diff --git a/nova/policies/hosts.py b/nova/policies/hosts.py
index 53467dadefa0..191d0c088224 100644
--- a/nova/policies/hosts.py
+++ b/nova/policies/hosts.py
@@ -23,12 +23,12 @@ BASE_POLICY_NAME = 'os_compute_api:os-hosts'
 hosts_policies = [
 policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_API,
- """List, show and manage physical hosts.
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API,
+ description="""List, show and manage physical hosts.
 These APIs are all deprecated in favor of os-hypervisors and os-services.""",
- [
+ operations=[
 {
 'method': 'GET',
 'path': '/os-hosts'
@@ -53,7 +53,8 @@ These APIs are all deprecated in favor of os-hypervisors and os-services.""",
 'method': 'GET',
 'path': '/os-hosts/{host_name}/startup'
 }
- ]),
+ ],
+ scope_types=['system']),
 ]
diff --git a/nova/tests/unit/policies/test_hosts.py b/nova/tests/unit/policies/test_hosts.py
index 2973588b3255..f2e4c1c4eda6 100644
--- a/nova/tests/unit/policies/test_hosts.py
+++ b/nova/tests/unit/policies/test_hosts.py
@@ -108,3 +108,15 @@ class HostsScopeTypePolicyTest(HostsPolicyTest):
 def setUp(self):
 super(HostsScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
+
+ # Check that system admin is able to perform operations on hosts.
+ self.admin_authorized_contexts = [
+ self.system_admin_context]
+ # Check that system non-admin is not able to perform operations
+ # on hosts.
+ self.admin_unauthorized_contexts = [
+ self.legacy_admin_context, self.project_admin_context,
+ self.system_member_context, self.system_reader_context,
+ self.system_foo_context, self.other_project_member_context,
+ self.project_foo_context, self.project_member_context,
+ self.project_reader_context, self.other_project_reader_context]
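Review bot: The added `scope_types=['system']` is the only line in this hunk that changes who can reach the os-hosts rule, yet nothing records why the scope is system-only, and `check_str` still carries `base.RULE_ADMIN_API`, which as far as this hunk shows does not itself look at token scope. A one-line comment above the rule would help operators reading the generated sample policy, e.g. `# os-hosts acts on whole compute hosts rather than on project-owned resources, so only system-scoped tokens make sense here.`. Bear in mind that while `enforce_scope` stays at its default (off) oslo.policy only warns on a scope mismatch, so a project-scoped token holding the admin role still satisfies this rule until operators opt in; the accompanying test in test_hosts.py covers only the opted-in case. The `hosts_policies` list and the `DocumentedRuleDefault` call begin in the earlier hunk, outside this one.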
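Review bot: The comment `# Check that system non-admin is not able to perform operations on hosts.` understates the list it introduces: `legacy_admin_context` and `project_admin_context` do hold the admin role and are expected to be rejected only because `enforce_scope=True` is set two lines above, not because they fail the role check. Suggest `# Project-scoped contexts (admins included) fail the scope check; system non-admins fail the role check.` so that a later change to the enforce_scope flag is understood to invalidate these expectations. These assignments also run after `super().setUp()` and presumably override contexts set by `HostsPolicyTest.setUp`; a short comment saying so would save the next reader a lookup. The `setUp` body may continue past the end of the hunk.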