks.
"""
without_deprecated_rules = True
class HostsScopeTypePolicyTest(HostsPolicyTest):
@ -122,72 +111,28 @@ class HostsScopeTypePolicyTest(HostsPolicyTest):
super(HostsScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Check that system admin is able to perform operations on hosts.
self.system_admin_authorized_contexts = [
self.system_admin_context]
# Check that system non-admin is not able to perform operations
# on hosts.
self.system_admin_unauthorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.other_project_member_context,
self.project_foo_context, self.project_member_context,
self.project_reader_context, self.other_project_reader_context
]
self.system_reader_authorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context
]
self.system_reader_unauthorized_contexts = [
self.legacy_admin_context, self.project_foo_context,
self.system_foo_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.other_project_member_context,
self.other_project_reader_context
]
# With scope checks enable, only system admin is able to perform
# hosts Operations.
self.system_admin_authorized_contexts = [self.system_admin_context]
class HostsNoLegacyPolicyTest(HostsScopeTypePolicyTest):
"""Test Hosts APIs policies with system scope enabled,
and no more deprecated rules that allow the legacy admin API to
access system_admin_or_owner APIs.
class HostsScopeTypeNoLegacyPolicyTest(HostsScopeTypePolicyTest):
"""Test Hosts APIs policies with with no legacy deprecated rules
and scope checks enabled which means scope + new defaults. So
only system admin is able to perform hosts Operations.
"""
without_deprecated_rules = True
rules_without_deprecation = {
policies.POLICY_NAME % 'list':
base_policy.SYSTEM_READER,
base_policy.ADMIN,
policies.POLICY_NAME % 'show':
base_policy.SYSTEM_READER,
base_policy.ADMIN,
policies.POLICY_NAME % 'update':
base_policy.SYSTEM_ADMIN,
base_policy.ADMIN,
policies.POLICY_NAME % 'reboot':
base_policy.SYSTEM_ADMIN,
base_policy.ADMIN,
policies.POLICY_NAME % 'shutdown':
base_policy.SYSTEM_ADMIN,
base_policy.ADMIN,
policies.POLICY_NAME % 'startup':
base_policy.SYSTEM_ADMIN}
def setUp(self):
super(HostsNoLegacyPolicyTest, self).setUp()
self.system_reader_authorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context
]
self.system_reader_unauthorized_contexts = [
self.legacy_admin_context, self.project_foo_context,
self.system_foo_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.other_project_member_context,
self.other_project_reader_context
]
self.system_admin_authorized_contexts = [
self.system_admin_context
]
self.system_admin_unauthorized_contexts = [
self.system_member_context, self.system_reader_context,
self.project_admin_context, self.project_member_context,
self.legacy_admin_context, self.other_project_member_context,
self.project_reader_context, self.project_foo_context,
self.system_foo_context, self.other_project_reader_context
]
base_policy.ADMIN}
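Review bot: The `rules_without_deprecation` entry changed in the last hunk is keyed `policies.POLICY_NAME % 'startup'`, but the rule in the hosts policy file is defined as `POLICY_NAME % 'start'` and `test_startup_host_policy` itself uses `policies.POLICY_NAME % 'start'`, so this override (now `base_policy.ADMIN`) targets a rule name that is never registered and the `start` rule keeps its deprecated alternative in the no-legacy test (assuming `policies` here is the hosts policy module, imported outside the hunk). The key should be `policies.POLICY_NAME % 'start':`. Also the new `HostsScopeTypeNoLegacyPolicyTest` docstring line `"""Test Hosts APIs policies with with no legacy deprecated rules` repeats `with`.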


@ -36,76 +36,67 @@ class HypervisorsPolicyTest(base.BasePolicyTest):
self.controller.host_api.service_get_by_compute_host = mock.MagicMock()
self.controller.host_api.compute_node_get = mock.MagicMock()
# Check that system scoped admin, member and reader are able to
# perform operations on hypervisors.
# NOTE(gmann): Until old default rule which is admin_api is
# deprecated and not removed, project admin and legacy admin
# will be able to get hypervisors. This make sure that existing
# tokens will keep working even we have changed this policy defaults
# to reader role.
self.reader_authorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context, self.legacy_admin_context,
# With legacy rule and scope check disabled by default, system admin,
# legacy admin, and project admin will be able to perform hypervisors
# Operations.
self.system_admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context]
# Check that non-system-reader are not able to perform operations
# on hypervisors
self.reader_unauthorized_contexts = [
self.system_foo_context, self.other_project_member_context,
self.project_foo_context, self.project_member_context,
self.project_reader_context,
self.other_project_reader_context,
]
def test_list_hypervisors_policy(self):
rule_name = hv_policies.BASE_POLICY_NAME % 'list'
self.common_policy_check(self.reader_authorized_contexts,
self.reader_unauthorized_contexts,
rule_name, self.controller.index,
self.req)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.index,
self.req)
def test_list_details_hypervisors_policy(self):
rule_name = hv_policies.BASE_POLICY_NAME % 'list-detail'
self.common_policy_check(self.reader_authorized_contexts,
self.reader_unauthorized_contexts,
rule_name, self.controller.detail,
self.req)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.detail,
self.req)
def test_show_hypervisors_policy(self):
rule_name = hv_policies.BASE_POLICY_NAME % 'show'
self.common_policy_check(self.reader_authorized_contexts,
self.reader_unauthorized_contexts,
rule_name, self.controller.show,
self.req, 11111)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.show,
self.req, 11111)
@mock.patch('nova.compute.api.HostAPI.get_host_uptime')
def test_uptime_hypervisors_policy(self, mock_uptime):
rule_name = hv_policies.BASE_POLICY_NAME % 'uptime'
self.common_policy_check(self.reader_authorized_contexts,
self.reader_unauthorized_contexts,
rule_name, self.controller.uptime,
self.req, 11111)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.uptime,
self.req, 11111)
def test_search_hypervisors_policy(self):
rule_name = hv_policies.BASE_POLICY_NAME % 'search'
self.common_policy_check(self.reader_authorized_contexts,
self.reader_unauthorized_contexts,
rule_name, self.controller.search,
self.req, 11111)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.search,
self.req, 11111)
def test_servers_hypervisors_policy(self):
rule_name = hv_policies.BASE_POLICY_NAME % 'servers'
self.common_policy_check(self.reader_authorized_contexts,
self.reader_unauthorized_contexts,
rule_name, self.controller.servers,
self.req, 11111)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.servers,
self.req, 11111)
@mock.patch('nova.compute.api.HostAPI.compute_node_statistics')
def test_statistics_hypervisors_policy(self, mock_statistics):
rule_name = hv_policies.BASE_POLICY_NAME % 'statistics'
self.common_policy_check(self.reader_authorized_contexts,
self.reader_unauthorized_contexts,
rule_name, self.controller.statistics,
self.req)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.statistics,
self.req)
class HypervisorsNoLegacyNoScopePolicyTest(HypervisorsPolicyTest):
"""Test Hypervisors APIs policies with no legacy deprecated rules
and no scope checks which means new defaults only. In this case
system admin, legacy admin, and project admin will be able to perform
Hypervisors Operations. Legacy admin will be allowed as policy is just
admin if no scope checks.
"""
without_deprecated_rules = True
class HypervisorsScopeTypePolicyTest(HypervisorsPolicyTest):
@ -122,40 +113,32 @@ class HypervisorsScopeTypePolicyTest(HypervisorsPolicyTest):
super(HypervisorsScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Check that system reader is able to perform operations
# on hypervisors.
self.reader_authorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context]
# Check that non-system-reader is not able to perform operations
# on hypervisors.
self.reader_unauthorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.system_foo_context, self.project_member_context,
self.other_project_member_context,
self.other_project_reader_context,
self.project_foo_context, self.project_reader_context
]
# With scope checks enable, only system admin is able to perform
# hypervisors Operations.
self.system_admin_authorized_contexts = [self.system_admin_context]
class HypervisorsNoLegacyPolicyTest(HypervisorsScopeTypePolicyTest):
"""Test Hypervisors APIs policies with system scope enabled,
and no more deprecated rules.
class HypervisorsScopeTypeNoLegacyPolicyTest(HypervisorsScopeTypePolicyTest):
"""Test Hypervisors APIs policies with no legacy deprecated rules
and scope checks enabled which means scope + new defaults so
only system admin is able to perform hypervisors Operations.
"""
without_deprecated_rules = True
rules_without_deprecation = {
hv_policies.BASE_POLICY_NAME % 'list':
base_policy.SYSTEM_READER,
base_policy.ADMIN,
hv_policies.BASE_POLICY_NAME % 'list-detail':
base_policy.SYSTEM_READER,
base_policy.ADMIN,
hv_policies.BASE_POLICY_NAME % 'show':
base_policy.SYSTEM_READER,
base_policy.ADMIN,
hv_policies.BASE_POLICY_NAME % 'statistics':
base_policy.SYSTEM_READER,
base_policy.ADMIN,
hv_policies.BASE_POLICY_NAME % 'uptime':
base_policy.SYSTEM_READER,
base_policy.ADMIN,
hv_policies.BASE_POLICY_NAME % 'search':
base_policy.SYSTEM_READER,
base_policy.ADMIN,
hv_policies.BASE_POLICY_NAME % 'servers':
base_policy.SYSTEM_READER,
base_policy.ADMIN,
}
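Review bot: The rewritten tests no longer show that system_reader, system_member, project_member and the other non-admin contexts are denied, because every test in this hunk now passes only `self.system_admin_authorized_contexts` to `common_policy_auth` and the old `reader_unauthorized_contexts` list is gone. Presumably `common_policy_auth` derives the denied set as the complement over all contexts; a one-line comment in `HypervisorsPolicyTest.setUp` stating that, e.g. `# common_policy_auth asserts every context not listed here is denied`, would keep the negative coverage visible to whoever next changes these defaults. `rules_without_deprecation` in `HypervisorsScopeTypeNoLegacyPolicyTest` pins each rule to `base_policy.ADMIN`, which appears to match the new in-tree default, so a short comment saying the override exists only to drop the deprecated `admin_api` fallback would explain why it is still needed. `HypervisorsPolicyTest.setUp` begins before this hunk.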


@ -31,30 +31,12 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest):
self.controller = quota_classes.QuotaClassSetsController()
self.req = fakes.HTTPRequest.blank('')
# Check that admin is able to update quota class
self.admin_authorized_contexts = [
# With legacy rule and scope check disabled by default, system admin,
# legacy admin, and project admin will be able to get, update quota
# class.
self.system_admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context]
# Check that non-admin is not able to update quota class
self.admin_unauthorized_contexts = [
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_member_context,
self.other_project_reader_context,
]
# Check that system reader is able to get quota class
self.system_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.system_member_context,
self.system_reader_context]
# Check that non-system reader is not able to get quota class
self.system_reader_unauthorized_contexts = [
self.system_foo_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_member_context,
self.other_project_reader_context,
]
@mock.patch('nova.objects.Quotas.update_class')
def test_update_quota_class_sets_policy(self, mock_update):
@ -64,21 +46,30 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest):
'ram': 51200, 'floating_ips': -1,
'fixed_ips': -1, 'instances': 10,
'injected_files': 5, 'cores': 20}}
self.common_policy_check(self.admin_authorized_contexts,
self.admin_unauthorized_contexts,
rule_name,
self.controller.update,
self.req, 'test_class',
body=body)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name,
self.controller.update,
self.req, 'test_class',
body=body)
@mock.patch('nova.quota.QUOTAS.get_class_quotas')
def test_show_quota_class_sets_policy(self, mock_get):
rule_name = policies.POLICY_ROOT % 'show'
self.common_policy_check(self.system_reader_authorized_contexts,
self.system_reader_unauthorized_contexts,
rule_name,
self.controller.show,
self.req, 'test_class')
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name,
self.controller.show,
self.req, 'test_class')
class QuotaClassSetsNoLegacyNoScopePolicyTest(QuotaClassSetsPolicyTest):
"""Test QuotaClassSets APIs policies with no legacy deprecated rules
and no scope checks which means new defaults only. In this case
system admin, legacy admin, and project admin will be able to get
update quota class. Legacy admin will be allowed as policy
is just admin if no scope checks.
"""
without_deprecated_rules = True
class QuotaClassSetsScopeTypePolicyTest(QuotaClassSetsPolicyTest):
@ -94,38 +85,16 @@ class QuotaClassSetsScopeTypePolicyTest(QuotaClassSetsPolicyTest):
def setUp(self):
super(QuotaClassSetsScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Check that system admin is able to update and get quota class
self.admin_authorized_contexts = [
self.system_admin_context]
# Check that non-system/admin is not able to update and get quota class
self.admin_unauthorized_contexts = [
self.legacy_admin_context, self.system_member_context,
self.system_reader_context, self.project_admin_context,
self.system_foo_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_member_context,
self.other_project_reader_context,
]
# Check that system reader is able to get quota class
self.system_reader_authorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context]
# Check that non-system reader is not able to get quota class
self.system_reader_unauthorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.system_foo_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_member_context,
self.other_project_reader_context,
]
# With scope checks enable, only system admin is able to update
# and get quota class.
self.system_admin_authorized_contexts = [self.system_admin_context]
class QuotaClassSetsNoLegacyPolicyTest(QuotaClassSetsScopeTypePolicyTest):
"""Test Quota Class Sets APIs policies with system scope enabled,
and no more deprecated rules that allow the legacy admin API to
access system APIs.
class QuotaClassScopeTypeNoLegacyPolicyTest(QuotaClassSetsScopeTypePolicyTest):
"""Test QuotaClassSets APIs policies with no legacy deprecated rules
and scope checks enabled which means scope + new defaults so
only system admin is able to update and get quota class.
"""
without_deprecated_rules = True
def setUp(self):
super(QuotaClassSetsNoLegacyPolicyTest, self).setUp()
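Review bot: `test_show_quota_class_sets_policy` now checks the read-only `show` operation against the same `system_admin_authorized_contexts` as `update`, so system_member and system_reader tokens, which the removed `system_reader_authorized_contexts` list allowed, are now expected to be denied on a GET; that tightening deserves an explicit sentence in `QuotaClassSetsPolicyTest.setUp` rather than being implied by a shared list, e.g. `# show and update share one admin-only list: reader roles are no longer sufficient for GET`. The docstring of `QuotaClassSetsNoLegacyNoScopePolicyTest` reads `able to get update quota class`; `able to get and update quota class` is clearer. The trailing `def setUp` calling `super(QuotaClassSetsNoLegacyPolicyTest, self).setUp()` would raise NameError if it survived on the new side of the renamed class; it appears to be a removed line, but the markers are lost in this rendering so it is worth a glance.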


@ -14,9 +14,6 @@
import mock
from nova.api.openstack.compute import services as services_v21
from nova import exception
from nova.policies import base as base_policy
from nova.tests import fixtures
from nova.tests.unit.api.openstack import fakes
from nova.tests.unit.policies import base
@ -34,64 +31,36 @@ class ServicesPolicyTest(base.BasePolicyTest):
super(ServicesPolicyTest, self).setUp()
self.controller = services_v21.ServiceController()
self.req = fakes.HTTPRequest.blank('/services')
# Check that admin is able to change the service
self.admin_authorized_contexts = [
# With legacy rule and scope check disabled by default, system admin,
# legacy admin, and project admin will be able to perform Services
# Operations.
self.system_admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context]
# Check that non-admin is not able to change the service
self.admin_unauthorized_contexts = [
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.project_member_context,
self.other_project_member_context,
self.other_project_reader_context,
self.project_foo_context, self.project_reader_context
]
# Check that system scoped admin, member and reader are able to
# read the service data.
# NOTE(gmann): Until old default rule which is admin_api is
# deprecated and not removed, project admin and legacy admin
# will be able to read the service data. This make sure that existing
# tokens will keep working even we have changed this policy defaults
# to reader role.
self.reader_authorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context, self.legacy_admin_context,
self.project_admin_context]
# Check that non-system-reader are not able to read the service
# data
self.reader_unauthorized_contexts = [
self.system_foo_context, self.other_project_member_context,
self.project_foo_context, self.project_member_context,
self.project_reader_context,
self.other_project_reader_context,
]
def test_delete_service_policy(self):
rule_name = "os_compute_api:os-services:delete"
with mock.patch('nova.compute.api.HostAPI.service_get_by_id'):
self.common_policy_check(self.admin_authorized_contexts,
self.admin_unauthorized_contexts,
rule_name, self.controller.delete,
self.req, 1)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.delete,
self.req, 1)
def test_index_service_policy(self):
rule_name = "os_compute_api:os-services:list"
with mock.patch('nova.compute.api.HostAPI.service_get_all'):
self.common_policy_check(self.reader_authorized_contexts,
self.reader_unauthorized_contexts,
rule_name, self.controller.index,
self.req)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.index,
self.req)
def test_old_update_service_policy(self):
rule_name = "os_compute_api:os-services:update"
body = {'host': 'host1', 'binary': 'nova-compute'}
update = 'nova.compute.api.HostAPI.service_update_by_host_and_binary'
with mock.patch(update):
self.common_policy_check(self.admin_authorized_contexts,
self.admin_unauthorized_contexts,
rule_name, self.controller.update,
self.req, 'enable', body=body)
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.update,
self.req, 'enable', body=body)
def test_update_service_policy(self):
rule_name = "os_compute_api:os-services:update"
@ -100,11 +69,25 @@ class ServicesPolicyTest(base.BasePolicyTest):
service = self.start_service(
'compute', 'fake-compute-host').service_ref
with mock.patch('nova.compute.api.HostAPI.service_update'):
self.common_policy_check(self.admin_authorized_contexts,
self.admin_unauthorized_contexts,
rule_name, self.controller.update,
req, service.uuid,
body={'status': 'enabled'})
self.common_policy_auth(self.system_admin_authorized_contexts,
rule_name, self.controller.update,
req, service.uuid,
body={'status': 'enabled'})
class ServicesNoLegacyNoScopePolicyTest(ServicesPolicyTest):
"""Test Services APIs policies with no legacy deprecated rules
and no scope checks which means new defaults only. In this case
system admin, legacy admin, and project admin will be able to
perform Service Operations. Legacy admin will be allowed as policy
is just admin if no scope checks.
"""
without_deprecated_rules = True
def setUp(self):
super(ServicesNoLegacyNoScopePolicyTest, self).setUp()
class ServicesScopeTypePolicyTest(ServicesPolicyTest):
@ -122,80 +105,15 @@ class ServicesScopeTypePolicyTest(ServicesPolicyTest):
super(ServicesScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Check that system admin is able to change the service
self.admin_authorized_contexts = [
self.system_admin_context]
# Check that non-system or non-admin is not able to change the service
self.admin_unauthorized_contexts = [
self.legacy_admin_context, self.system_member_context,
self.system_reader_context, self.system_foo_context,
self.project_admin_context, self.project_member_context,
self.other_project_member_context,
self.other_project_reader_context,
self.project_foo_context, self.project_reader_context
]
# Check that system admin, member and reader are able to read the
# service data
self.reader_authorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context]
# Check that non-system or non-reader are not able to read the service
# data
self.reader_unauthorized_contexts = [
self.system_foo_context, self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.other_project_member_context,
self.other_project_reader_context,
self.project_foo_context, self.project_reader_context
]
# With scope checks enable, only system admin is able to perform
# Service Operations.
self.system_admin_authorized_contexts = [self.system_admin_context]
class ServicesDeprecatedPolicyTest(base.BasePolicyTest):
"""Test os-services APIs Deprecated policies.
This class checks if deprecated policy rules are
overridden by user on policy.yaml file then they
still work because oslo.policy add deprecated rules
in logical OR condition and enforce them for policy
checks if overridden.
class ServicesScopeTypeNoLegacyPolicyTest(ServicesScopeTypePolicyTest):
"""Test Services APIs policies with no legacy deprecated rules
and scope checks enabled which means scope + new defaults so
only system admin is able to perform Services Operations.
"""
def setUp(self):
super(ServicesDeprecatedPolicyTest, self).setUp()
self.controller = services_v21.ServiceController()
self.member_req = fakes.HTTPRequest.blank('')
self.member_req.environ['nova.context'] = self.system_reader_context
self.reader_req = fakes.HTTPRequest.blank('')
self.reader_req.environ['nova.context'] = self.project_reader_context
self.deprecated_policy = "os_compute_api:os-services"
# Overridde rule with different checks than defaults so that we can
# verify the rule overridden case.
override_rules = {self.deprecated_policy: base_policy.SYSTEM_READER}
# NOTE(gmann): Only override the deprecated rule in policy file so
# that
# we can verify if overridden checks are considered by oslo.policy.
# Oslo.policy will consider the overridden rules if:
# 1. overridden deprecated rule's checks are different than defaults
# 2. new rules are not present in policy file
self.policy = self.useFixture(fixtures.OverridePolicyFixture(
rules_in_file=override_rules))
def test_deprecated_policy_overridden_rule_is_checked(self):
# Test to verify if deprecatd overridden policy is working.
# check for success as member role. Deprecated rule
# has been overridden with member checks in policy.yaml
# If member role pass it means overridden rule is enforced by
# olso.policy because new default is system admin and the old
# default is admin.
with mock.patch('nova.compute.api.HostAPI.service_get_by_id'):
self.controller.index(self.member_req)
# check for failure with reader context.
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller.index, self.reader_req)
self.assertEqual(
"Policy doesn't allow os_compute_api:os-services:list to be"
" performed.",
exc.format_message())
without_deprecated_rules = True
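Review bot: `ServicesNoLegacyNoScopePolicyTest.setUp` only calls `super(ServicesNoLegacyNoScopePolicyTest, self).setUp()` and overrides nothing, so the two-line method can be dropped and the class left with just `without_deprecated_rules = True`, as `HypervisorsNoLegacyNoScopePolicyTest` and `QuotaClassSetsNoLegacyNoScopePolicyTest` do in this same change. Removing `ServicesDeprecatedPolicyTest` also removes the test that checked an operator's policy.yaml override of the deprecated `os_compute_api:os-services` rule is still honoured through oslo.policy's OR-with-deprecated-rule behaviour; if that deprecated rule is still registered, a sentence in the commit message or a pointer to where that coverage now lives would help reviewers confirm nothing is lost. The comment `With legacy rule and scope check disabled by default` in `ServicesPolicyTest.setUp` reads as if the legacy rule were disabled; `With the legacy rule kept and scope checks disabled (the defaults)` says what is meant.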