Browse Source

Merge "Add new default roles in server password policies"

tags/21.0.0.0rc1
Zuul 2 months ago
committed by Gerrit Code Review
parent
commit
86655fe07f
5 changed files with 106 additions and 18 deletions
  1. +2
    -2
      nova/api/openstack/compute/server_password.py
  2. +30
    -5
      nova/policies/server_password.py
  3. +2
    -1
      nova/tests/unit/fake_policy.py
  4. +70
    -9
      nova/tests/unit/policies/test_server_password.py
  5. +2
    -1
      nova/tests/unit/test_policy.py

+ 2
- 2
nova/api/openstack/compute/server_password.py View File

@@ -32,7 +32,7 @@ class ServerPasswordController(wsgi.Controller):
def index(self, req, server_id):
context = req.environ['nova.context']
instance = common.get_instance(self.compute_api, context, server_id)
context.can(sp_policies.BASE_POLICY_NAME,
context.can(sp_policies.BASE_POLICY_NAME % 'show',
target={'project_id': instance.project_id})

passw = password.extract_password(instance)
@@ -49,7 +49,7 @@ class ServerPasswordController(wsgi.Controller):

context = req.environ['nova.context']
instance = common.get_instance(self.compute_api, context, server_id)
context.can(sp_policies.BASE_POLICY_NAME,
context.can(sp_policies.BASE_POLICY_NAME % 'clear',
target={'project_id': instance.project_id})
meta = password.convert_password(context, None)
instance.system_metadata.update(meta)


+ 30
- 5
nova/policies/server_password.py View File

@@ -18,26 +18,51 @@ from oslo_policy import policy
from nova.policies import base


BASE_POLICY_NAME = 'os_compute_api:os-server-password'
BASE_POLICY_NAME = 'os_compute_api:os-server-password:%s'

DEPRECATED_POLICY = policy.DeprecatedRule(
'os_compute_api:os-server-password',
base.RULE_ADMIN_OR_OWNER,
)

DEPRECATED_REASON = """
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
"""


server_password_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER,
description="Show and clear the encrypted administrative "
name=BASE_POLICY_NAME % 'show',
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
description="Show the encrypted administrative "
"password of a server",
operations=[
{
'method': 'GET',
'path': '/servers/{server_id}/os-server-password'
},
],
scope_types=['system', 'project'],
deprecated_rule=DEPRECATED_POLICY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'clear',
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
description="Clear the encrypted administrative "
"password of a server",
operations=[
{
'method': 'DELETE',
'path': '/servers/{server_id}/os-server-password'
}
],
scope_types=['system', 'project']),
scope_types=['system', 'project'],
deprecated_rule=DEPRECATED_POLICY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'),
]




+ 2
- 1
nova/tests/unit/fake_policy.py View File

@@ -93,7 +93,8 @@ policy_data = """
"os_compute_api:os-security-groups:add": "",
"os_compute_api:os-security-groups:remove": "",
"os_compute_api:os-server-diagnostics": "",
"os_compute_api:os-server-password": "",
"os_compute_api:os-server-password:show": "",
"os_compute_api:os-server-password:clear": "",
"os_compute_api:os-server-tags:index": "",
"os_compute_api:os-server-tags:show": "",
"os_compute_api:os-server-tags:update": "",


+ 70
- 9
nova/tests/unit/policies/test_server_password.py View File

@@ -15,6 +15,7 @@ import mock
from oslo_utils.fixture import uuidsentinel as uuids

from nova.api.openstack.compute import server_password
from nova.policies import base as base_policy
from nova.policies import server_password as policies
from nova.tests.unit.api.openstack import fakes
from nova.tests.unit import fake_instance
@@ -41,32 +42,45 @@ class ServerPasswordPolicyTest(base.BasePolicyTest):
system_metadata={}, expected_attrs=['system_metadata'])
self.mock_get.return_value = self.instance

# Check that admin or and server owner is able to get
# and delete the server password.
# Check that admin or and server owner is able to
# delete the server password.
self.admin_or_owner_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
# Check that non-admin/owner is not able to get and delete
# Check that non-admin/owner is not able to delete
# the server password.
self.admin_or_owner_unauthorized_contexts = [
self.system_member_context, self.system_reader_context,
self.system_foo_context,
self.other_project_member_context
self.system_foo_context, self.other_project_member_context,
self.other_project_reader_context
]
# Check that admin or and server owner is able to get
# the server password.
self.reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.system_member_context, self.system_reader_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
# Check that non-admin/owner is not able to get
# the server password.
self.reader_unauthorized_contexts = [
self.system_foo_context, self.other_project_member_context,
self.other_project_reader_context
]

@mock.patch('nova.api.metadata.password.extract_password')
def test_index_server_password_policy(self, mock_pass):
rule_name = policies.BASE_POLICY_NAME
self.common_policy_check(self.admin_or_owner_authorized_contexts,
self.admin_or_owner_unauthorized_contexts,
rule_name = policies.BASE_POLICY_NAME % 'show'
self.common_policy_check(self.reader_authorized_contexts,
self.reader_unauthorized_contexts,
rule_name,
self.controller.index,
self.req, self.instance.uuid)

@mock.patch('nova.api.metadata.password.convert_password')
def test_clear_server_password_policy(self, mock_pass):
rule_name = policies.BASE_POLICY_NAME
rule_name = policies.BASE_POLICY_NAME % 'clear'
self.common_policy_check(self.admin_or_owner_authorized_contexts,
self.admin_or_owner_unauthorized_contexts,
rule_name,
@@ -87,3 +101,50 @@ class ServerPasswordScopeTypePolicyTest(ServerPasswordPolicyTest):
def setUp(self):
super(ServerPasswordScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")


class ServerPasswordNoLegacyPolicyTest(ServerPasswordScopeTypePolicyTest):
"""Test Server Password APIs policies with system scope enabled,
and no more deprecated rules that allow the legacy admin API to
access system_admin_or_owner APIs.
"""
without_deprecated_rules = True
rules_without_deprecation = {
policies.BASE_POLICY_NAME % 'show':
base_policy.PROJECT_READER_OR_SYSTEM_READER,
policies.BASE_POLICY_NAME % 'clear':
base_policy.PROJECT_MEMBER_OR_SYSTEM_ADMIN}

def setUp(self):
super(ServerPasswordNoLegacyPolicyTest, self).setUp()

# Check that system or projct admin or owner is able to clear
# server password.
self.admin_or_owner_authorized_contexts = [
self.system_admin_context,
self.project_admin_context, self.project_member_context]
# Check that non-system and non-admin/owner is not able to clear
# server password.
self.admin_or_owner_unauthorized_contexts = [
self.legacy_admin_context, self.project_reader_context,
self.project_foo_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.other_project_member_context,
self.other_project_reader_context]

# Check that system reader or projct owner is able to get
# server password.
self.reader_authorized_contexts = [
self.system_admin_context,
self.project_admin_context, self.system_member_context,
self.system_reader_context, self.project_reader_context,
self.project_member_context,
]

# Check that non-system reader nd non-admin/owner is not able to get
# server password.
self.reader_unauthorized_contexts = [
self.legacy_admin_context, self.project_foo_context,
self.system_foo_context, self.other_project_member_context,
self.other_project_reader_context
]

+ 2
- 1
nova/tests/unit/test_policy.py View File

@@ -429,7 +429,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-security-groups",
"os_compute_api:os-security-groups:add",
"os_compute_api:os-security-groups:remove",
"os_compute_api:os-server-password",
"os_compute_api:os-server-password:clear",
"os_compute_api:os-server-tags:delete",
"os_compute_api:os-server-tags:delete_all",
"os_compute_api:os-server-tags:update",
@@ -479,6 +479,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-attach-interfaces:show",
"os_compute_api:os-instance-actions:list",
"os_compute_api:os-instance-actions:show",
"os_compute_api:os-server-password:show",
"os_compute_api:os-server-tags:index",
"os_compute_api:os-server-tags:show",
)


Loading…
Cancel
Save