Browse Source

Merge "Introduce scope_types in os-instance-usage-audit-log"

tags/21.0.0.0rc1
Zuul 4 months ago
committed by Gerrit Code Review
parent
commit
7b51647f17
2 changed files with 21 additions and 7 deletions
  1. +8
    -7
      nova/policies/instance_usage_audit_log.py
  2. +13
    -0
      nova/tests/unit/policies/test_instance_usage_audit_log.py

+ 8
- 7
nova/policies/instance_usage_audit_log.py View File

@@ -23,12 +23,12 @@ BASE_POLICY_NAME = 'os_compute_api:os-instance-usage-audit-log'

instance_usage_audit_log_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"List all usage audits and that occurred before a specified time "
"for all servers on all compute hosts where usage auditing is "
"configured",
[
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API,
description="List all usage audits and that occurred before "
"a specified time for all servers on all compute hosts where "
"usage auditing is configured",
operations=[
{
'method': 'GET',
'path': '/os-instance_usage_audit_log'
@@ -37,7 +37,8 @@ instance_usage_audit_log_policies = [
'method': 'GET',
'path': '/os-instance_usage_audit_log/{before_timestamp}'
}
]),
],
scope_types=['system']),
]




+ 13
- 0
nova/tests/unit/policies/test_instance_usage_audit_log.py View File

@@ -75,3 +75,16 @@ class InstanceUsageScopeTypePolicyTest(InstanceUsageAuditLogPolicyTest):
def setUp(self):
super(InstanceUsageScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")

# Check that system admin is able to get instance usage audit log.
self.admin_authorized_contexts = [
self.system_admin_context]
# Check that non-system-admin is not able to get instance
# usage audit log.
self.admin_unauthorized_contexts = [
self.legacy_admin_context, self.system_member_context,
self.system_reader_context, self.project_admin_context,
self.system_foo_context, self.project_member_context,
self.other_project_member_context,
self.project_foo_context, self.project_reader_context
]

Loading…
Cancel
Save