Keep legacy admin behaviour in new RBAC

While discussing the new RBAC (scope_type and project admin vs
system admin things) with operators in berlin ops meetup and
via emails, and policy popup meetings, we got the feedback that
we need to keep the legacy admin behaviour same as it is otherwise
it is going to be a big breaking change for many of the operators.
Same feedback for scope_type.

- https://etherpad.opendev.org/p/BER-2022-OPS-SRBAC
- https://etherpad.opendev.org/p/rbac-operator-feedback

By considering the feedback, we decided to postpone the
system scope implementation, release project reader
role and not to change the legacy admin behaviour.

To keep the legacy admin behaviour unchanged, we need to
modify our new policy defaults so that the legacy admin continues
to have access to the APIs it could access under the
old RBAC. Basically, the changes are:

- PROJECT_ADMIN -> ADMIN (legacy admin who can do things in all projects)
- PROJECT_MEMBER -> PROJECT_MEMBER_OR_ADMIN (give access to legacy admin too)
- PROJECT_READER -> PROJECT_READER_OR_ADMIN (give access to legacy admin too)

Complete direction on RBAC is updated in community wide goal
- https://review.opendev.org/c/openstack/governance/+/847418/13

Change-Id: I37e706f75a36fb27da1bdd5fba671cb1bcadc745
Ghanshyam Mann 2022-07-09 19:30:38 -05:00 committed by Ghanshyam
parent 066e1e69d1
commit 909b0b0247
74 changed files with 488 additions and 628 deletions


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-admin-actions:%s'
admin_actions_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'reset_state',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Reset the state of a given server",
operations=[
{
@ -35,7 +35,7 @@ admin_actions_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'inject_network_info',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Inject network information into the server",
operations=[
{


@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-admin-password'
admin_password_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Change the administrative password for a server",
operations=[
{


@ -29,7 +29,7 @@ assisted_volume_snapshots_policies = [
# can call it with user having 'service' role (not having
# correct project_id). That is for phase-2 of RBAC goal and until
# then, we keep it open for all admin in any project. We cannot
# default it to PROJECT_ADMIN which has the project_id in
# default it to ADMIN which has the project_id in
# check_str and will fail if cinder call it with other project_id.
check_str=base.ADMIN,
description="Create an assisted volume snapshot",
@ -47,7 +47,7 @@ assisted_volume_snapshots_policies = [
# can call it with user having 'service' role (not having
# correct project_id). That is for phase-2 of RBAC goal and until
# then, we keep it open for all admin in any project. We cannot
# default it to PROJECT_ADMIN which has the project_id in
# default it to ADMIN which has the project_id in
# check_str and will fail if cinder call it with other project_id.
check_str=base.ADMIN,
description="Delete an assisted volume snapshot",
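Review bot: The reworded comment now contradicts the line it explains: `# default it to ADMIN which has the project_id in` is followed two lines later by `check_str=base.ADMIN`, and in this commit `ADMIN` is `rule:context_is_admin`, which has no `project_id` in its check string. The original sentence was justifying why the project-scoped `PROJECT_ADMIN` (`role:admin and project_id:%(project_id)s`) could not be used here; since that rule no longer exists, the justification should be rewritten rather than mechanically renamed, e.g. `# then, we keep it open to any admin: ADMIN has no project_id in its` / `# check_str, so cinder can call it from a different project.` The same mechanical rewrite appears in the second hunk of this file and in the server external events hunk.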


@ -37,7 +37,7 @@ DEPRECATED_INTERFACES_POLICY = policy.DeprecatedRule(
attach_interfaces_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'list',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="List port interfaces attached to a server",
operations=[
{
@ -49,7 +49,7 @@ attach_interfaces_policies = [
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show details of a port interface attached to a server",
operations=[
{
@ -61,7 +61,7 @@ attach_interfaces_policies = [
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Attach an interface to a server",
operations=[
{
@ -73,7 +73,7 @@ attach_interfaces_policies = [
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Detach an interface from a server",
operations=[
{


@ -36,28 +36,26 @@ DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'
)
PROJECT_ADMIN = 'rule:project_admin_api'
ADMIN = 'rule:context_is_admin'
PROJECT_MEMBER = 'rule:project_member_api'
PROJECT_READER = 'rule:project_reader_api'
PROJECT_MEMBER_OR_ADMIN = 'rule:project_member_or_admin'
PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin'
ADMIN = 'rule:context_is_admin'
# NOTE(gmann): Below is the mapping of new roles and scope_types
# with legacy roles::
# NOTE(gmann): Below is the mapping of new roles with legacy roles::
# Legacy Rule | New Rules |Operation |scope_type|
# -------------------+---------------------+----------------+-----------
# |-> ADMIN |Global resource | [system]
# RULE_ADMIN_API | |Write & Read |
# |-> PROJECT_ADMIN |Project resource| [project]
# | |Write |
# ----------------------------------------------------------------------
# |-> PROJECT_ADMIN |Project resource| [project]
# | |Write |
# |-> PROJECT_MEMBER |Project resource| [project]
# RULE_ADMIN_OR_OWNER| |Write |
# |-> PROJECT_READER |Project resource| [project]
# | |Read |
# Legacy Rule | New Rules |Operation |scope_type|
# -------------------+---------------------------+----------------+-----------
# RULE_ADMIN_API |-> ADMIN |Global resource | [project]
# | |Write & Read |
# -------------------+---------------------------+----------------+-----------
# |-> ADMIN |Project admin | [project]
# | |level operation |
# RULE_ADMIN_OR_OWNER|-> PROJECT_MEMBER_OR_ADMIN |Project resource| [project]
# | |Write |
# |-> PROJECT_READER_OR_ADMIN |Project resource| [project]
# | |Read |
# NOTE(johngarbutt) The base rules here affect so many APIs the list
# of related API operations has not been populated. It would be
@ -91,11 +89,6 @@ rules = [
deprecated_for_removal=True,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'),
policy.RuleDefault(
"project_admin_api",
"role:admin and project_id:%(project_id)s",
"Default rule for Project level admin APIs.",
deprecated_rule=DEPRECATED_ADMIN_POLICY),
policy.RuleDefault(
"project_member_api",
"role:member and project_id:%(project_id)s",
@ -106,10 +99,15 @@ rules = [
"role:reader and project_id:%(project_id)s",
"Default rule for Project level read only APIs.",
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
policy.RuleDefault(
"project_member_or_admin",
"rule:project_member_api or rule:context_is_admin",
"Default rule for Project Member or admin APIs.",
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
policy.RuleDefault(
"project_reader_or_admin",
"rule:project_reader_api or rule:context_is_admin",
"Default rule for Project reader and admin APIs.",
"Default rule for Project reader or admin APIs.",
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY)
]
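Review bot: The `project_admin_api` rule default is deleted outright in the second hunk rather than deprecated, while `project_member_or_admin` and `project_reader_or_admin` are introduced with a `deprecated_rule` mapping. An operator policy file that references `rule:project_admin_api` in its own overrides would, as far as I can tell from oslo.policy's handling of unknown rule references, evaluate to a deny rather than fail loudly, which is the kind of silent behaviour change this commit is trying to avoid; the commit message also does not mention the removal. Consider keeping `project_admin_api` as a deprecated `RuleDefault` for one cycle, or at least calling out the removal in a release note so operators can grep their policy files. The mapping table in the first hunk is otherwise consistent with the new constants, and the description fix to `"... Project reader or admin APIs."` reads correctly.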


@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-auth-tokens'
console_auth_tokens_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Show console connection information for a given console "
"authentication token",
operations=[


@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-output'
console_output_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description='Show console output for a server',
operations=[
{


@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-create-backup'
create_backup_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description='Create a back up of a server',
operations=[
{


@ -36,7 +36,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
deferred_delete_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'restore',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Restore a soft deleted server",
operations=[
{
@ -48,7 +48,7 @@ deferred_delete_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'force',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Force delete a server before deferred cleanup",
operations=[
{


@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-evacuate'
evacuate_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Evacuate a server from a failed host to a new host",
operations=[
{


@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-extended-server-attributes'
extended_server_attributes_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="""Return extended attributes for server.
This rule will control the visibility for a set of servers attributes:


@ -38,7 +38,7 @@ DEPRECATED_FIP_POLICY = policy.DeprecatedRule(
floating_ips_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'add',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Associate floating IPs to server. "
" This API is deprecated.",
operations=[
@ -51,7 +51,7 @@ floating_ips_policies = [
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'remove',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Disassociate floating IPs to server. "
" This API is deprecated.",
operations=[
@ -64,7 +64,7 @@ floating_ips_policies = [
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="List floating IPs. This API is deprecated.",
operations=[
{
@ -76,7 +76,7 @@ floating_ips_policies = [
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'create',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create floating IPs. This API is deprecated.",
operations=[
{
@ -88,7 +88,7 @@ floating_ips_policies = [
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show floating IPs. This API is deprecated.",
operations=[
{
@ -100,7 +100,7 @@ floating_ips_policies = [
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'delete',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete floating IPs. This API is deprecated.",
operations=[
{


@ -38,7 +38,7 @@ DEPRECATED_INSTANCE_ACTION_POLICY = policy.DeprecatedRule(
instance_actions_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'events:details',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="""Add "details" key in action events for a server.
This check is performed only after the check
@ -59,7 +59,7 @@ but in the other hand it might leak information about the deployment
scope_types=['project']),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'events',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="""Add events details in action details for a server.
This check is performed only after the check
os_compute_api:os-instance-actions:show passes. Beginning with Microversion
@ -76,7 +76,7 @@ passes, the name of the host.""",
scope_types=['project']),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="""List actions for a server.""",
operations=[
{
@ -88,7 +88,7 @@ passes, the name of the host.""",
deprecated_rule=DEPRECATED_INSTANCE_ACTION_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="""Show action details for a server.""",
operations=[
{


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:ips:%s'
ips_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show IP addresses details for a network label of a "
" server",
operations=[
@ -36,7 +36,7 @@ ips_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="List IP addresses that are assigned to a server",
operations=[
{


@ -49,7 +49,7 @@ limits_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=OTHER_PROJECT_LIMIT_POLICY_NAME,
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="""Show rate and absolute limits of other project.
This policy only checks if the user has access to the requested


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-lock-server:%s'
lock_server_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'lock',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Lock a server",
operations=[
{
@ -36,7 +36,7 @@ lock_server_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'unlock',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Unlock a server",
operations=[
{
@ -48,7 +48,7 @@ lock_server_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'unlock:unlock_override',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="""Unlock a server, regardless who locked the server.
This check is performed only after the check


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-migrate-server:%s'
migrate_server_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'migrate',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Cold migrate a server to a host",
operations=[
{
@ -35,7 +35,7 @@ migrate_server_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'migrate_live',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Live migrate a server to a new host without a reboot",
operations=[
{


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-migrations:%s'
migrations_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="List migrations",
operations=[
{


@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
multinic_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'add',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Add a fixed IP address to a server.
This API is proxy calls to the Network service. This is
@ -53,7 +53,7 @@ deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'remove',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Remove a fixed IP address from a server.
This API is proxy calls to the Network service. This is


@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
networks_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'list',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="""List networks for the project.
This API is proxy calls to the Network service. This is deprecated.""",
@ -52,7 +52,7 @@ This API is proxy calls to the Network service. This is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="""Show network details.
This API is proxy calls to the Network service. This is deprecated.""",


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-pause-server:%s'
pause_server_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'pause',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Pause a server",
operations=[
{
@ -36,7 +36,7 @@ pause_server_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'unpause',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Unpause a paused server",
operations=[
{


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-sets:%s'
quota_sets_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Update the quotas",
operations=[
{
@ -46,13 +46,7 @@ quota_sets_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
# TODO(gmann): Until we have domain admin or so to get other project's
# data, allow admin role(with scope check it will be project admin) to
# get other project quota. We cannot use PROJECT_ADMIN here as
# project_id passed in request url is used as policy targets which
# would not match with context's project_id fetched for rule
# PROJECT_ADMIN check.
check_str='(' + base.PROJECT_READER + ') or role:admin',
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show a quota",
operations=[
{
@ -63,7 +57,7 @@ quota_sets_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Revert quotas to defaults",
operations=[
{
@ -77,7 +71,7 @@ quota_sets_policies = [
# TODO(gmann): Until we have domain admin or so to get other project's
# data, allow admin role(with scope check it will be project admin) to
# get other project quota.
check_str='(' + base.PROJECT_READER + ') or role:admin',
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show the detail of quota",
operations=[
{
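Review bot: The `show` hunk removes its TODO comment when switching to `PROJECT_READER_OR_ADMIN`, but the parallel `detail` hunk keeps `# data, allow admin role(with scope check it will be project admin) to`, which is now stale: the admin leg of the new rule is `rule:context_is_admin`, which carries no project_id, so it is not a project admin under any scope check. Either drop the TODO as was done for `show`, or reword it to `# TODO(gmann): Until we have domain admin or so, allow any admin to get` / `# other project's quota.` Note also that the old check string ended in `or role:admin` whereas the new one delegates to `context_is_admin`; these are equivalent only if that rule is defined as plain `role:admin`, which is not visible in this diff.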


@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-remote-consoles'
remote_consoles_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Generate a URL to access remove server console.
This policy is for ``POST /remote-consoles`` API and below Server actions APIs


@ -37,7 +37,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
rescue_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Rescue a server",
operations=[
{
@ -48,7 +48,7 @@ rescue_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=UNRESCUE_POLICY_NAME,
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Unrescue a server",
operations=[
{


@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
security_groups_policies = [
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'get',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="List security groups. This API is deprecated.",
operations=[
{
@ -50,7 +50,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show security group. This API is deprecated.",
operations=[
{
@ -62,7 +62,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'create',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create security group. This API is deprecated.",
operations=[
{
@ -74,7 +74,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'update',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Update security group. This API is deprecated.",
operations=[
{
@ -86,7 +86,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'delete',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete security group. This API is deprecated.",
operations=[
{
@ -98,7 +98,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'rule:create',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create security group Rule. This API is deprecated.",
operations=[
{
@ -110,7 +110,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'rule:delete',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete security group Rule. This API is deprecated.",
operations=[
{
@ -122,7 +122,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'list',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="List security groups of server.",
operations=[
{
@ -134,7 +134,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'add',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Add security groups to server.",
operations=[
{
@ -146,7 +146,7 @@ security_groups_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'remove',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Remove security groups from server.",
operations=[
{


@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-server-diagnostics'
server_diagnostics_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Show the usage data for a server",
operations=[
{


@ -30,7 +30,7 @@ server_external_events_policies = [
# neutron can call it with user having 'service' role (not having
# server's project_id). That is for phase-2 of RBAC goal and until
# then, we keep it open for all admin in any project. We cannot
# default it to PROJECT_ADMIN which has the project_id in
# default it to ADMIN which has the project_id in
# check_str and will fail if neutron call it with other project_id.
check_str=base.ADMIN,
description="Create one or more external events",


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-server-groups:%s'
server_groups_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create a new server group",
operations=[
{
@ -36,7 +36,7 @@ server_groups_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete a server group",
operations=[
{
@ -48,7 +48,7 @@ server_groups_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="List all server groups",
operations=[
{
@ -60,7 +60,7 @@ server_groups_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index:all_projects',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="List all server groups for all projects",
operations=[
{
@ -72,7 +72,7 @@ server_groups_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show details of a server group",
operations=[
{


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:server-metadata:%s'
server_metadata_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="List all metadata of a server",
operations=[
{
@ -36,7 +36,7 @@ server_metadata_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show metadata for a server",
operations=[
{
@ -48,7 +48,7 @@ server_metadata_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create metadata for a server",
operations=[
{
@ -60,7 +60,7 @@ server_metadata_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update_all',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Replace metadata for a server",
operations=[
{
@ -72,7 +72,7 @@ server_metadata_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Update metadata from a server",
operations=[
{
@ -84,7 +84,7 @@ server_metadata_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete metadata from a server",
operations=[
{


@ -37,7 +37,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
server_password_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show the encrypted administrative "
"password of a server",
operations=[
@ -50,7 +50,7 @@ server_password_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'clear',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Clear the encrypted administrative "
"password of a server",
operations=[


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-server-tags:%s'
server_tags_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete_all',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete all the server tags",
operations=[
{
@ -35,7 +35,7 @@ server_tags_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="List all tags for given server",
operations=[
{
@ -46,7 +46,7 @@ server_tags_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update_all',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Replace all tags on specified server with the new set "
"of tags.",
operations=[
@ -59,7 +59,7 @@ server_tags_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete a single tag from the specified server",
operations=[
{
@ -71,7 +71,7 @@ server_tags_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Add a single tag to the server if server has no "
"specified tag",
operations=[
@ -84,7 +84,7 @@ server_tags_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Check tag existence on the server.",
operations=[
{


@ -21,7 +21,7 @@ BASE_POLICY_NAME = 'compute:server:topology:%s'
server_topology_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'index',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show the NUMA topology data for a server",
operations=[
{
@ -33,7 +33,7 @@ server_topology_policies = [
policy.DocumentedRuleDefault(
# Control host NUMA node and cpu pinning information
name=BASE_POLICY_NAME % 'host:index',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Show the NUMA topology data for a server with host "
"NUMA ID and CPU pinning information",
operations=[


@ -36,7 +36,7 @@ not for list extra specs and showing it in flavor API response.
rules = [
policy.DocumentedRuleDefault(
name=SERVERS % 'index',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="List all servers",
operations=[
{
@ -47,7 +47,7 @@ rules = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'detail',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="List all servers with detailed information",
operations=[
{
@ -58,7 +58,7 @@ rules = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'index:get_all_tenants',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="List all servers for all projects",
operations=[
{
@ -70,7 +70,7 @@ rules = [
policy.DocumentedRuleDefault(
name=SERVERS % 'detail:get_all_tenants',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="List all servers with detailed information for "
" all projects",
operations=[
@ -82,7 +82,7 @@ rules = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'allow_all_filters',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Allow all filters when listing servers",
operations=[
{
@ -97,7 +97,7 @@ rules = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show a server",
operations=[
{
@ -108,7 +108,7 @@ rules = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'show:flavor-extra-specs',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Starting with microversion 2.47, the flavor and its "
"extra specs used for a server is also returned in the response "
"when showing server details, updating a server or rebuilding a "
@ -140,7 +140,7 @@ rules = [
# should do that by default.
policy.DocumentedRuleDefault(
name=SERVERS % 'show:host_status',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="""
Show a server with additional host status information.
@ -174,7 +174,7 @@ API responses which are also controlled by this policy rule, like the
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'show:host_status:unknown-only',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="""
Show a server with additional host status information, only if host status is
UNKNOWN.
@ -207,7 +207,7 @@ allow everyone.
scope_types=['project'],),
policy.DocumentedRuleDefault(
name=SERVERS % 'create',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create a server",
operations=[
{
@ -218,7 +218,7 @@ allow everyone.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create:forced_host',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="""
Create a server on the specified host and/or node.
@ -235,7 +235,7 @@ host and/or node by bypassing the scheduler filters unlike the
scope_types=['project']),
policy.DocumentedRuleDefault(
name=REQUESTED_DESTINATION,
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="""
Create a server on the requested compute service host and/or
hypervisor_hostname.
@ -253,7 +253,7 @@ validated by the scheduler filters unlike the
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create:attach_volume',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create a server with the requested volume attached to it",
operations=[
{
@ -264,7 +264,7 @@ validated by the scheduler filters unlike the
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create:attach_network',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create a server with the requested network attached "
" to it",
operations=[
@ -276,7 +276,7 @@ validated by the scheduler filters unlike the
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create:trusted_certs',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create a server with trusted image certificate IDs",
operations=[
{
@ -287,7 +287,7 @@ validated by the scheduler filters unlike the
scope_types=['project']),
policy.DocumentedRuleDefault(
name=ZERO_DISK_FLAVOR,
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="""
This rule controls the compute API validation behavior of creating a server
with a flavor that has 0 disk, indicating the server should be volume-backed.
@ -312,7 +312,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=NETWORK_ATTACH_EXTERNAL,
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Attach an unshared external network to a server",
operations=[
# Create a server with a requested network or port.
@ -329,7 +329,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'delete',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Delete a server",
operations=[
{
@ -340,7 +340,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'update',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Update a server",
operations=[
{
@ -351,7 +351,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'confirm_resize',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Confirm a server resize",
operations=[
{
@ -362,7 +362,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'revert_resize',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Revert a server resize",
operations=[
{
@ -373,7 +373,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'reboot',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Reboot a server",
operations=[
{
@ -384,7 +384,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'resize',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Resize a server",
operations=[
{
@ -410,7 +410,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'rebuild',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Rebuild a server",
operations=[
{
@ -421,7 +421,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'rebuild:trusted_certs',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Rebuild a server with trusted image certificate IDs",
operations=[
{
@ -432,7 +432,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create_image',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create an image from a server",
operations=[
{
@ -443,7 +443,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create_image:allow_volume_backed',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Create an image from a volume backed server",
operations=[
{
@ -454,7 +454,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'start',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Start a server",
operations=[
{
@ -465,7 +465,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'stop',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Stop a server",
operations=[
{
@ -476,7 +476,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'trigger_crash_dump',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Trigger crash dump in a server",
operations=[
{


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:servers:migrations:%s'
servers_migrations_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Show details for an in-progress live migration for a "
"given server",
operations=[
@ -36,7 +36,7 @@ servers_migrations_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'force_complete',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Force an in-progress live migration for a given server "
"to complete",
operations=[
@ -49,7 +49,7 @@ servers_migrations_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Delete(Abort) an in-progress live migration",
operations=[
{
@ -60,7 +60,7 @@ servers_migrations_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Lists in-progress live migrations for a given server",
operations=[
{


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-shelve:%s'
shelve_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'shelve',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Shelve server",
operations=[
{
@ -35,7 +35,7 @@ shelve_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'unshelve',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Unshelve (restore) shelved server",
operations=[
{
@ -46,7 +46,7 @@ shelve_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'unshelve_to_host',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Unshelve (restore) shelve offloaded server to a "
"specific host",
operations=[
@ -58,7 +58,7 @@ shelve_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'shelve_offload',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="Shelf-offload (remove) server",
operations=[
{


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-simple-tenant-usage:%s'
simple_tenant_usage_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show usage statistics for a specific tenant",
operations=[
{
@ -35,7 +35,7 @@ simple_tenant_usage_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'list',
check_str=base.PROJECT_ADMIN,
check_str=base.ADMIN,
description="List per tenant usage statistics for all tenants",
operations=[
{


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-suspend-server:%s'
suspend_server_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'resume',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Resume suspended server",
operations=[
{
@ -35,7 +35,7 @@ suspend_server_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'suspend',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Suspend server",
operations=[
{


@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
volumes_policies = [
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'list',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="""List volumes.
This API is a proxy call to the Volume service. It is deprecated.""",
@ -52,7 +52,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'create',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Create volume.
This API is a proxy call to the Volume service. It is deprecated.""",
@ -66,7 +66,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'detail',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="""List volumes detail.
This API is a proxy call to the Volume service. It is deprecated.""",
@ -80,7 +80,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="""Show volume.
This API is a proxy call to the Volume service. It is deprecated.""",
@ -94,7 +94,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'delete',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Delete volume.
This API is a proxy call to the Volume service. It is deprecated.""",
@ -108,7 +108,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:list',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="""List snapshots.
This API is a proxy call to the Volume service. It is deprecated.""",
@ -122,7 +122,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:create',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Create snapshots.
This API is a proxy call to the Volume service. It is deprecated.""",
@ -136,7 +136,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:detail',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="""List snapshots details.
This API is a proxy call to the Volume service. It is deprecated.""",
@ -150,7 +150,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="""Show snapshot.
This API is a proxy call to the Volume service. It is deprecated.""",
@ -164,7 +164,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:delete',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Delete snapshot.
This API is a proxy call to the Volume service. It is deprecated.""",


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-volumes-attachments:%s'
volumes_attachments_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="List volume attachments for an instance",
operations=[
{'method': 'GET',
@ -34,7 +34,7 @@ volumes_attachments_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Attach a volume to an instance",
operations=[
{
@ -45,7 +45,7 @@ volumes_attachments_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show details of a volume attachment",
operations=[
{
@ -57,7 +57,7 @@ volumes_attachments_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="""Update a volume attachment.
New 'update' policy about 'swap + update' request (which is possible
only >2.85) only <swap policy> is checked. We expect <swap policy> to be
@ -78,7 +78,7 @@ always superset of this policy permission.
# can call it with user having 'service' role (not having server's
# project_id). That is for phase-2 of RBAC goal and until then,
# we keep it open for all admin in any project. We cannot default it to
# PROJECT_ADMIN which has the project_id in check_str and will fail
# ADMIN which has the project_id in check_str and will fail
# if cinder call it with other project_id.
check_str=base.ADMIN,
description="Update a volume attachment with a different volumeId",
@ -92,7 +92,7 @@ always superset of this policy permission.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Detach a volume from an instance",
operations=[
{
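Review bot: The comment kept above `check_str=base.ADMIN` for the swap rule now says "We cannot default it to ADMIN which has the project_id in check_str and will fail if cinder call it with other project_id", immediately followed by `check_str=base.ADMIN` — the mechanical PROJECT_ADMIN→ADMIN rename turned the justification into a contradiction. Per the commit message ADMIN is now the legacy-admin rule without a project_id match, so the caveat no longer names a rule that exists; since this comment is the only record of why the swap rule is deliberately wider than the other attachment rules, it should be corrected rather than left misleading. Suggest replacing the two lines with `# ADMIN (legacy admin, no project_id match) rather than a project-scoped` / `# rule, which would fail when cinder calls with a different project_id.` The rule definition this comment belongs to begins before the hunk; I inferred its purpose from the description line that follows.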


@ -129,7 +129,7 @@ class TestPolicyCheck(test.NoDBTestCase):
def test_filter_rules_non_admin(self):
context = nova_context.RequestContext()
rule_conditions = [base_policies.PROJECT_READER]
rule_conditions = [base_policies.PROJECT_READER_OR_ADMIN]
expected_rules = [r.name for r in ia_policies.list_rules() if
r.check_str in rule_conditions]
self._check_filter_rules(context, expected_rules=expected_rules)
@ -156,7 +156,7 @@ class TestPolicyCheck(test.NoDBTestCase):
db_context = nova_context.RequestContext(user_id='fake-user',
project_id='fake-project')
instance = fake_instance.fake_instance_obj(db_context)
rule_conditions = [base_policies.PROJECT_READER]
rule_conditions = [base_policies.PROJECT_READER_OR_ADMIN]
expected_rules = [r.name for r in ia_policies.list_rules() if
r.check_str in rule_conditions]
self._check_filter_rules(db_context, instance, expected_rules)


@ -134,6 +134,44 @@ class BasePolicyTest(test.TestCase):
self.system_admin_context, self.system_foo_context,
self.system_member_context, self.system_reader_context,
])
# A few commmon set of contexts to be used in tests
#
# With scope disable and no legacy rule, any admin,
# project members have access. No other role in that project
# will have access.
self.project_member_or_admin_with_no_scope_no_legacy = set([
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
])
# With scope enable and legacy rule, only project scoped admin
# and any role in that project will have access.
self.project_m_r_or_admin_with_scope_and_legacy = set([
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context
])
# With scope enable and no legacy rule, only project scoped admin
# and project members have access. No other role in that project
# or system scoped token will have access.
self.project_member_or_admin_with_scope_no_legacy = set([
self.legacy_admin_context, self.project_admin_context,
self.project_member_context
])
# With scope disable and no legacy rule, any admin,
# project members, and project reader have access. No other
# role in that project will have access.
self.project_reader_or_admin_with_no_scope_no_legacy = set([
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context
])
# With scope enable and no legacy rule, only project scoped admin,
# project members, and project reader have access. No other role
# in that project or system scoped token will have access.
self.project_reader_or_admin_with_scope_no_legacy = set([
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context
])
if self.without_deprecated_rules:
# To simulate the new world, remove deprecations by overriding
@ -149,6 +187,10 @@ class BasePolicyTest(test.TestCase):
"role:member and project_id:%(project_id)s",
"project_reader_api":
"role:reader and project_id:%(project_id)s",
"project_member_or_admin":
"rule:project_member_api or rule:context_is_admin",
"project_reader_or_admin":
"rule:project_reader_api or rule:context_is_admin",
})
self.policy.set_rules(self.rules_without_deprecation,
overwrite=False)
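Review bot: Typo in the first added comment line: `# A few commmon set of contexts to be used in tests` should read `# A few common sets of contexts to be used in tests`. The comments on the new sets also understate their contents — `project_m_r_or_admin_with_scope_and_legacy` is described as "only project scoped admin and any role in that project" and the two `*_with_scope_no_legacy` sets as "only project scoped admin ...", yet every one of them also holds `legacy_admin_context`; presumably that context carries a project-scoped token with the admin role, but since these sets now define the authorized population each policy test asserts, the comments should say so explicitly, e.g. `# ... legacy admin (project-scoped token with admin role), project scoped admin and ...`. Note too that these are `set`s while the per-test `*_authorized_contexts` values they replace elsewhere in this commit were lists; if any helper on BasePolicyTest relies on ordering or list concatenation, that will break — worth confirming. The enclosing setUp continues outside the hunk.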


@ -78,12 +78,6 @@ class AdminActionsNoLegacyNoScopePolicyTest(AdminActionsPolicyTest):
without_deprecated_rules = True
def setUp(self):
super(AdminActionsNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule and scope disable, only project admin
# is able to perform server admin actions.
self.project_action_authorized_contexts = [self.project_admin_context]
class AdminActionsScopeTypePolicyTest(AdminActionsPolicyTest):
"""Test Admin Actions APIs policies with system scope enabled.
@ -111,10 +105,3 @@ class AdminActionsScopeTypeNoLegacyPolicyTest(AdminActionsScopeTypePolicyTest):
only project admin is able to perform admin action on their server.
"""
without_deprecated_rules = True
def setUp(self):
super(AdminActionsScopeTypeNoLegacyPolicyTest, self).setUp()
# This is how our RBAC will looks like. With no legacy rule
# and scope enable, only project admin is able to perform
# server admin actions.
self.project_action_authorized_contexts = [self.project_admin_context]


@ -101,8 +101,8 @@ class AdminPasswordNoLegacyNoScopePolicyTest(AdminPasswordPolicyTest):
super(AdminPasswordNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, only project admin or member will be
# able to change the server password.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
class AdminPasswordScopeTypePolicyTest(AdminPasswordPolicyTest):
@ -119,10 +119,8 @@ class AdminPasswordScopeTypePolicyTest(AdminPasswordPolicyTest):
super(AdminPasswordScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Scope enable will not allow system admin to change password.
self.project_action_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_action_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
class AdminPasswordScopeTypeNoLegacyTest(AdminPasswordScopeTypePolicyTest):
@ -139,5 +137,5 @@ class AdminPasswordScopeTypeNoLegacyTest(AdminPasswordScopeTypePolicyTest):
# With scope enable and no legacy rule only project admin/member
# will be able to change password for the server.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)
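Review bot: The comments kept above the rewritten assignments are now stale: `# With no legacy rule, only project admin or member will be able to change the server password.` sits above `self.project_member_or_admin_with_no_scope_no_legacy`, which per the base set added in this commit also contains the legacy and system admin contexts, and the "only project admin/member" comment in the last hunk has the same problem. Because these comments document the exact access each policy test pins, suggest `# With no legacy rule, any admin plus project members can change the server password.` for the first hunk and `# With scope enabled and no legacy rule, project-scoped admin and members can change the password.` for the last. The same stale wording survives in AttachInterfacesNoLegacyNoScopePolicyTest.setUp (`# With no legacy rule, legacy admin loose power.`, which now directly contradicts the set it precedes), in the ConsoleOutput, CreateBackup and DeferredDelete NoLegacy setUps, and in FloatingIPScopeTypeNoLegacyPolicyTest.setUp (`# Check that system admin or owner is able to add/delete FIP`, where system admin is not in the assigned set). Each of these setUp methods begins outside its hunk.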


@ -117,22 +117,21 @@ class AttachInterfacesNoLegacyNoScopePolicyTest(AttachInterfacesPolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
ai_policies.POLICY_ROOT % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
ai_policies.POLICY_ROOT % 'show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
ai_policies.POLICY_ROOT % 'create':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
ai_policies.POLICY_ROOT % 'delete':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(AttachInterfacesNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, legacy admin loose power.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_no_scope_no_legacy)
class AttachInterfacesScopeTypePolicyTest(AttachInterfacesPolicyTest):
@ -149,12 +148,10 @@ class AttachInterfacesScopeTypePolicyTest(AttachInterfacesPolicyTest):
super(AttachInterfacesScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# With Scope enable, system users no longer allowed.
self.project_member_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_member_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
self.project_reader_authorized_contexts = (
self.project_member_authorized_contexts)
self.project_m_r_or_admin_with_scope_and_legacy)
class AttachInterfacesDeprecatedPolicyTest(base.BasePolicyTest):
@ -217,20 +214,19 @@ class AttachInterfacesScopeTypeNoLegacyPolicyTest(
without_deprecated_rules = True
rules_without_deprecation = {
ai_policies.POLICY_ROOT % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
ai_policies.POLICY_ROOT % 'show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
ai_policies.POLICY_ROOT % 'create':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
ai_policies.POLICY_ROOT % 'delete':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(AttachInterfacesScopeTypeNoLegacyPolicyTest, self).setUp()
# With no legacy and scope enable, only project admin, member,
# and reader will be able to allowed operation on server interface.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_scope_no_legacy)


@ -73,8 +73,8 @@ class ConsoleOutputNoLegacyNoScopePolicyTest(ConsoleOutputPolicyTest):
super(ConsoleOutputNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, only project admin or member is able to
# get the server console.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
class ConsoleOutputScopeTypePolicyTest(ConsoleOutputPolicyTest):
@ -92,10 +92,8 @@ class ConsoleOutputScopeTypePolicyTest(ConsoleOutputPolicyTest):
super(ConsoleOutputScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Scope enable will not allow system admin.
self.project_member_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_member_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
class ConsoleOutputScopeTypeNoLegacyPolicyTest(
@ -110,5 +108,5 @@ class ConsoleOutputScopeTypeNoLegacyPolicyTest(
# With scope enable and no legacy rule, only project admin/member can
# get the server console.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)


@ -81,8 +81,8 @@ class CreateBackupNoLegacyNoScopePolicyTest(CreateBackupPolicyTest):
super(CreateBackupNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, only project admin or member will be
# able to create the server backup.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
class CreateBackupScopeTypePolicyTest(CreateBackupPolicyTest):
@ -100,10 +100,8 @@ class CreateBackupScopeTypePolicyTest(CreateBackupPolicyTest):
super(CreateBackupScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Scope enable will not allow system users to create the server.
self.project_member_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_member_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
class CreateBackupScopeTypeNoLegacyPolicyTest(CreateBackupScopeTypePolicyTest):
@ -116,5 +114,5 @@ class CreateBackupScopeTypeNoLegacyPolicyTest(CreateBackupScopeTypePolicyTest):
super(CreateBackupScopeTypeNoLegacyPolicyTest, self).setUp()
# With scope enable and no legacy rule, only project admin/member
# will be able to create the server backup.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)


@ -105,16 +105,16 @@ class DeferredDeleteNoLegacyNoScopePolicyTest(DeferredDeletePolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
dd_policies.BASE_POLICY_NAME % 'restore':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
dd_policies.BASE_POLICY_NAME % 'force':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(DeferredDeleteNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, only project admin or member is able to force
# delete or restore server.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
class DeferredDeleteScopeTypePolicyTest(DeferredDeletePolicyTest):
@ -132,10 +132,8 @@ class DeferredDeleteScopeTypePolicyTest(DeferredDeletePolicyTest):
super(DeferredDeleteScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Scope enable will not allow system admin.
self.project_member_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_member_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
class DeferredDeleteScopeTypeNoLegacyPolicyTest(
@ -146,14 +144,14 @@ class DeferredDeleteScopeTypeNoLegacyPolicyTest(
without_deprecated_rules = True
rules_without_deprecation = {
dd_policies.BASE_POLICY_NAME % 'restore':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
dd_policies.BASE_POLICY_NAME % 'force':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(DeferredDeleteScopeTypeNoLegacyPolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# With scope enable and no legacy rule, only project admin/member is
# able to force delete or restore server.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)


@ -114,12 +114,6 @@ class EvacuateNoLegacyNoScopePolicyTest(EvacuatePolicyTest):
without_deprecated_rules = True
def setUp(self):
super(EvacuateNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule and scope disable, only project admin
# will be able to evacuate server.
self.project_action_authorized_contexts = [self.project_admin_context]
class EvacuateScopeTypePolicyTest(EvacuatePolicyTest):
"""Test Evacuate APIs policies with system scope enabled.
@ -146,10 +140,3 @@ class EvacuateScopeTypeNoLegacyPolicyTest(EvacuateScopeTypePolicyTest):
and no more deprecated rules which means scope + new defaults.
"""
without_deprecated_rules = True
def setUp(self):
super(EvacuateScopeTypeNoLegacyPolicyTest, self).setUp()
# This is how our RBAC will looks like. With no legacy rule
# and scope enable, only project admin is able to evacuate
# server.
self.project_action_authorized_contexts = [self.project_admin_context]


@ -152,24 +152,24 @@ class FloatingIPNoLegacyNoScopePolicyTest(FloatingIPPolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
fip_policies.BASE_POLICY_NAME % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
fip_policies.BASE_POLICY_NAME % 'show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
fip_policies.BASE_POLICY_NAME % 'create':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
fip_policies.BASE_POLICY_NAME % 'delete':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
fip_policies.BASE_POLICY_NAME % 'add':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
fip_policies.BASE_POLICY_NAME % 'remove':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(FloatingIPNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, only project admin or member will be
# able to add/remove FIP to server.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
# With no legacy, project other roles like foo will not be able
# to operate on FIP.
self.member_authorized_contexts = [
@ -203,10 +203,8 @@ class FloatingIPScopeTypePolicyTest(FloatingIPPolicyTest):
super(FloatingIPScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Scope enable will not allow system users.
self.project_member_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_member_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
self.member_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
@ -228,24 +226,24 @@ class FloatingIPScopeTypeNoLegacyPolicyTest(FloatingIPScopeTypePolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
fip_policies.BASE_POLICY_NAME % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
fip_policies.BASE_POLICY_NAME % 'show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
fip_policies.BASE_POLICY_NAME % 'create':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
fip_policies.BASE_POLICY_NAME % 'delete':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
fip_policies.BASE_POLICY_NAME % 'add':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
fip_policies.BASE_POLICY_NAME % 'remove':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(FloatingIPScopeTypeNoLegacyPolicyTest, self).setUp()
# Check that system admin or owner is able to
# add/delete FIP to server.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)
# With no legacy and scope enabled, system users and project
# other roles like foo will not be able to operate FIP.
self.member_authorized_contexts = [


@ -140,20 +140,17 @@ class InstanceActionsNoLegacyNoScopePolicyTest(InstanceActionsPolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
ia_policies.BASE_POLICY_NAME % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
ia_policies.BASE_POLICY_NAME % 'show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
ia_policies.BASE_POLICY_NAME % 'events':
base_policy.PROJECT_ADMIN,
base_policy.ADMIN,
}
def setUp(self):
super(InstanceActionsNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, legacy admin loose power.
self.project_admin_authorized_contexts = [self.project_admin_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_no_scope_no_legacy)
class InstanceActionsDeprecatedPolicyTest(base.BasePolicyTest):
@ -231,10 +228,8 @@ class InstanceActionsScopeTypePolicyTest(InstanceActionsPolicyTest):
# With Scope enable, system users no longer allowed.
self.project_admin_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context]
self.project_reader_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_reader_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
@mock.patch('nova.objects.InstanceActionEventList.get_by_action')
@mock.patch('nova.objects.InstanceAction.get_by_request_id')
@ -280,27 +275,25 @@ class InstanceActionsScopeTypePolicyTest(InstanceActionsPolicyTest):
self.assertNotIn('details', event)
class InstanceActionsScopeTypeNoLegacyPolicyTest(InstanceActionsPolicyTest):
class InstanceActionsScopeTypeNoLegacyPolicyTest(
InstanceActionsScopeTypePolicyTest):
"""Test os-instance-actions APIs policies with system scope enabled,
and no more deprecated rules.
"""
without_deprecated_rules = True
rules_without_deprecation = {
ia_policies.BASE_POLICY_NAME % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
ia_policies.BASE_POLICY_NAME % 'show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
ia_policies.BASE_POLICY_NAME % 'events':
base_policy.PROJECT_ADMIN,
base_policy.ADMIN,
}
def setUp(self):
super(InstanceActionsScopeTypeNoLegacyPolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# With no legacy and scope enable, only project admin, member,
# and reader will be able to get server action and only admin
# with event details.
self.project_admin_authorized_contexts = [self.project_admin_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_scope_no_legacy)
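Review bot: `self.project_admin_authorized_contexts = [self.project_admin_context]` is kept in both InstanceActionsNoLegacyNoScopePolicyTest and InstanceActionsScopeTypeNoLegacyPolicyTest while the `events` rule in the same classes moves to `base_policy.ADMIN`; the lock-server, migrate-server, server-diagnostics, server-migrations and server-topology sections of this commit drop the equivalent override so the parent's list (for the scope-type parent visibly `[self.legacy_admin_context, self.project_admin_context]`) applies. Unless the instance-actions base expectations differ from those files, the legacy admin context will presumably be asserted as unauthorized for events here, so either drop the two overrides as the other sections do or widen them to `[self.legacy_admin_context, self.project_admin_context]`. The surviving comment `# With no legacy rule, legacy admin loose power.` now contradicts the helper assigned right below it, and the same stale line survives in the server-metadata, server-password, server-tags and server-topology sections; `# With no legacy rule, legacy admin keeps admin access; project roles come from the shared helper lists.` would match the new behaviour. With the base class now InstanceActionsScopeTypePolicyTest, the `self.flags(enforce_scope=True, group="oslo_policy")` call in the subclass setUp is presumably redundant.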


@ -95,7 +95,7 @@ class LimitsNoLegacyNoScopeTest(LimitsPolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME:
base_policy.PROJECT_ADMIN}
base_policy.ADMIN}
def setUp(self):
super(LimitsNoLegacyNoScopeTest, self).setUp()
@ -141,7 +141,7 @@ class LimitsScopeTypeNoLegacyPolicyTest(LimitsScopeTypePolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME:
base_policy.PROJECT_ADMIN}
base_policy.ADMIN}
def setUp(self):
super(LimitsScopeTypeNoLegacyPolicyTest, self).setUp()


@ -139,11 +139,9 @@ class LockServerNoLegacyNoScopePolicyTest(LockServerPolicyTest):
def setUp(self):
super(LockServerNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, only project admin or member will be
# able to lock/unlock the server and only project admin can
# override the unlock.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_admin_authorized_contexts = [self.project_admin_context]
# able to lock/unlock the server.
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
class LockServerScopeTypePolicyTest(LockServerPolicyTest):
@ -160,10 +158,8 @@ class LockServerScopeTypePolicyTest(LockServerPolicyTest):
super(LockServerScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Scope enable will not allow system admin to lock/unlock the server.
self.project_action_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_action_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
self.project_admin_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context]
@ -178,9 +174,8 @@ class LockServerScopeTypeNoLegacyPolicyTest(LockServerScopeTypePolicyTest):
super(LockServerScopeTypeNoLegacyPolicyTest, self).setUp()
# With scope enable and no legacy rule, only project admin/member
# will be able to lock/unlock the server.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_admin_authorized_contexts = [self.project_admin_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)
class LockServerOverridePolicyTest(LockServerScopeTypeNoLegacyPolicyTest):
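Review bot: The comment retained at the top of LockServerNoLegacyNoScopePolicyTest.setUp, `# With no legacy rule, only project admin or member will be able to lock/unlock the server.`, no longer describes the list assigned under it: the helper name `project_member_or_admin_with_no_scope_no_legacy` and the commit message both indicate the legacy admin is now included, so `# With no legacy rule, project member or admin (legacy admin included) can lock/unlock the server.` would be accurate. The same "only project admin or member" wording survives unchanged in the multinic, pause-server, remote-consoles, rescue-server, server-security-groups, server-group and server-ips sections; in server-ips only the scope-type-no-legacy comment was updated to `only admin, member,` while its no-scope-no-legacy sibling still reads `only project admin, member,`. Removing the `project_admin_authorized_contexts` override in the two no-legacy classes means the unlock-override expectation is now inherited from a parent class outside the hunk, which is worth confirming still lists the legacy admin.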


@ -83,11 +83,6 @@ class MigrateServerNoLegacyNoScopeTest(MigrateServerPolicyTest):
without_deprecated_rules = True
def setUp(self):
super(MigrateServerNoLegacyNoScopeTest, self).setUp()
self.project_admin_authorized_contexts = [
self.project_admin_context]
class MigrateServerScopeTypePolicyTest(MigrateServerPolicyTest):
"""Test Migrate Server APIs policies with system scope enabled.
@ -115,12 +110,6 @@ class MigrateServerScopeTypeNoLegacyPolicyTest(
"""
without_deprecated_rules = True
def setUp(self):
super(MigrateServerScopeTypeNoLegacyPolicyTest, self).setUp()
# with no legacy rule and scope enable., only project admin is able to
# migrate the server.
self.project_admin_authorized_contexts = [self.project_admin_context]
class MigrateServerOverridePolicyTest(
MigrateServerScopeTypeNoLegacyPolicyTest):


@ -83,16 +83,16 @@ class MultinicNoLegacyNoScopePolicyTest(MultinicPolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
policies.BASE_POLICY_NAME % 'add':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
policies.BASE_POLICY_NAME % 'remove':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(MultinicNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, only project admin or member will be
# able to add/remove the fixed ip.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
class MultinicScopeTypePolicyTest(MultinicPolicyTest):
@ -111,10 +111,8 @@ class MultinicScopeTypePolicyTest(MultinicPolicyTest):
self.flags(enforce_scope=True, group="oslo_policy")
# Scope enable will not allow system admin to add/remove
# the fixed ip.
self.project_action_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_action_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
class MultinicScopeTypeNoLegacyPolicyTest(MultinicScopeTypePolicyTest):
@ -124,13 +122,13 @@ class MultinicScopeTypeNoLegacyPolicyTest(MultinicScopeTypePolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
policies.BASE_POLICY_NAME % 'add':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
policies.BASE_POLICY_NAME % 'remove':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(MultinicScopeTypeNoLegacyPolicyTest, self).setUp()
# With scope enable and no legacy rule, only project admin/member
# will be able to add/remove the fixed ip.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)


@ -73,9 +73,9 @@ class NetworksNoLegacyNoScopePolicyTest(NetworksPolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
policies.POLICY_ROOT % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
policies.POLICY_ROOT % 'show':
base_policy.PROJECT_READER}
base_policy.PROJECT_READER_OR_ADMIN}
def setUp(self):
super(NetworksNoLegacyNoScopePolicyTest, self).setUp()
@ -120,9 +120,9 @@ class NetworksScopeTypeNoLegacyPolicyTest(NetworksScopeTypePolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
policies.POLICY_ROOT % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
policies.POLICY_ROOT % 'show':
base_policy.PROJECT_READER}
base_policy.PROJECT_READER_OR_ADMIN}
def setUp(self):
super(NetworksScopeTypeNoLegacyPolicyTest, self).setUp()


@ -109,8 +109,8 @@ class PauseServerNoLegacyNoScopePolicyTest(PauseServerPolicyTest):
super(PauseServerNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, only project admin or member will be
# able to pause/unpause the server.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
class PauseServerScopeTypePolicyTest(PauseServerPolicyTest):
@ -127,10 +127,8 @@ class PauseServerScopeTypePolicyTest(PauseServerPolicyTest):
super(PauseServerScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Scope enable will not allow system admin to pause/unpause the server.
self.project_action_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_action_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
class PauseServerScopeTypeNoLegacyPolicyTest(PauseServerScopeTypePolicyTest):
@ -143,5 +141,5 @@ class PauseServerScopeTypeNoLegacyPolicyTest(PauseServerScopeTypePolicyTest):
super(PauseServerScopeTypeNoLegacyPolicyTest, self).setUp()
# With scope enable and no legacy rule, only project admin/member
# will be able to pause/unpause the server.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)


@ -79,8 +79,8 @@ class RemoteConsolesNoLegacyNoScopePolicyTest(RemoteConsolesPolicyTest):
super(RemoteConsolesNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, only project admin or member will be
# able get server remote consoles.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
class RemoteConsolesScopeTypePolicyTest(RemoteConsolesPolicyTest):
@ -98,10 +98,8 @@ class RemoteConsolesScopeTypePolicyTest(RemoteConsolesPolicyTest):
self.flags(enforce_scope=True, group="oslo_policy")
# Scope enable will not allow system admin to get server
# remote console.
self.project_action_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_action_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
class RemoteConsolesScopeTypeNoLegacyPolicyTest(
@ -116,5 +114,5 @@ class RemoteConsolesScopeTypeNoLegacyPolicyTest(
super(RemoteConsolesScopeTypeNoLegacyPolicyTest, self).setUp()
# With scope enable and no legacy rule, only project admin/member
# will be able to get server remote console.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)


@ -108,16 +108,16 @@ class RescueServerNoLegacyNoScopePolicyTest(RescueServerPolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
rs_policies.UNRESCUE_POLICY_NAME:
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
rs_policies.BASE_POLICY_NAME:
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(RescueServerNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, only project admin or member will be
# able to rescue/unrescue the server.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
class RescueServerScopeTypePolicyTest(RescueServerPolicyTest):
@ -135,10 +135,8 @@ class RescueServerScopeTypePolicyTest(RescueServerPolicyTest):
self.flags(enforce_scope=True, group="oslo_policy")
# Scope enable will not allow system admin to rescue/unrescue the
# server.
self.project_action_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_action_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
class RescueServerScopeTypeNoLegacyPolicyTest(RescueServerScopeTypePolicyTest):
@ -149,13 +147,13 @@ class RescueServerScopeTypeNoLegacyPolicyTest(RescueServerScopeTypePolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
rs_policies.UNRESCUE_POLICY_NAME:
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
rs_policies.BASE_POLICY_NAME:
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(RescueServerScopeTypeNoLegacyPolicyTest, self).setUp()
# With scope enable and no legacy rule, only project admin/member
# will be able to rescue/unrescue the server.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)


@ -104,22 +104,20 @@ class ServerSecurityGroupsNoLegacyNoScopePolicyTest(
without_deprecated_rules = True
rules_without_deprecation = {
policies.POLICY_NAME % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
policies.POLICY_NAME % 'add':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
policies.POLICY_NAME % 'remove':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(ServerSecurityGroupsNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, only project admin or member will be
# able to add/remove SG to server and reader to get SG.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context,
]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_no_scope_no_legacy)
class SecurityGroupsPolicyTest(base.BasePolicyTest):
@ -243,19 +241,19 @@ class SecurityGroupsNoLegacyNoScopePolicyTest(
without_deprecated_rules = True
rules_without_deprecation = {
policies.POLICY_NAME % 'get':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
policies.POLICY_NAME % 'show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
policies.POLICY_NAME % 'create':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
policies.POLICY_NAME % 'update':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
policies.POLICY_NAME % 'delete':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
policies.POLICY_NAME % 'rule:create':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
policies.POLICY_NAME % 'rule:delete':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(SecurityGroupsNoLegacyNoScopePolicyTest, self).setUp()
@ -321,15 +319,10 @@ class ServerSecurityGroupsScopeTypePolicyTest(ServerSecurityGroupsPolicyTest):
super(ServerSecurityGroupsScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Scope enable will not allow system users.
self.project_member_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context
]
self.project_member_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
self.project_reader_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
class ServerSecurityGroupsScopeTypeNoLegacyPolicyTest(
@ -340,23 +333,21 @@ class ServerSecurityGroupsScopeTypeNoLegacyPolicyTest(
without_deprecated_rules = True
rules_without_deprecation = {
policies.POLICY_NAME % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
policies.POLICY_NAME % 'add':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
policies.POLICY_NAME % 'remove':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(ServerSecurityGroupsScopeTypeNoLegacyPolicyTest, self).setUp()
# With scope enable and no legacy rule, only project admin/member
# will be able to add/remove the SG to their server and reader
# will get SG of server.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context
]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_scope_no_legacy)
class SecurityGroupsNoLegacyPolicyTest(SecurityGroupsScopeTypePolicyTest):
@ -366,19 +357,19 @@ class SecurityGroupsNoLegacyPolicyTest(SecurityGroupsScopeTypePolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
policies.POLICY_NAME % 'get':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
policies.POLICY_NAME % 'show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
policies.POLICY_NAME % 'create':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
policies.POLICY_NAME % 'update':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
policies.POLICY_NAME % 'delete':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
policies.POLICY_NAME % 'rule:create':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
policies.POLICY_NAME % 'rule:delete':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(SecurityGroupsNoLegacyPolicyTest, self).setUp()
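Review bot: ServerSecurityGroupsNoLegacyNoScopePolicyTest and its scope-type siblings now take the add/remove authorized-context lists from shared base attributes (`project_member_or_admin_with_no_scope_no_legacy`, `project_m_r_or_admin_with_scope_and_legacy`) instead of spelling them out, so this file no longer pins on its own which contexts may attach a security group to a server; a later widening of the base list would be accepted here without a per-API review. If the base policy test (outside this diff) does not already assert the exact membership of those helper lists, one assertion there would keep these per-API expectations meaningful. A one-line comment above the assignments naming the helper's membership, provided it matches what the base defines, would also help a reader who cannot see the base file.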


@ -66,11 +66,6 @@ class ServerDiagnosticsNoLegacyNoScopeTest(ServerDiagnosticsPolicyTest):
without_deprecated_rules = True
def setUp(self):
super(ServerDiagnosticsNoLegacyNoScopeTest, self).setUp()
self.project_admin_authorized_contexts = [
self.project_admin_context]
class ServerDiagnosticsScopeTypePolicyTest(ServerDiagnosticsPolicyTest):
"""Test Server Diagnostics APIs policies with system scope enabled.
@ -98,12 +93,6 @@ class ServerDiagnosticsScopeTypeNoLegacyPolicyTest(
"""
without_deprecated_rules = True
def setUp(self):
super(ServerDiagnosticsScopeTypeNoLegacyPolicyTest, self).setUp()
# with no legacy rule and scope enable., only project admin is able to
# get server diagnostics.
self.project_admin_authorized_contexts = [self.project_admin_context]
class ServerDiagnosticsOverridePolicyTest(
ServerDiagnosticsScopeTypeNoLegacyPolicyTest):


@ -163,12 +163,10 @@ class ServerGroupNoLegacyNoScopePolicyTest(ServerGroupPolicyTest):
super(ServerGroupNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy, only project admin, member will be able to delete
# the SG and also reader will be able to get the SG.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_no_scope_no_legacy)
# Even with no legacy rule, legacy admin is allowed to create SG
# use requesting context's project_id. Same for list SG.
@ -205,16 +203,10 @@ class ServerGroupScopeTypePolicyTest(ServerGroupPolicyTest):
self.flags(enforce_scope=True, group="oslo_policy")
# With scope enable, it disallow system users.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
]
self.project_member_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
self.project_reader_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
self.project_create_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
@ -244,17 +236,16 @@ class ServerGroupScopeTypeNoLegacyPolicyTest(ServerGroupScopeTypePolicyTest):
def setUp(self):
super(ServerGroupScopeTypeNoLegacyPolicyTest, self).setUp()
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)
self.project_create_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context,
self.other_project_member_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_scope_no_legacy)
self.project_admin_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context]


@ -84,10 +84,8 @@ class ServerIpsNoLegacyNoScopePolicyTest(ServerIpsPolicyTest):
super(ServerIpsNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy, only project admin, member, and reader will be able
# to get their server IP addresses.
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context,
]
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_no_scope_no_legacy)
class ServerIpsScopeTypePolicyTest(ServerIpsPolicyTest):
@ -105,11 +103,8 @@ class ServerIpsScopeTypePolicyTest(ServerIpsPolicyTest):
self.flags(enforce_scope=True, group="oslo_policy")
# With scope enabled, system users will not be able
# to get the server IP addresses.
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context
]
self.project_reader_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
class ServerIpsScopeTypeNoLegacyPolicyTest(ServerIpsScopeTypePolicyTest):
@ -120,9 +115,7 @@ class ServerIpsScopeTypeNoLegacyPolicyTest(ServerIpsScopeTypePolicyTest):
def setUp(self):
super(ServerIpsScopeTypeNoLegacyPolicyTest, self).setUp()
# With no legacy and scope enable, only project admin, member,
# With no legacy and scope enable, only admin, member,
# and reader will be able to get their server IP addresses.
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context
]
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_scope_no_legacy)


@ -119,11 +119,10 @@ class ServerMetadataNoLegacyNoScopePolicyTest(ServerMetadataPolicyTest):
def setUp(self):
super(ServerMetadataNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, legacy admin loose power.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_no_scope_no_legacy)
class ServerMetadataScopeTypePolicyTest(ServerMetadataPolicyTest):
@ -140,12 +139,10 @@ class ServerMetadataScopeTypePolicyTest(ServerMetadataPolicyTest):
super(ServerMetadataScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# With Scope enable, system users no longer allowed.
self.project_member_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_member_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
self.project_reader_authorized_contexts = (
self.project_member_authorized_contexts)
self.project_m_r_or_admin_with_scope_and_legacy)
class ServerMetadataScopeTypeNoLegacyPolicyTest(
@ -160,8 +157,7 @@ class ServerMetadataScopeTypeNoLegacyPolicyTest(
super(ServerMetadataScopeTypeNoLegacyPolicyTest, self).setUp()
# With no legacy and scope enable, only project admin, member,
# and reader will be able to allowed operation on server metadata.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_scope_no_legacy)


@ -93,11 +93,6 @@ class ServerMigrationsNoLegacyNoScopeTest(ServerMigrationsPolicyTest):
without_deprecated_rules = True
def setUp(self):
super(ServerMigrationsNoLegacyNoScopeTest, self).setUp()
self.project_admin_authorized_contexts = [
self.project_admin_context]
class ServerMigrationsScopeTypePolicyTest(ServerMigrationsPolicyTest):
"""Test Server Migrations APIs policies with system scope enabled.
@ -124,12 +119,6 @@ class ServerMigrationsScopeTypeNoLegacyPolicyTest(
"""
without_deprecated_rules = True
def setUp(self):
super(ServerMigrationsScopeTypeNoLegacyPolicyTest, self).setUp()
# Check that admin is able to perform operations
# for server migrations.
self.project_admin_authorized_contexts = [self.project_admin_context]
class ServerMigrationsOverridePolicyTest(
ServerMigrationsScopeTypeNoLegacyPolicyTest):


@ -80,18 +80,17 @@ class ServerPasswordNoLegacyNoScopePolicyTest(ServerPasswordPolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
policies.BASE_POLICY_NAME % 'show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
policies.BASE_POLICY_NAME % 'clear':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(ServerPasswordNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, legacy admin loose power.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_no_scope_no_legacy)
class ServerPasswordScopeTypePolicyTest(ServerPasswordPolicyTest):
@ -108,12 +107,10 @@ class ServerPasswordScopeTypePolicyTest(ServerPasswordPolicyTest):
super(ServerPasswordScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# With Scope enable, system users no longer allowed.
self.project_member_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_member_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
self.project_reader_authorized_contexts = (
self.project_member_authorized_contexts)
self.project_m_r_or_admin_with_scope_and_legacy)
class ServerPasswordScopeTypeNoLegacyPolicyTest(
@ -124,16 +121,15 @@ class ServerPasswordScopeTypeNoLegacyPolicyTest(
without_deprecated_rules = True
rules_without_deprecation = {
policies.BASE_POLICY_NAME % 'show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
policies.BASE_POLICY_NAME % 'clear':
base_policy.PROJECT_MEMBER}
base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
super(ServerPasswordScopeTypeNoLegacyPolicyTest, self).setUp()
# With no legacy and scope enable, only project admin, member,
# and reader will be able to allowed operation on server password.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_scope_no_legacy)


@ -132,11 +132,10 @@ class ServerTagsNoLegacyNoScopePolicyTest(ServerTagsPolicyTest):
def setUp(self):
super(ServerTagsNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, legacy admin loose power.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_no_scope_no_legacy)
class ServerTagsScopeTypePolicyTest(ServerTagsPolicyTest):
@ -153,12 +152,10 @@ class ServerTagsScopeTypePolicyTest(ServerTagsPolicyTest):
super(ServerTagsScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# With Scope enable, system users no longer allowed.
self.project_member_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_member_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
self.project_reader_authorized_contexts = (
self.project_member_authorized_contexts)
self.project_m_r_or_admin_with_scope_and_legacy)
class ServerTagsScopeTypeNoLegacyPolicyTest(ServerTagsScopeTypePolicyTest):
@ -172,8 +169,7 @@ class ServerTagsScopeTypeNoLegacyPolicyTest(ServerTagsScopeTypePolicyTest):
super(ServerTagsScopeTypeNoLegacyPolicyTest, self).setUp()
# With no legacy and scope enable, only project admin, member,
# and reader will be able to allowed operation on server tags.
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_scope_no_legacy)
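Review bot: The surviving comment at the top of ServerTagsNoLegacyNoScopePolicyTest, "With no legacy rule, legacy admin loose power.", now contradicts the expectation assigned right under it: the new helper set is named `project_member_or_admin_with_no_scope_no_legacy`, and the commit description says the "or admin" variants exist precisely so the legacy admin keeps access. Anyone auditing who may touch server tags will read the comment and get the opposite answer from the assertion. I would replace it with `# With no legacy rule, only admin, project member and project reader keep access; other roles on the project (e.g. foo) lose it.` (also fixing "loose"). The same wording issue applies to the "only project admin, member, and reader" comment in the ScopeTypeNoLegacy class below; I cannot see the helper definitions from this diff, so confirm against base before rewording.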


@ -98,11 +98,8 @@ class ServerTopologyNoLegacyNoScopePolicyTest(ServerTopologyPolicyTest):
def setUp(self):
super(ServerTopologyNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, legacy admin loose power.
self.project_admin_authorized_contexts = [self.project_admin_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_no_scope_no_legacy)
class ServerTopologyScopeTypePolicyTest(ServerTopologyPolicyTest):
@ -121,10 +118,8 @@ class ServerTopologyScopeTypePolicyTest(ServerTopologyPolicyTest):
# With Scope enable, system users no longer allowed.
self.project_admin_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context]
self.project_reader_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_reader_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
class ServerTopologyScopeTypeNoLegacyPolicyTest(
@ -138,9 +133,6 @@ class ServerTopologyScopeTypeNoLegacyPolicyTest(
def setUp(self):
super(ServerTopologyScopeTypeNoLegacyPolicyTest, self).setUp()
# With no legacy and scope enable, only project admin, member,
# and reader will be able to get server topology and only admin
# with host info.
self.project_admin_authorized_contexts = [self.project_admin_context]
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
# and reader will be able to get server topology.
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_scope_no_legacy)
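Review bot: The comment "With no legacy rule, legacy admin loose power." in ServerTopologyNoLegacyNoScopePolicyTest is stale on the new side: the explicit `project_admin_authorized_contexts = [self.project_admin_context]` override is deleted, so the class now inherits whatever admin set the base test defines, and the reader expectation switches to an "or_admin" helper that, per the commit description, includes the legacy admin. The comment should describe the inherited expectation rather than the old one, e.g. `# With no legacy rule, admin keeps the base-class expectation; only member and reader roles on the project keep read access.` I cannot see the base-class default from here, so the exact admin set should be confirmed before committing to the wording. Note the ScopeTypeNoLegacy class loses its "only admin with host info" sentence but likewise drops its admin override, so the same comment adjustment applies there.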


@ -1324,7 +1324,7 @@ class ServersNoLegacyNoScopeTest(ServersPolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
policies.SERVERS % 'show:flavor-extra-specs':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
}
def setUp(self):
@ -1332,23 +1332,14 @@ class ServersNoLegacyNoScopeTest(ServersPolicyTest):
# Disabling legacy rule support means that we no longer allow
# random roles on our project to take action on our
# resources. We also do not allow admin on other projects
# (i.e. legacy_admin), nor system (because it's admin on no
# project).
self.reduce_set('project_action_authorized', set([
self.project_admin_context, self.project_member_context,
]))
self.reduce_set('project_admin_authorized', set([
self.project_admin_context
]))
# resources. Legacy admin will have access.
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
# The only additional role that can read our resources is our
# own project_reader.
self.project_reader_authorized_contexts = (
self.project_action_authorized_contexts |
set([self.project_reader_context])
)
self.project_reader_or_admin_with_no_scope_no_legacy)
# Disabling legacy support means random roles lose power to
# see everything in their project.
@ -1438,7 +1429,7 @@ class ServersNoLegacyPolicyTest(ServersScopeTypePolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
policies.SERVERS % 'show:flavor-extra-specs':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
}
def setUp(self):
@ -1448,15 +1439,8 @@ class ServersNoLegacyPolicyTest(ServersScopeTypePolicyTest):
# powerful on our project. Also, we drop the "any role on the
# project means you can do stuff" behavior, so project_reader
# and project_foo lose power.
self.reduce_set('project_action_authorized', set([
self.project_admin_context,
self.project_member_context,
]))
# With no legacy rule and scope checks enable, only project
# admin can do admin things on project resource.
self.reduce_set('project_admin_authorized',
set([self.project_admin_context]))
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)
# Only project_reader has additional read access to our
# project resources.
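Review bot: Neither ServersNoLegacyNoScopeTest nor ServersNoLegacyPolicyTest pins `project_admin_authorized` any more, so who is expected to pass the admin-only server policies in the no-legacy configurations is now decided entirely by a base-class default that is outside this diff; the deleted comment "only project admin can do admin things on project resource" was the only place that stated the intent. Because these tests are the executable specification of the new RBAC defaults, I would keep a one-line statement of the inherited expectation next to the member assignment, e.g. `# project_admin_authorized keeps the base default (admin role on any project passes).`, hedged as "verify against BasePolicyTest" until confirmed. The last hunk's setUp continues past the end of the diff, so the reader expectation for ServersNoLegacyPolicyTest is not visible here.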


@ -122,9 +122,8 @@ class ShelveServerNoLegacyNoScopePolicyTest(ShelveServerPolicyTest):
# With no legacy rule, only project admin or member will be
# able to shelve/unshelve the server and only project admin can
# shelve offload the server.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_admin_authorized_contexts = [self.project_admin_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
class ShelveServerScopeTypePolicyTest(ShelveServerPolicyTest):
@ -142,10 +141,8 @@ class ShelveServerScopeTypePolicyTest(ShelveServerPolicyTest):
self.flags(enforce_scope=True, group="oslo_policy")
# Scope enable will not allow system admin to shelve/unshelve the
# server.
self.project_action_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_action_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
self.project_admin_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context]
@ -160,6 +157,5 @@ class ShelveServerScopeTypeNoLegacyPolicyTest(ShelveServerScopeTypePolicyTest):
super(ShelveServerScopeTypeNoLegacyPolicyTest, self).setUp()
# With scope enable and no legacy rule, only project admin/member
# will be able to shelve/unshelve the server.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_admin_authorized_contexts = [self.project_admin_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)
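Review bot: The comment in ShelveServerNoLegacyNoScopePolicyTest still says "only project admin can shelve offload the server", but the line that enforced that expectation, `self.project_admin_authorized_contexts = [self.project_admin_context]`, is removed, so shelve-offload now inherits the base-class admin set, which by the commit's stated intent includes the legacy admin. The same mismatch is in ShelveServerScopeTypeNoLegacyPolicyTest ("only project admin/member"). I would reword both to `# With no legacy rule, admin or project member can shelve/unshelve; shelve offload keeps the base-class admin expectation.` I cannot see the base default from this diff, so confirm before rewording.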


@ -70,10 +70,8 @@ class SimpleTenantUsageNoLegacyNoScopePolicyTest(SimpleTenantUsagePolicyTest):
super(SimpleTenantUsageNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy, project other roles like foo will not be able
# to get tenant usage.
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context,
]
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_no_scope_no_legacy)
class SimpleTenantUsageScopeTypePolicyTest(SimpleTenantUsagePolicyTest):
@ -92,11 +90,8 @@ class SimpleTenantUsageScopeTypePolicyTest(SimpleTenantUsagePolicyTest):
# With Scope enable, system users no longer allowed.
self.project_admin_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
]
self.project_reader_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
class SimpleTenantUsageScopeTypeNoLegacyPolicyTest(
@ -109,7 +104,5 @@ class SimpleTenantUsageScopeTypeNoLegacyPolicyTest(
def setUp(self):
super(SimpleTenantUsageScopeTypeNoLegacyPolicyTest, self).setUp()
self.project_reader_authorized_contexts = [
self.project_admin_context,
self.project_member_context, self.project_reader_context,
]
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_scope_no_legacy)
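Review bot: SimpleTenantUsageScopeTypeNoLegacyPolicyTest.setUp is the only one of the three classes in this file whose expectation carries no explanatory comment, while the sibling classes each state which roles are expected to lose access. For consistency with them, and because usage data is per-tenant billing information, I would add `# With scope enforced and no legacy rule, only admin, project member and project reader can read tenant usage; system users and other project roles cannot.` above the assignment. Keep it hedged on the admin part until the helper set in base is checked, since its contents are not visible in this diff.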


@ -107,8 +107,8 @@ class SuspendServerNoLegacyNoScopePolicyTest(SuspendServerPolicyTest):
super(SuspendServerNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, only project admin or member will be
# able to suspend/resume the server.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
class SuspendServerScopeTypePolicyTest(SuspendServerPolicyTest):
@ -125,10 +125,8 @@ class SuspendServerScopeTypePolicyTest(SuspendServerPolicyTest):
super(SuspendServerScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Scope enable will not allow system admin to suspend/resume server.
self.project_action_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_action_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
class SuspendServerScopeTypeNoLegacyTest(SuspendServerScopeTypePolicyTest):
@ -143,5 +141,5 @@ class SuspendServerScopeTypeNoLegacyTest(SuspendServerScopeTypePolicyTest):
super(SuspendServerScopeTypeNoLegacyTest, self).setUp()
# With scope enable and no legacy rule only project admin/member
# will be able to suspend/resume the server.
self.project_action_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_action_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)
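Review bot: Both no-legacy comments in this file ("only project admin or member will be able to suspend/resume the server" and "only project admin/member") keep the old wording while the expectations switch to `project_member_or_admin_*` helpers, which the commit description defines as including the legacy admin. Suspend/resume is a disruptive action, so the comment should say who is actually expected to be authorised: `# With no legacy rule, admin (any project) or project member can suspend/resume the server.` The helper sets are defined in base and not visible here, so verify that reading before changing the text.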


@ -72,9 +72,9 @@ class TenantNetworksNoLegacyNoScopePolicyTest(TenantNetworksPolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
policies.POLICY_NAME % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
policies.POLICY_NAME % 'show':
base_policy.PROJECT_READER}
base_policy.PROJECT_READER_OR_ADMIN}
def setUp(self):
super(TenantNetworksNoLegacyNoScopePolicyTest, self).setUp()
@ -120,9 +120,9 @@ class TenantNetworksScopeTypeNoLegacyPolicyTest(
without_deprecated_rules = True
rules_without_deprecation = {
policies.POLICY_NAME % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
policies.POLICY_NAME % 'show':
base_policy.PROJECT_READER}
base_policy.PROJECT_READER_OR_ADMIN}
def setUp(self):
super(TenantNetworksScopeTypeNoLegacyPolicyTest, self).setUp()


@ -215,14 +215,12 @@ class VolumeAttachNoLegacyNoScopePolicyTest(VolumeAttachPolicyTest):
def setUp(self):
super(VolumeAttachNoLegacyNoScopePolicyTest, self).setUp()
# With no legacy rule, only project admin, member, or reader will be
# With no legacy rule, only admin, member, or reader will be
# able to perform volume attachment operation on its own project.
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_no_scope_no_legacy)
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_no_scope_no_legacy)
class VolumeAttachScopeTypePolicyTest(VolumeAttachPolicyTest):
@ -242,15 +240,10 @@ class VolumeAttachScopeTypePolicyTest(VolumeAttachPolicyTest):
# Scope enable will not allow system admin to perform the
# volume attachments.
self.project_member_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_reader_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_member_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
self.project_reader_authorized_contexts = (
self.project_m_r_or_admin_with_scope_and_legacy)
self.project_admin_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context]
@ -268,11 +261,10 @@ class VolumeAttachScopeTypeNoLegacyPolicyTest(VolumeAttachScopeTypePolicyTest):
# With scope enable and no legacy rule, it will not allow
# system users and project admin/member/reader will be able to
# perform volume attachment operation on its own project.
self.project_reader_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_member_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_member_authorized_contexts = (
self.project_member_or_admin_with_scope_no_legacy)
self.project_reader_authorized_contexts = (
self.project_reader_or_admin_with_scope_no_legacy)
class VolumesPolicyTest(base.BasePolicyTest):
@ -403,25 +395,25 @@ class VolumesNoLegacyNoScopePolicyTest(VolumesPolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
v_policies.POLICY_NAME % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
v_policies.POLICY_NAME % 'detail':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
v_policies.POLICY_NAME % 'show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
v_policies.POLICY_NAME % 'create':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
v_policies.POLICY_NAME % 'delete':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
v_policies.POLICY_NAME % 'snapshots:list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
v_policies.POLICY_NAME % 'snapshots:detail':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
v_policies.POLICY_NAME % 'snapshots:delete':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
v_policies.POLICY_NAME % 'snapshots:create':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
v_policies.POLICY_NAME % 'snapshots:show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
}
def setUp(self):
@ -482,25 +474,25 @@ class VolumesScopeTypeNoLegacyPolicyTest(VolumesScopeTypePolicyTest):
rules_without_deprecation = {
v_policies.POLICY_NAME % 'list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
v_policies.POLICY_NAME % 'detail':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
v_policies.POLICY_NAME % 'show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
v_policies.POLICY_NAME % 'create':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
v_policies.POLICY_NAME % 'delete':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
v_policies.POLICY_NAME % 'snapshots:list':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
v_policies.POLICY_NAME % 'snapshots:detail':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
v_policies.POLICY_NAME % 'snapshots:delete':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
v_policies.POLICY_NAME % 'snapshots:create':
base_policy.PROJECT_MEMBER,
base_policy.PROJECT_MEMBER_OR_ADMIN,
v_policies.POLICY_NAME % 'snapshots:show':
base_policy.PROJECT_READER,
base_policy.PROJECT_READER_OR_ADMIN,
}
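Review bot: The ten-entry `rules_without_deprecation` mapping is now duplicated byte-for-byte in VolumesNoLegacyNoScopePolicyTest and VolumesScopeTypeNoLegacyPolicyTest, and this commit had to edit every entry twice. Since the mapping is the policy override under test, a drift between the two copies would silently test different defaults; I would hoist it to a module-level constant such as `_VOLUMES_RULES_WITHOUT_DEPRECATION = {...}` and have both classes assign `rules_without_deprecation = _VOLUMES_RULES_WITHOUT_DEPRECATION`. The same applies to the two copies in the tenant-networks test file. This is a structural suggestion only; the values themselves match the PROJECT_READER_OR_ADMIN / PROJECT_MEMBER_OR_ADMIN split described in the commit message.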
def setUp(self):


@ -554,7 +554,8 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
special_rules = ('admin_api', 'admin_or_owner', 'context_is_admin',
'os_compute_api:os-quota-class-sets:show',
'project_admin_api', 'project_member_api',
'project_reader_api', 'project_reader_or_admin')
'project_reader_api', 'project_member_or_admin',
'project_reader_or_admin')
result = set(rules.keys()) - set(self.admin_only_rules +
self.admin_or_owner_rules +
self.allow_all_rules +
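Review bot: `special_rules` is a hand-maintained exclusion list and nothing in the hunk says why a name belongs in it; adding `'project_member_or_admin'` next to `'project_reader_or_admin'` looks right, but the next person adding a base rule has no guidance. I would add a comment above the tuple: `# Base-rule aliases (not API policies) plus rules with bespoke checks; excluded from the per-category classification below so the leftover set only flags real API rules.` That intent is my reading of the set subtraction starting on the last visible line; the `result = ...` statement continues past the end of the hunk, so confirm the wording against the rest of it.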