Merge "Introduce scope_types in os-instance-usage-audit-log"
This commit is contained in:
commit
7b51647f17
|
@ -23,12 +23,12 @@ BASE_POLICY_NAME = 'os_compute_api:os-instance-usage-audit-log'
|
|||
|
||||
instance_usage_audit_log_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
BASE_POLICY_NAME,
|
||||
base.RULE_ADMIN_API,
|
||||
"List all usage audits and that occurred before a specified time "
|
||||
"for all servers on all compute hosts where usage auditing is "
|
||||
"configured",
|
||||
[
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="List all usage audits and that occurred before "
|
||||
"a specified time for all servers on all compute hosts where "
|
||||
"usage auditing is configured",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/os-instance_usage_audit_log'
|
||||
|
@ -37,7 +37,8 @@ instance_usage_audit_log_policies = [
|
|||
'method': 'GET',
|
||||
'path': '/os-instance_usage_audit_log/{before_timestamp}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -75,3 +75,16 @@ class InstanceUsageScopeTypePolicyTest(InstanceUsageAuditLogPolicyTest):
|
|||
def setUp(self):
|
||||
super(InstanceUsageScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
|
||||
# Check that system admin is able to get instance usage audit log.
|
||||
self.admin_authorized_contexts = [
|
||||
self.system_admin_context]
|
||||
# Check that non-system-admin is not able to get instance
|
||||
# usage audit log.
|
||||
self.admin_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
|
Loading…
Reference in New Issue