Keep legacy admin behaviour in new RBAC
While discussing the new RBAC (scope_type and project admin vs. system admin) with operators at the Berlin ops meetup, via email, and in the policy popup meetings, we received the feedback that we need to keep the legacy admin behaviour as it is; otherwise it is going to be a big breaking change for many operators. The same feedback applies to scope_type. - https://etherpad.opendev.org/p/BER-2022-OPS-SRBAC - https://etherpad.opendev.org/p/rbac-operator-feedback Considering this feedback, we decided to postpone the system scope implementation, release the project reader role, and not change the legacy admin behaviour. To keep the legacy admin behaviour unchanged, we need to modify our new policy defaults so that the legacy admin continues to have access to the APIs it could access under the old RBAC. Basically, the changes are: - PROJECT_ADMIN -> ADMIN (legacy admin who can do things in all projects) - PROJECT_MEMBER -> PROJECT_MEMBER_OR_ADMIN (give access to legacy admin too) - PROJECT_READER -> PROJECT_READER_OR_ADMIN (give access to legacy admin too) The complete direction on RBAC is documented in the community-wide goal: - https://review.opendev.org/c/openstack/governance/+/847418/13 Change-Id: I37e706f75a36fb27da1bdd5fba671cb1bcadc745
This commit is contained in:
parent
066e1e69d1
commit
909b0b0247
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-admin-actions:%s'
|
|||
admin_actions_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'reset_state',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Reset the state of a given server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -35,7 +35,7 @@ admin_actions_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'inject_network_info',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Inject network information into the server",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-admin-password'
|
|||
admin_password_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Change the administrative password for a server",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -29,7 +29,7 @@ assisted_volume_snapshots_policies = [
|
|||
# can call it with user having 'service' role (not having
|
||||
# correct project_id). That is for phase-2 of RBAC goal and until
|
||||
# then, we keep it open for all admin in any project. We cannot
|
||||
# default it to PROJECT_ADMIN which has the project_id in
|
||||
# default it to ADMIN which has the project_id in
|
||||
# check_str and will fail if cinder call it with other project_id.
|
||||
check_str=base.ADMIN,
|
||||
description="Create an assisted volume snapshot",
|
||||
|
@ -47,7 +47,7 @@ assisted_volume_snapshots_policies = [
|
|||
# can call it with user having 'service' role (not having
|
||||
# correct project_id). That is for phase-2 of RBAC goal and until
|
||||
# then, we keep it open for all admin in any project. We cannot
|
||||
# default it to PROJECT_ADMIN which has the project_id in
|
||||
# default it to ADMIN which has the project_id in
|
||||
# check_str and will fail if cinder call it with other project_id.
|
||||
check_str=base.ADMIN,
|
||||
description="Delete an assisted volume snapshot",
|
||||
|
|
|
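Review bot: The rewritten comment in the create hunk now reads "We cannot default it to ADMIN which has the project_id in check_str", which contradicts the `check_str=base.ADMIN` line directly beneath it; only the constant name was substituted and the reasoning was inverted. The point of the original text was that a project_id-matching rule would reject cinder's call made from another project, and `base.ADMIN` (`rule:context_is_admin`, the "admin in all projects" rule per the commit message) is used precisely because it has no such match. I would replace the last two comment lines with `# then, we keep it open for all admin in any project. ADMIN (context_is_admin)` / `# has no project_id in its check_str, so cinder's call with another project_id` / `# passes; a project_id-bounded rule such as the member branch would fail.`. The same inverted sentence appears in the delete hunk of this file and in the server_external_events hunk further down (where neutron is the caller), and should be corrected there too. The enclosing policy list starts and ends outside these hunks.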
@ -37,7 +37,7 @@ DEPRECATED_INTERFACES_POLICY = policy.DeprecatedRule(
|
|||
attach_interfaces_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'list',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="List port interfaces attached to a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -49,7 +49,7 @@ attach_interfaces_policies = [
|
|||
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Show details of a port interface attached to a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -61,7 +61,7 @@ attach_interfaces_policies = [
|
|||
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'create',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Attach an interface to a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -73,7 +73,7 @@ attach_interfaces_policies = [
|
|||
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'delete',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Detach an interface from a server",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -36,28 +36,26 @@ DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
|
|||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since='21.0.0'
|
||||
)
|
||||
PROJECT_ADMIN = 'rule:project_admin_api'
|
||||
|
||||
ADMIN = 'rule:context_is_admin'
|
||||
PROJECT_MEMBER = 'rule:project_member_api'
|
||||
PROJECT_READER = 'rule:project_reader_api'
|
||||
PROJECT_MEMBER_OR_ADMIN = 'rule:project_member_or_admin'
|
||||
PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin'
|
||||
ADMIN = 'rule:context_is_admin'
|
||||
|
||||
# NOTE(gmann): Below is the mapping of new roles and scope_types
|
||||
# with legacy roles::
|
||||
# NOTE(gmann): Below is the mapping of new roles with legacy roles::
|
||||
|
||||
# Legacy Rule | New Rules |Operation |scope_type|
|
||||
# -------------------+---------------------+----------------+-----------
|
||||
# |-> ADMIN |Global resource | [system]
|
||||
# RULE_ADMIN_API | |Write & Read |
|
||||
# |-> PROJECT_ADMIN |Project resource| [project]
|
||||
# | |Write |
|
||||
# ----------------------------------------------------------------------
|
||||
# |-> PROJECT_ADMIN |Project resource| [project]
|
||||
# | |Write |
|
||||
# |-> PROJECT_MEMBER |Project resource| [project]
|
||||
# RULE_ADMIN_OR_OWNER| |Write |
|
||||
# |-> PROJECT_READER |Project resource| [project]
|
||||
# | |Read |
|
||||
# Legacy Rule | New Rules |Operation |scope_type|
|
||||
# -------------------+---------------------------+----------------+-----------
|
||||
# RULE_ADMIN_API |-> ADMIN |Global resource | [project]
|
||||
# | |Write & Read |
|
||||
# -------------------+---------------------------+----------------+-----------
|
||||
# |-> ADMIN |Project admin | [project]
|
||||
# | |level operation |
|
||||
# RULE_ADMIN_OR_OWNER|-> PROJECT_MEMBER_OR_ADMIN |Project resource| [project]
|
||||
# | |Write |
|
||||
# |-> PROJECT_READER_OR_ADMIN |Project resource| [project]
|
||||
# | |Read |
|
||||
|
||||
# NOTE(johngarbutt) The base rules here affect so many APIs the list
|
||||
# of related API operations has not been populated. It would be
|
||||
|
@ -91,11 +89,6 @@ rules = [
|
|||
deprecated_for_removal=True,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since='21.0.0'),
|
||||
policy.RuleDefault(
|
||||
"project_admin_api",
|
||||
"role:admin and project_id:%(project_id)s",
|
||||
"Default rule for Project level admin APIs.",
|
||||
deprecated_rule=DEPRECATED_ADMIN_POLICY),
|
||||
policy.RuleDefault(
|
||||
"project_member_api",
|
||||
"role:member and project_id:%(project_id)s",
|
||||
|
@ -106,10 +99,15 @@ rules = [
|
|||
"role:reader and project_id:%(project_id)s",
|
||||
"Default rule for Project level read only APIs.",
|
||||
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
|
||||
policy.RuleDefault(
|
||||
"project_member_or_admin",
|
||||
"rule:project_member_api or rule:context_is_admin",
|
||||
"Default rule for Project Member or admin APIs.",
|
||||
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
|
||||
policy.RuleDefault(
|
||||
"project_reader_or_admin",
|
||||
"rule:project_reader_api or rule:context_is_admin",
|
||||
"Default rule for Project reader and admin APIs.",
|
||||
"Default rule for Project reader or admin APIs.",
|
||||
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY)
|
||||
]
|
||||
|
||||
|
|
|
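Review bot: The `project_admin_api` RuleDefault is deleted outright in the second hunk rather than kept alongside a DeprecatedRule, so an operator policy file that overrides `project_admin_api` is no longer referenced by any default and the override silently stops mattering, and the removed `PROJECT_ADMIN` constant breaks any out-of-tree module importing it; if a release note is not part of this change elsewhere, one is needed, and a deprecation window for the rule name would match how the other legacy rules in this file are retired. In the first hunk the mapping table lists `ADMIN` under RULE_ADMIN_OR_OWNER as a "Project admin level operation" with scope_type `[project]`, but `rule:context_is_admin` carries no project_id match, so a project-scoped admin token passes for a resource in any project; a line such as `# NOTE: ADMIN has no project_id match, so scope_type [project] only constrains the token's scope, not which project the target belongs to.` would stop readers from assuming the boundary the old `project_admin_api` provided. `PROJECT_MEMBER` and `PROJECT_READER` stay exported even though every call site in this commit moves to the `*_OR_ADMIN` variants; whether anything still uses them directly is not visible here, so a comment marking them as the building blocks of `project_member_or_admin` / `project_reader_or_admin` would help. The `rules` list both hunks edit starts and ends outside the hunks.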
@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-auth-tokens'
|
|||
console_auth_tokens_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Show console connection information for a given console "
|
||||
"authentication token",
|
||||
operations=[
|
||||
|
|
|
@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-output'
|
|||
console_output_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description='Show console output for a server',
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-create-backup'
|
|||
create_backup_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description='Create a back up of a server',
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -36,7 +36,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
|
|||
deferred_delete_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'restore',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Restore a soft deleted server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -48,7 +48,7 @@ deferred_delete_policies = [
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'force',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Force delete a server before deferred cleanup",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-evacuate'
|
|||
evacuate_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Evacuate a server from a failed host to a new host",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-extended-server-attributes'
|
|||
extended_server_attributes_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="""Return extended attributes for server.
|
||||
|
||||
This rule will control the visibility for a set of servers attributes:
|
||||
|
|
|
@ -38,7 +38,7 @@ DEPRECATED_FIP_POLICY = policy.DeprecatedRule(
|
|||
floating_ips_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'add',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Associate floating IPs to server. "
|
||||
" This API is deprecated.",
|
||||
operations=[
|
||||
|
@ -51,7 +51,7 @@ floating_ips_policies = [
|
|||
deprecated_rule=DEPRECATED_FIP_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'remove',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Disassociate floating IPs to server. "
|
||||
" This API is deprecated.",
|
||||
operations=[
|
||||
|
@ -64,7 +64,7 @@ floating_ips_policies = [
|
|||
deprecated_rule=DEPRECATED_FIP_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'list',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="List floating IPs. This API is deprecated.",
|
||||
operations=[
|
||||
{
|
||||
|
@ -76,7 +76,7 @@ floating_ips_policies = [
|
|||
deprecated_rule=DEPRECATED_FIP_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'create',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Create floating IPs. This API is deprecated.",
|
||||
operations=[
|
||||
{
|
||||
|
@ -88,7 +88,7 @@ floating_ips_policies = [
|
|||
deprecated_rule=DEPRECATED_FIP_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Show floating IPs. This API is deprecated.",
|
||||
operations=[
|
||||
{
|
||||
|
@ -100,7 +100,7 @@ floating_ips_policies = [
|
|||
deprecated_rule=DEPRECATED_FIP_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'delete',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Delete floating IPs. This API is deprecated.",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -38,7 +38,7 @@ DEPRECATED_INSTANCE_ACTION_POLICY = policy.DeprecatedRule(
|
|||
instance_actions_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'events:details',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="""Add "details" key in action events for a server.
|
||||
|
||||
This check is performed only after the check
|
||||
|
@ -59,7 +59,7 @@ but in the other hand it might leak information about the deployment
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'events',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="""Add events details in action details for a server.
|
||||
This check is performed only after the check
|
||||
os_compute_api:os-instance-actions:show passes. Beginning with Microversion
|
||||
|
@ -76,7 +76,7 @@ passes, the name of the host.""",
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'list',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="""List actions for a server.""",
|
||||
operations=[
|
||||
{
|
||||
|
@ -88,7 +88,7 @@ passes, the name of the host.""",
|
|||
deprecated_rule=DEPRECATED_INSTANCE_ACTION_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="""Show action details for a server.""",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:ips:%s'
|
|||
ips_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Show IP addresses details for a network label of a "
|
||||
" server",
|
||||
operations=[
|
||||
|
@ -36,7 +36,7 @@ ips_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'index',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="List IP addresses that are assigned to a server",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -49,7 +49,7 @@ limits_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=OTHER_PROJECT_LIMIT_POLICY_NAME,
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="""Show rate and absolute limits of other project.
|
||||
|
||||
This policy only checks if the user has access to the requested
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-lock-server:%s'
|
|||
lock_server_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'lock',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Lock a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -36,7 +36,7 @@ lock_server_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'unlock',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Unlock a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -48,7 +48,7 @@ lock_server_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'unlock:unlock_override',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="""Unlock a server, regardless who locked the server.
|
||||
|
||||
This check is performed only after the check
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-migrate-server:%s'
|
|||
migrate_server_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'migrate',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Cold migrate a server to a host",
|
||||
operations=[
|
||||
{
|
||||
|
@ -35,7 +35,7 @@ migrate_server_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'migrate_live',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Live migrate a server to a new host without a reboot",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-migrations:%s'
|
|||
migrations_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'index',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="List migrations",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
|
|||
multinic_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'add',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="""Add a fixed IP address to a server.
|
||||
|
||||
This API is proxy calls to the Network service. This is
|
||||
|
@ -53,7 +53,7 @@ deprecated.""",
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'remove',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="""Remove a fixed IP address from a server.
|
||||
|
||||
This API is proxy calls to the Network service. This is
|
||||
|
|
|
@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
|
|||
networks_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'list',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="""List networks for the project.
|
||||
|
||||
This API is proxy calls to the Network service. This is deprecated.""",
|
||||
|
@ -52,7 +52,7 @@ This API is proxy calls to the Network service. This is deprecated.""",
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="""Show network details.
|
||||
|
||||
This API is proxy calls to the Network service. This is deprecated.""",
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-pause-server:%s'
|
|||
pause_server_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'pause',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Pause a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -36,7 +36,7 @@ pause_server_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'unpause',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Unpause a paused server",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-sets:%s'
|
|||
quota_sets_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'update',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Update the quotas",
|
||||
operations=[
|
||||
{
|
||||
|
@ -46,13 +46,7 @@ quota_sets_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'show',
|
||||
# TODO(gmann): Until we have domain admin or so to get other project's
|
||||
# data, allow admin role(with scope check it will be project admin) to
|
||||
# get other project quota. We cannot use PROJECT_ADMIN here as
|
||||
# project_id passed in request url is used as policy targets which
|
||||
# would not match with context's project_id fetched for rule
|
||||
# PROJECT_ADMIN check.
|
||||
check_str='(' + base.PROJECT_READER + ') or role:admin',
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Show a quota",
|
||||
operations=[
|
||||
{
|
||||
|
@ -63,7 +57,7 @@ quota_sets_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'delete',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Revert quotas to defaults",
|
||||
operations=[
|
||||
{
|
||||
|
@ -77,7 +71,7 @@ quota_sets_policies = [
|
|||
# TODO(gmann): Until we have domain admin or so to get other project's
|
||||
# data, allow admin role(with scope check it will be project admin) to
|
||||
# get other project quota.
|
||||
check_str='(' + base.PROJECT_READER + ') or role:admin',
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Show the detail of quota",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
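Review bot: The `detail` hunk keeps the three-line `TODO(gmann)` comment saying the admin role is allowed "(with scope check it will be project admin)", while the `show` hunk deletes its equivalent comment; with `PROJECT_ADMIN` removed from base.py in this commit the parenthetical no longer describes anything, so the comment should be dropped from `detail` as well for consistency. The old check used the literal `role:admin` whereas `PROJECT_READER_OR_ADMIN` expands to `rule:project_reader_api or rule:context_is_admin`; that is equivalent only while `context_is_admin` resolves to `role:admin`, so a deployment that overrides `context_is_admin` now sees that override applied to quota show/detail too, which is probably intended but worth a line in the commit message or release note. The `quota_sets_policies` list starts and ends outside these hunks.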
@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-remote-consoles'
|
|||
remote_consoles_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="""Generate a URL to access remove server console.
|
||||
|
||||
This policy is for ``POST /remote-consoles`` API and below Server actions APIs
|
||||
|
|
|
@ -37,7 +37,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
|
|||
rescue_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Rescue a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -48,7 +48,7 @@ rescue_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=UNRESCUE_POLICY_NAME,
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Unrescue a server",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
|
|||
security_groups_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'get',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="List security groups. This API is deprecated.",
|
||||
operations=[
|
||||
{
|
||||
|
@ -50,7 +50,7 @@ security_groups_policies = [
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Show security group. This API is deprecated.",
|
||||
operations=[
|
||||
{
|
||||
|
@ -62,7 +62,7 @@ security_groups_policies = [
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'create',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Create security group. This API is deprecated.",
|
||||
operations=[
|
||||
{
|
||||
|
@ -74,7 +74,7 @@ security_groups_policies = [
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'update',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Update security group. This API is deprecated.",
|
||||
operations=[
|
||||
{
|
||||
|
@ -86,7 +86,7 @@ security_groups_policies = [
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'delete',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Delete security group. This API is deprecated.",
|
||||
operations=[
|
||||
{
|
||||
|
@ -98,7 +98,7 @@ security_groups_policies = [
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'rule:create',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Create security group Rule. This API is deprecated.",
|
||||
operations=[
|
||||
{
|
||||
|
@ -110,7 +110,7 @@ security_groups_policies = [
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'rule:delete',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Delete security group Rule. This API is deprecated.",
|
||||
operations=[
|
||||
{
|
||||
|
@ -122,7 +122,7 @@ security_groups_policies = [
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'list',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="List security groups of server.",
|
||||
operations=[
|
||||
{
|
||||
|
@ -134,7 +134,7 @@ security_groups_policies = [
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'add',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Add security groups to server.",
|
||||
operations=[
|
||||
{
|
||||
|
@ -146,7 +146,7 @@ security_groups_policies = [
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'remove',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Remove security groups from server.",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-server-diagnostics'
|
|||
server_diagnostics_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Show the usage data for a server",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -30,7 +30,7 @@ server_external_events_policies = [
|
|||
# neutron can call it with user having 'service' role (not having
|
||||
# server's project_id). That is for phase-2 of RBAC goal and until
|
||||
# then, we keep it open for all admin in any project. We cannot
|
||||
# default it to PROJECT_ADMIN which has the project_id in
|
||||
# default it to ADMIN which has the project_id in
|
||||
# check_str and will fail if neutron call it with other project_id.
|
||||
check_str=base.ADMIN,
|
||||
description="Create one or more external events",
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-server-groups:%s'
|
|||
server_groups_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'create',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Create a new server group",
|
||||
operations=[
|
||||
{
|
||||
|
@ -36,7 +36,7 @@ server_groups_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'delete',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Delete a server group",
|
||||
operations=[
|
||||
{
|
||||
|
@ -48,7 +48,7 @@ server_groups_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'index',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="List all server groups",
|
||||
operations=[
|
||||
{
|
||||
|
@ -60,7 +60,7 @@ server_groups_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'index:all_projects',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="List all server groups for all projects",
|
||||
operations=[
|
||||
{
|
||||
|
@ -72,7 +72,7 @@ server_groups_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Show details of a server group",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:server-metadata:%s'
|
|||
server_metadata_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'index',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="List all metadata of a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -36,7 +36,7 @@ server_metadata_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Show metadata for a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -48,7 +48,7 @@ server_metadata_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'create',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Create metadata for a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -60,7 +60,7 @@ server_metadata_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'update_all',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Replace metadata for a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -72,7 +72,7 @@ server_metadata_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'update',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Update metadata from a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -84,7 +84,7 @@ server_metadata_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'delete',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Delete metadata from a server",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -37,7 +37,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
|
|||
server_password_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Show the encrypted administrative "
|
||||
"password of a server",
|
||||
operations=[
|
||||
|
@ -50,7 +50,7 @@ server_password_policies = [
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'clear',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Clear the encrypted administrative "
|
||||
"password of a server",
|
||||
operations=[
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-server-tags:%s'
|
|||
server_tags_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'delete_all',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Delete all the server tags",
|
||||
operations=[
|
||||
{
|
||||
|
@ -35,7 +35,7 @@ server_tags_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'index',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="List all tags for given server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -46,7 +46,7 @@ server_tags_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'update_all',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Replace all tags on specified server with the new set "
|
||||
"of tags.",
|
||||
operations=[
|
||||
|
@ -59,7 +59,7 @@ server_tags_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'delete',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Delete a single tag from the specified server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -71,7 +71,7 @@ server_tags_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'update',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Add a single tag to the server if server has no "
|
||||
"specified tag",
|
||||
operations=[
|
||||
|
@ -84,7 +84,7 @@ server_tags_policies = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Check tag existence on the server.",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -21,7 +21,7 @@ BASE_POLICY_NAME = 'compute:server:topology:%s'
|
|||
server_topology_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'index',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Show the NUMA topology data for a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -33,7 +33,7 @@ server_topology_policies = [
|
|||
policy.DocumentedRuleDefault(
|
||||
# Control host NUMA node and cpu pinning information
|
||||
name=BASE_POLICY_NAME % 'host:index',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Show the NUMA topology data for a server with host "
|
||||
"NUMA ID and CPU pinning information",
|
||||
operations=[
|
||||
|
|
|
@ -36,7 +36,7 @@ not for list extra specs and showing it in flavor API response.
|
|||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'index',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="List all servers",
|
||||
operations=[
|
||||
{
|
||||
|
@ -47,7 +47,7 @@ rules = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'detail',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="List all servers with detailed information",
|
||||
operations=[
|
||||
{
|
||||
|
@ -58,7 +58,7 @@ rules = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'index:get_all_tenants',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="List all servers for all projects",
|
||||
operations=[
|
||||
{
|
||||
|
@ -70,7 +70,7 @@ rules = [
|
|||
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'detail:get_all_tenants',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="List all servers with detailed information for "
|
||||
" all projects",
|
||||
operations=[
|
||||
|
@ -82,7 +82,7 @@ rules = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'allow_all_filters',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Allow all filters when listing servers",
|
||||
operations=[
|
||||
{
|
||||
|
@ -97,7 +97,7 @@ rules = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Show a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -108,7 +108,7 @@ rules = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'show:flavor-extra-specs',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Starting with microversion 2.47, the flavor and its "
|
||||
"extra specs used for a server is also returned in the response "
|
||||
"when showing server details, updating a server or rebuilding a "
|
||||
|
@ -140,7 +140,7 @@ rules = [
|
|||
# should do that by default.
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'show:host_status',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="""
|
||||
Show a server with additional host status information.
|
||||
|
||||
|
@ -174,7 +174,7 @@ API responses which are also controlled by this policy rule, like the
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'show:host_status:unknown-only',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="""
|
||||
Show a server with additional host status information, only if host status is
|
||||
UNKNOWN.
|
||||
|
@ -207,7 +207,7 @@ allow everyone.
|
|||
scope_types=['project'],),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'create',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Create a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -218,7 +218,7 @@ allow everyone.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'create:forced_host',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="""
|
||||
Create a server on the specified host and/or node.
|
||||
|
||||
|
@ -235,7 +235,7 @@ host and/or node by bypassing the scheduler filters unlike the
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=REQUESTED_DESTINATION,
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="""
|
||||
Create a server on the requested compute service host and/or
|
||||
hypervisor_hostname.
|
||||
|
@ -253,7 +253,7 @@ validated by the scheduler filters unlike the
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'create:attach_volume',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Create a server with the requested volume attached to it",
|
||||
operations=[
|
||||
{
|
||||
|
@ -264,7 +264,7 @@ validated by the scheduler filters unlike the
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'create:attach_network',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Create a server with the requested network attached "
|
||||
" to it",
|
||||
operations=[
|
||||
|
@ -276,7 +276,7 @@ validated by the scheduler filters unlike the
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'create:trusted_certs',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Create a server with trusted image certificate IDs",
|
||||
operations=[
|
||||
{
|
||||
|
@ -287,7 +287,7 @@ validated by the scheduler filters unlike the
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=ZERO_DISK_FLAVOR,
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="""
|
||||
This rule controls the compute API validation behavior of creating a server
|
||||
with a flavor that has 0 disk, indicating the server should be volume-backed.
|
||||
|
@ -312,7 +312,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=NETWORK_ATTACH_EXTERNAL,
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Attach an unshared external network to a server",
|
||||
operations=[
|
||||
# Create a server with a requested network or port.
|
||||
|
@ -329,7 +329,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'delete',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Delete a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -340,7 +340,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'update',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Update a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -351,7 +351,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'confirm_resize',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Confirm a server resize",
|
||||
operations=[
|
||||
{
|
||||
|
@ -362,7 +362,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'revert_resize',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Revert a server resize",
|
||||
operations=[
|
||||
{
|
||||
|
@ -373,7 +373,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'reboot',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Reboot a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -384,7 +384,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'resize',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Resize a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -410,7 +410,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'rebuild',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Rebuild a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -421,7 +421,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'rebuild:trusted_certs',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Rebuild a server with trusted image certificate IDs",
|
||||
operations=[
|
||||
{
|
||||
|
@ -432,7 +432,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'create_image',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Create an image from a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -443,7 +443,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'create_image:allow_volume_backed',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Create an image from a volume backed server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -454,7 +454,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'start',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Start a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -465,7 +465,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'stop',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Stop a server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -476,7 +476,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=SERVERS % 'trigger_crash_dump',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Trigger crash dump in a server",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:servers:migrations:%s'
|
|||
servers_migrations_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'show',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Show details for an in-progress live migration for a "
|
||||
"given server",
|
||||
operations=[
|
||||
|
@ -36,7 +36,7 @@ servers_migrations_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'force_complete',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Force an in-progress live migration for a given server "
|
||||
"to complete",
|
||||
operations=[
|
||||
|
@ -49,7 +49,7 @@ servers_migrations_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'delete',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Delete(Abort) an in-progress live migration",
|
||||
operations=[
|
||||
{
|
||||
|
@ -60,7 +60,7 @@ servers_migrations_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'index',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Lists in-progress live migrations for a given server",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-shelve:%s'
|
|||
shelve_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'shelve',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Shelve server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -35,7 +35,7 @@ shelve_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'unshelve',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Unshelve (restore) shelved server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -46,7 +46,7 @@ shelve_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'unshelve_to_host',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Unshelve (restore) shelve offloaded server to a "
|
||||
"specific host",
|
||||
operations=[
|
||||
|
@ -58,7 +58,7 @@ shelve_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'shelve_offload',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="Shelf-offload (remove) server",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-simple-tenant-usage:%s'
|
|||
simple_tenant_usage_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Show usage statistics for a specific tenant",
|
||||
operations=[
|
||||
{
|
||||
|
@ -35,7 +35,7 @@ simple_tenant_usage_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'list',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
check_str=base.ADMIN,
|
||||
description="List per tenant usage statistics for all tenants",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-suspend-server:%s'
|
|||
suspend_server_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'resume',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Resume suspended server",
|
||||
operations=[
|
||||
{
|
||||
|
@ -35,7 +35,7 @@ suspend_server_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'suspend',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Suspend server",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
|
|||
volumes_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'list',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="""List volumes.
|
||||
|
||||
This API is a proxy call to the Volume service. It is deprecated.""",
|
||||
|
@ -52,7 +52,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'create',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="""Create volume.
|
||||
|
||||
This API is a proxy call to the Volume service. It is deprecated.""",
|
||||
|
@ -66,7 +66,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'detail',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="""List volumes detail.
|
||||
|
||||
This API is a proxy call to the Volume service. It is deprecated.""",
|
||||
|
@ -80,7 +80,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="""Show volume.
|
||||
|
||||
This API is a proxy call to the Volume service. It is deprecated.""",
|
||||
|
@ -94,7 +94,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'delete',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="""Delete volume.
|
||||
|
||||
This API is a proxy call to the Volume service. It is deprecated.""",
|
||||
|
@ -108,7 +108,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'snapshots:list',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="""List snapshots.
|
||||
|
||||
This API is a proxy call to the Volume service. It is deprecated.""",
|
||||
|
@ -122,7 +122,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'snapshots:create',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="""Create snapshots.
|
||||
|
||||
This API is a proxy call to the Volume service. It is deprecated.""",
|
||||
|
@ -136,7 +136,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'snapshots:detail',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="""List snapshots details.
|
||||
|
||||
This API is a proxy call to the Volume service. It is deprecated.""",
|
||||
|
@ -150,7 +150,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'snapshots:show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="""Show snapshot.
|
||||
|
||||
This API is a proxy call to the Volume service. It is deprecated.""",
|
||||
|
@ -164,7 +164,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
|||
deprecated_rule=DEPRECATED_POLICY),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_NAME % 'snapshots:delete',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="""Delete snapshot.
|
||||
|
||||
This API is a proxy call to the Volume service. It is deprecated.""",
|
||||
|
|
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-volumes-attachments:%s'
|
|||
volumes_attachments_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'index',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="List volume attachments for an instance",
|
||||
operations=[
|
||||
{'method': 'GET',
|
||||
|
@ -34,7 +34,7 @@ volumes_attachments_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'create',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Attach a volume to an instance",
|
||||
operations=[
|
||||
{
|
||||
|
@ -45,7 +45,7 @@ volumes_attachments_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'show',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.PROJECT_READER_OR_ADMIN,
|
||||
description="Show details of a volume attachment",
|
||||
operations=[
|
||||
{
|
||||
|
@ -57,7 +57,7 @@ volumes_attachments_policies = [
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'update',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="""Update a volume attachment.
|
||||
New 'update' policy about 'swap + update' request (which is possible
|
||||
only >2.85) only <swap policy> is checked. We expect <swap policy> to be
|
||||
|
@ -78,7 +78,7 @@ always superset of this policy permission.
|
|||
# can call it with user having 'service' role (not having server's
|
||||
# project_id). That is for phase-2 of RBAC goal and until then,
|
||||
# we keep it open for all admin in any project. We cannot default it to
|
||||
# PROJECT_ADMIN which has the project_id in check_str and will fail
|
||||
# ADMIN which has the project_id in check_str and will fail
|
||||
# if cinder call it with other project_id.
|
||||
check_str=base.ADMIN,
|
||||
description="Update a volume attachment with a different volumeId",
|
||||
|
@ -92,7 +92,7 @@ always superset of this policy permission.
|
|||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'delete',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER_OR_ADMIN,
|
||||
description="Detach a volume from an instance",
|
||||
operations=[
|
||||
{
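Review bot: The rewritten comment above the `swap` rule now contradicts the line it documents: it says the rule cannot default to `ADMIN` because that check carries `project_id`, yet `check_str=base.ADMIN` is exactly what follows. Per the commit message `ADMIN` is the legacy, project-unbound admin rule, so the concern applies to the old `PROJECT_ADMIN` (and the `PROJECT_*` rules that embed `project_id`), not to `ADMIN`; base.py is not in this view, so confirm against its definition. I would rewrite the two lines as `# we keep it open for all admin in any project. We cannot bind it to the` / `# caller's project_id (as the PROJECT_* rules do) because cinder calls it` / `# with a different project_id.` The rule definition continues past the hunk.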
|
||||
|
|
|
@ -129,7 +129,7 @@ class TestPolicyCheck(test.NoDBTestCase):
|
|||
|
||||
def test_filter_rules_non_admin(self):
|
||||
context = nova_context.RequestContext()
|
||||
rule_conditions = [base_policies.PROJECT_READER]
|
||||
rule_conditions = [base_policies.PROJECT_READER_OR_ADMIN]
|
||||
expected_rules = [r.name for r in ia_policies.list_rules() if
|
||||
r.check_str in rule_conditions]
|
||||
self._check_filter_rules(context, expected_rules=expected_rules)
|
||||
|
@ -156,7 +156,7 @@ class TestPolicyCheck(test.NoDBTestCase):
|
|||
db_context = nova_context.RequestContext(user_id='fake-user',
|
||||
project_id='fake-project')
|
||||
instance = fake_instance.fake_instance_obj(db_context)
|
||||
rule_conditions = [base_policies.PROJECT_READER]
|
||||
rule_conditions = [base_policies.PROJECT_READER_OR_ADMIN]
|
||||
expected_rules = [r.name for r in ia_policies.list_rules() if
|
||||
r.check_str in rule_conditions]
|
||||
self._check_filter_rules(db_context, instance, expected_rules)
|
||||
|
|
|
@ -134,6 +134,44 @@ class BasePolicyTest(test.TestCase):
|
|||
self.system_admin_context, self.system_foo_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
])
|
||||
# A few commmon set of contexts to be used in tests
|
||||
#
|
||||
# With scope disable and no legacy rule, any admin,
|
||||
# project members have access. No other role in that project
|
||||
# will have access.
|
||||
self.project_member_or_admin_with_no_scope_no_legacy = set([
|
||||
self.legacy_admin_context, self.system_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
])
|
||||
# With scope enable and legacy rule, only project scoped admin
|
||||
# and any role in that project will have access.
|
||||
self.project_m_r_or_admin_with_scope_and_legacy = set([
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.project_foo_context
|
||||
])
|
||||
# With scope enable and no legacy rule, only project scoped admin
|
||||
# and project members have access. No other role in that project
|
||||
# or system scoped token will have access.
|
||||
self.project_member_or_admin_with_scope_no_legacy = set([
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.project_member_context
|
||||
])
|
||||
# With scope disable and no legacy rule, any admin,
|
||||
# project members, and project reader have access. No other
|
||||
# role in that project will have access.
|
||||
self.project_reader_or_admin_with_no_scope_no_legacy = set([
|
||||
self.legacy_admin_context, self.system_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context
|
||||
])
|
||||
# With scope enable and no legacy rule, only project scoped admin,
|
||||
# project members, and project reader have access. No other role
|
||||
# in that project or system scoped token will have access.
|
||||
self.project_reader_or_admin_with_scope_no_legacy = set([
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context
|
||||
])
|
||||
|
||||
if self.without_deprecated_rules:
|
||||
# To simulate the new world, remove deprecations by overriding
|
||||
|
@ -149,6 +187,10 @@ class BasePolicyTest(test.TestCase):
|
|||
"role:member and project_id:%(project_id)s",
|
||||
"project_reader_api":
|
||||
"role:reader and project_id:%(project_id)s",
|
||||
"project_member_or_admin":
|
||||
"rule:project_member_api or rule:context_is_admin",
|
||||
"project_reader_or_admin":
|
||||
"rule:project_reader_api or rule:context_is_admin",
|
||||
})
|
||||
self.policy.set_rules(self.rules_without_deprecation,
|
||||
overwrite=False)
|
||||
|
|
|
@ -78,12 +78,6 @@ class AdminActionsNoLegacyNoScopePolicyTest(AdminActionsPolicyTest):
|
|||
|
||||
without_deprecated_rules = True
|
||||
|
||||
def setUp(self):
|
||||
super(AdminActionsNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule and scope disable, only project admin
|
||||
# is able to perform server admin actions.
|
||||
self.project_action_authorized_contexts = [self.project_admin_context]
|
||||
|
||||
|
||||
class AdminActionsScopeTypePolicyTest(AdminActionsPolicyTest):
|
||||
"""Test Admin Actions APIs policies with system scope enabled.
|
||||
|
@ -111,10 +105,3 @@ class AdminActionsScopeTypeNoLegacyPolicyTest(AdminActionsScopeTypePolicyTest):
|
|||
only project admin is able to perform admin action on their server.
|
||||
"""
|
||||
without_deprecated_rules = True
|
||||
|
||||
def setUp(self):
|
||||
super(AdminActionsScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# This is how our RBAC will looks like. With no legacy rule
|
||||
# and scope enable, only project admin is able to perform
|
||||
# server admin actions.
|
||||
self.project_action_authorized_contexts = [self.project_admin_context]
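Review bot: The class docstring kept as context at the top of the second hunk still says only project admin can perform admin actions on their server, but with the setUp overrides removed both NoLegacy test classes now inherit `project_action_authorized_contexts` from the parent, and the commit's switch to `base.ADMIN` means legacy admin is allowed too. The parent's default is outside this view, so confirm what it contains; if it includes `legacy_admin_context`, update the docstring to `any admin (legacy or project-scoped) is able to perform admin action on their server.` Both class bodies start outside the hunks.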
|
||||
|
|
|
@ -101,8 +101,8 @@ class AdminPasswordNoLegacyNoScopePolicyTest(AdminPasswordPolicyTest):
|
|||
super(AdminPasswordNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, only project admin or member will be
|
||||
# able to change the server password.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class AdminPasswordScopeTypePolicyTest(AdminPasswordPolicyTest):
|
||||
|
@ -119,10 +119,8 @@ class AdminPasswordScopeTypePolicyTest(AdminPasswordPolicyTest):
|
|||
super(AdminPasswordScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# Scope enable will not allow system admin to change password.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class AdminPasswordScopeTypeNoLegacyTest(AdminPasswordScopeTypePolicyTest):
|
||||
|
@ -139,5 +137,5 @@ class AdminPasswordScopeTypeNoLegacyTest(AdminPasswordScopeTypePolicyTest):
|
|||
|
||||
# With scope enable and no legacy rule only project admin/member
|
||||
# will be able to change password for the server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
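Review bot: The comments at the top of the first and third hunks (`only project admin or member will be able to change the server password`) no longer describe the sets they annotate: `project_member_or_admin_with_no_scope_no_legacy` and `project_member_or_admin_with_scope_no_legacy` are defined in the test base to include `legacy_admin_context` (and, without scope, `system_admin_context`). Update them to `# With no legacy rule, any admin or project member will be able to` / `# change the server password.` so the stated intent matches the contexts asserted. The setUp methods start outside the hunks.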
|
||||
|
|
|
@ -117,22 +117,21 @@ class AttachInterfacesNoLegacyNoScopePolicyTest(AttachInterfacesPolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
ai_policies.POLICY_ROOT % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
ai_policies.POLICY_ROOT % 'show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
ai_policies.POLICY_ROOT % 'create':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
ai_policies.POLICY_ROOT % 'delete':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(AttachInterfacesNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, legacy admin loose power.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class AttachInterfacesScopeTypePolicyTest(AttachInterfacesPolicyTest):
|
||||
|
@ -149,12 +148,10 @@ class AttachInterfacesScopeTypePolicyTest(AttachInterfacesPolicyTest):
|
|||
super(AttachInterfacesScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# With Scope enable, system users no longer allowed.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_member_authorized_contexts)
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class AttachInterfacesDeprecatedPolicyTest(base.BasePolicyTest):
|
||||
|
@ -217,20 +214,19 @@ class AttachInterfacesScopeTypeNoLegacyPolicyTest(
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
ai_policies.POLICY_ROOT % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
ai_policies.POLICY_ROOT % 'show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
ai_policies.POLICY_ROOT % 'create':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
ai_policies.POLICY_ROOT % 'delete':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(AttachInterfacesScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With no legacy and scope enable, only project admin, member,
|
||||
# and reader will be able to allowed operation on server interface.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_scope_no_legacy)
|
||||
|
|
|
@ -73,8 +73,8 @@ class ConsoleOutputNoLegacyNoScopePolicyTest(ConsoleOutputPolicyTest):
|
|||
super(ConsoleOutputNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, only project admin or member is able to
|
||||
# get the server console.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class ConsoleOutputScopeTypePolicyTest(ConsoleOutputPolicyTest):
|
||||
|
@ -92,10 +92,8 @@ class ConsoleOutputScopeTypePolicyTest(ConsoleOutputPolicyTest):
|
|||
super(ConsoleOutputScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# Scope enable will not allow system admin.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class ConsoleOutputScopeTypeNoLegacyPolicyTest(
|
||||
|
@ -110,5 +108,5 @@ class ConsoleOutputScopeTypeNoLegacyPolicyTest(
|
|||
|
||||
# With scope enable and no legacy rule, only project admin/member can
|
||||
# get the server console.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
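Review bot: The context comment at the top of the first hunk, `# With no legacy rule, only project admin or member is able to get the server console.`, no longer matches the expectation assigned right below it, which now comes from `self.project_member_or_admin_with_no_scope_no_legacy`; judging by the helper's name and the commit's stated goal, that set is meant to keep the legacy admin as well, so the comment understates who is authorised. Suggest rewording it to `# With no legacy rule, project member or admin (including legacy admin) is able to get the server console.` so a reader auditing the expected authorization set is not misled. The same stale wording survives as context in the CreateBackup, DeferredDelete, LockServer, Multinic, PauseServer, RemoteConsoles and RescueServer sections and their ScopeTypeNoLegacy variants. The helper's exact membership is defined in the base test class, which is not in this diff, so the wording should be checked against it.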
|
||||
|
|
|
@ -81,8 +81,8 @@ class CreateBackupNoLegacyNoScopePolicyTest(CreateBackupPolicyTest):
|
|||
super(CreateBackupNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, only project admin or member will be
|
||||
# able to create the server backup.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class CreateBackupScopeTypePolicyTest(CreateBackupPolicyTest):
|
||||
|
@ -100,10 +100,8 @@ class CreateBackupScopeTypePolicyTest(CreateBackupPolicyTest):
|
|||
super(CreateBackupScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# Scope enable will not allow system users to create the server.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class CreateBackupScopeTypeNoLegacyPolicyTest(CreateBackupScopeTypePolicyTest):
|
||||
|
@ -116,5 +114,5 @@ class CreateBackupScopeTypeNoLegacyPolicyTest(CreateBackupScopeTypePolicyTest):
|
|||
super(CreateBackupScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With scope enable and no legacy rule, only project admin/member
|
||||
# will be able to create the server backup.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
|
|
|
@ -105,16 +105,16 @@ class DeferredDeleteNoLegacyNoScopePolicyTest(DeferredDeletePolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
dd_policies.BASE_POLICY_NAME % 'restore':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
dd_policies.BASE_POLICY_NAME % 'force':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(DeferredDeleteNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, only project admin or member is able to force
|
||||
# delete or restore server.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class DeferredDeleteScopeTypePolicyTest(DeferredDeletePolicyTest):
|
||||
|
@ -132,10 +132,8 @@ class DeferredDeleteScopeTypePolicyTest(DeferredDeletePolicyTest):
|
|||
super(DeferredDeleteScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# Scope enable will not allow system admin.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class DeferredDeleteScopeTypeNoLegacyPolicyTest(
|
||||
|
@ -146,14 +144,14 @@ class DeferredDeleteScopeTypeNoLegacyPolicyTest(
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
dd_policies.BASE_POLICY_NAME % 'restore':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
dd_policies.BASE_POLICY_NAME % 'force':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(DeferredDeleteScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# With scope enable and no legacy rule, only project admin/member is
|
||||
# able to force delete or restore server.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
|
|
|
@ -114,12 +114,6 @@ class EvacuateNoLegacyNoScopePolicyTest(EvacuatePolicyTest):
|
|||
|
||||
without_deprecated_rules = True
|
||||
|
||||
def setUp(self):
|
||||
super(EvacuateNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule and scope disable, only project admin
|
||||
# will be able to evacuate server.
|
||||
self.project_action_authorized_contexts = [self.project_admin_context]
|
||||
|
||||
|
||||
class EvacuateScopeTypePolicyTest(EvacuatePolicyTest):
|
||||
"""Test Evacuate APIs policies with system scope enabled.
|
||||
|
@ -146,10 +140,3 @@ class EvacuateScopeTypeNoLegacyPolicyTest(EvacuateScopeTypePolicyTest):
|
|||
and no more deprecated rules which means scope + new defaults.
|
||||
"""
|
||||
without_deprecated_rules = True
|
||||
|
||||
def setUp(self):
|
||||
super(EvacuateScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# This is how our RBAC will looks like. With no legacy rule
|
||||
# and scope enable, only project admin is able to evacuate
|
||||
# server.
|
||||
self.project_action_authorized_contexts = [self.project_admin_context]
|
||||
|
|
|
@ -152,24 +152,24 @@ class FloatingIPNoLegacyNoScopePolicyTest(FloatingIPPolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
fip_policies.BASE_POLICY_NAME % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
fip_policies.BASE_POLICY_NAME % 'show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
fip_policies.BASE_POLICY_NAME % 'create':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
fip_policies.BASE_POLICY_NAME % 'delete':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
fip_policies.BASE_POLICY_NAME % 'add':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
fip_policies.BASE_POLICY_NAME % 'remove':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(FloatingIPNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, only project admin or member will be
|
||||
# able to add/remove FIP to server.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
# With no legacy, project other roles like foo will not be able
|
||||
# to operate on FIP.
|
||||
self.member_authorized_contexts = [
|
||||
|
@ -203,10 +203,8 @@ class FloatingIPScopeTypePolicyTest(FloatingIPPolicyTest):
|
|||
super(FloatingIPScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# Scope enable will not allow system users.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
self.member_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
|
@ -228,24 +226,24 @@ class FloatingIPScopeTypeNoLegacyPolicyTest(FloatingIPScopeTypePolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
fip_policies.BASE_POLICY_NAME % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
fip_policies.BASE_POLICY_NAME % 'show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
fip_policies.BASE_POLICY_NAME % 'create':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
fip_policies.BASE_POLICY_NAME % 'delete':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
fip_policies.BASE_POLICY_NAME % 'add':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
fip_policies.BASE_POLICY_NAME % 'remove':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(FloatingIPScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# Check that system admin or owner is able to
|
||||
# add/delete FIP to server.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
# With no legacy and scope enabled, system users and project
|
||||
# other roles like foo will not be able to operate FIP.
|
||||
self.member_authorized_contexts = [
|
||||
|
|
|
@ -140,20 +140,17 @@ class InstanceActionsNoLegacyNoScopePolicyTest(InstanceActionsPolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
ia_policies.BASE_POLICY_NAME % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
ia_policies.BASE_POLICY_NAME % 'show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
ia_policies.BASE_POLICY_NAME % 'events':
|
||||
base_policy.PROJECT_ADMIN,
|
||||
base_policy.ADMIN,
|
||||
}
|
||||
|
||||
def setUp(self):
|
||||
super(InstanceActionsNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, legacy admin loose power.
|
||||
self.project_admin_authorized_contexts = [self.project_admin_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class InstanceActionsDeprecatedPolicyTest(base.BasePolicyTest):
|
||||
|
@ -231,10 +228,8 @@ class InstanceActionsScopeTypePolicyTest(InstanceActionsPolicyTest):
|
|||
# With Scope enable, system users no longer allowed.
|
||||
self.project_admin_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
@mock.patch('nova.objects.InstanceActionEventList.get_by_action')
|
||||
@mock.patch('nova.objects.InstanceAction.get_by_request_id')
|
||||
|
@ -280,27 +275,25 @@ class InstanceActionsScopeTypePolicyTest(InstanceActionsPolicyTest):
|
|||
self.assertNotIn('details', event)
|
||||
|
||||
|
||||
class InstanceActionsScopeTypeNoLegacyPolicyTest(InstanceActionsPolicyTest):
|
||||
class InstanceActionsScopeTypeNoLegacyPolicyTest(
|
||||
InstanceActionsScopeTypePolicyTest):
|
||||
"""Test os-instance-actions APIs policies with system scope enabled,
|
||||
and no more deprecated rules.
|
||||
"""
|
||||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
ia_policies.BASE_POLICY_NAME % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
ia_policies.BASE_POLICY_NAME % 'show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
ia_policies.BASE_POLICY_NAME % 'events':
|
||||
base_policy.PROJECT_ADMIN,
|
||||
base_policy.ADMIN,
|
||||
}
|
||||
|
||||
def setUp(self):
|
||||
super(InstanceActionsScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# With no legacy and scope enable, only project admin, member,
|
||||
# and reader will be able to get server action and only admin
|
||||
# with event details.
|
||||
self.project_admin_authorized_contexts = [self.project_admin_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_scope_no_legacy)
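Review bot: In the NoLegacyNoScope setUp hunk, the retained comment `# With no legacy rule, legacy admin loose power.` states the opposite of what this commit sets out to do, and the retained `self.project_admin_authorized_contexts = [self.project_admin_context]` still pins the 'events' rule, now `base_policy.ADMIN`, to the project admin context alone. If the base class's legacy admin context carries the admin role on a project it would satisfy `ADMIN` too, so this expectation either relies on the base test dropping that context from the tested set when deprecated rules are disabled, or it will not hold; the base class is not in this diff, so that should be confirmed. At minimum the comment should be corrected, e.g. `# With no legacy rule, project reader/member/admin (including legacy admin) can list/show actions; event details stay admin-only.`. The same comment and expectation appear in the ScopeTypeNoLegacy setUp later in this section.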
|
||||
|
|
|
@ -95,7 +95,7 @@ class LimitsNoLegacyNoScopeTest(LimitsPolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME:
|
||||
base_policy.PROJECT_ADMIN}
|
||||
base_policy.ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(LimitsNoLegacyNoScopeTest, self).setUp()
|
||||
|
@ -141,7 +141,7 @@ class LimitsScopeTypeNoLegacyPolicyTest(LimitsScopeTypePolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME:
|
||||
base_policy.PROJECT_ADMIN}
|
||||
base_policy.ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(LimitsScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
|
|
|
@ -139,11 +139,9 @@ class LockServerNoLegacyNoScopePolicyTest(LockServerPolicyTest):
|
|||
def setUp(self):
|
||||
super(LockServerNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, only project admin or member will be
|
||||
# able to lock/unlock the server and only project admin can
|
||||
# override the unlock.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_admin_authorized_contexts = [self.project_admin_context]
|
||||
# able to lock/unlock the server.
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class LockServerScopeTypePolicyTest(LockServerPolicyTest):
|
||||
|
@ -160,10 +158,8 @@ class LockServerScopeTypePolicyTest(LockServerPolicyTest):
|
|||
super(LockServerScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# Scope enable will not allow system admin to lock/unlock the server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
self.project_admin_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context]
|
||||
|
||||
|
@ -178,9 +174,8 @@ class LockServerScopeTypeNoLegacyPolicyTest(LockServerScopeTypePolicyTest):
|
|||
super(LockServerScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With scope enable and no legacy rule, only project admin/member
|
||||
# will be able to lock/unlock the server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_admin_authorized_contexts = [self.project_admin_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
|
||||
|
||||
class LockServerOverridePolicyTest(LockServerScopeTypeNoLegacyPolicyTest):
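Review bot: The NoLegacyNoScope and ScopeTypeNoLegacy setUp hunks drop the explicit `self.project_admin_authorized_contexts = [self.project_admin_context]` for the unlock-override path, so the admin-only override expectation in those variants is now whatever the parent class set, and the first hunk's comment no longer mentions the override at all. That lets the stricter no-legacy variants silently accept any widening of the parent's admin set; the ScopeType hunk shows that set as `[self.legacy_admin_context, self.project_admin_context]`, while the NoLegacyNoScope parent's value is not visible here. Consider restating the override expectation explicitly in each no-legacy subclass, e.g. `self.project_admin_authorized_contexts = [self.legacy_admin_context, self.project_admin_context]`, and extending the comment to `# able to lock/unlock the server and only admin can override the unlock.`, so the override check stays pinned next to the rest of the class's expectations.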
|
||||
|
|
|
@ -83,11 +83,6 @@ class MigrateServerNoLegacyNoScopeTest(MigrateServerPolicyTest):
|
|||
|
||||
without_deprecated_rules = True
|
||||
|
||||
def setUp(self):
|
||||
super(MigrateServerNoLegacyNoScopeTest, self).setUp()
|
||||
self.project_admin_authorized_contexts = [
|
||||
self.project_admin_context]
|
||||
|
||||
|
||||
class MigrateServerScopeTypePolicyTest(MigrateServerPolicyTest):
|
||||
"""Test Migrate Server APIs policies with system scope enabled.
|
||||
|
@ -115,12 +110,6 @@ class MigrateServerScopeTypeNoLegacyPolicyTest(
|
|||
"""
|
||||
without_deprecated_rules = True
|
||||
|
||||
def setUp(self):
|
||||
super(MigrateServerScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# with no legacy rule and scope enable., only project admin is able to
|
||||
# migrate the server.
|
||||
self.project_admin_authorized_contexts = [self.project_admin_context]
|
||||
|
||||
|
||||
class MigrateServerOverridePolicyTest(
|
||||
MigrateServerScopeTypeNoLegacyPolicyTest):
|
||||
|
|
|
@ -83,16 +83,16 @@ class MultinicNoLegacyNoScopePolicyTest(MultinicPolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.BASE_POLICY_NAME % 'add':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
policies.BASE_POLICY_NAME % 'remove':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(MultinicNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, only project admin or member will be
|
||||
# able to add/remove the fixed ip.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class MultinicScopeTypePolicyTest(MultinicPolicyTest):
|
||||
|
@ -111,10 +111,8 @@ class MultinicScopeTypePolicyTest(MultinicPolicyTest):
|
|||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# Scope enable will not allow system admin to add/remove
|
||||
# the fixed ip.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class MultinicScopeTypeNoLegacyPolicyTest(MultinicScopeTypePolicyTest):
|
||||
|
@ -124,13 +122,13 @@ class MultinicScopeTypeNoLegacyPolicyTest(MultinicScopeTypePolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.BASE_POLICY_NAME % 'add':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
policies.BASE_POLICY_NAME % 'remove':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(MultinicScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With scope enable and no legacy rule, only project admin/member
|
||||
# will be able to add/remove the fixed ip.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
|
|
|
@ -73,9 +73,9 @@ class NetworksNoLegacyNoScopePolicyTest(NetworksPolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.POLICY_ROOT % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
policies.POLICY_ROOT % 'show':
|
||||
base_policy.PROJECT_READER}
|
||||
base_policy.PROJECT_READER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(NetworksNoLegacyNoScopePolicyTest, self).setUp()
|
||||
|
@ -120,9 +120,9 @@ class NetworksScopeTypeNoLegacyPolicyTest(NetworksScopeTypePolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.POLICY_ROOT % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
policies.POLICY_ROOT % 'show':
|
||||
base_policy.PROJECT_READER}
|
||||
base_policy.PROJECT_READER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(NetworksScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
|
|
|
@ -109,8 +109,8 @@ class PauseServerNoLegacyNoScopePolicyTest(PauseServerPolicyTest):
|
|||
super(PauseServerNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, only project admin or member will be
|
||||
# able to pause/unpause the server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class PauseServerScopeTypePolicyTest(PauseServerPolicyTest):
|
||||
|
@ -127,10 +127,8 @@ class PauseServerScopeTypePolicyTest(PauseServerPolicyTest):
|
|||
super(PauseServerScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# Scope enable will not allow system admin to pause/unpause the server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class PauseServerScopeTypeNoLegacyPolicyTest(PauseServerScopeTypePolicyTest):
|
||||
|
@ -143,5 +141,5 @@ class PauseServerScopeTypeNoLegacyPolicyTest(PauseServerScopeTypePolicyTest):
|
|||
super(PauseServerScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With scope enable and no legacy rule, only project admin/member
|
||||
# will be able to pause/unpause the server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
|
|
|
@ -79,8 +79,8 @@ class RemoteConsolesNoLegacyNoScopePolicyTest(RemoteConsolesPolicyTest):
|
|||
super(RemoteConsolesNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, only project admin or member will be
|
||||
# able get server remote consoles.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class RemoteConsolesScopeTypePolicyTest(RemoteConsolesPolicyTest):
|
||||
|
@ -98,10 +98,8 @@ class RemoteConsolesScopeTypePolicyTest(RemoteConsolesPolicyTest):
|
|||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# Scope enable will not allow system admin to get server
|
||||
# remote console.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class RemoteConsolesScopeTypeNoLegacyPolicyTest(
|
||||
|
@ -116,5 +114,5 @@ class RemoteConsolesScopeTypeNoLegacyPolicyTest(
|
|||
super(RemoteConsolesScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With scope enable and no legacy rule, only project admin/member
|
||||
# will be able to get server remote console.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
|
|
|
@ -108,16 +108,16 @@ class RescueServerNoLegacyNoScopePolicyTest(RescueServerPolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
rs_policies.UNRESCUE_POLICY_NAME:
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
rs_policies.BASE_POLICY_NAME:
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(RescueServerNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, only project admin or member will be
|
||||
# able to rescue/unrescue the server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class RescueServerScopeTypePolicyTest(RescueServerPolicyTest):
|
||||
|
@ -135,10 +135,8 @@ class RescueServerScopeTypePolicyTest(RescueServerPolicyTest):
|
|||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# Scope enable will not allow system admin to rescue/unrescue the
|
||||
# server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class RescueServerScopeTypeNoLegacyPolicyTest(RescueServerScopeTypePolicyTest):
|
||||
|
@ -149,13 +147,13 @@ class RescueServerScopeTypeNoLegacyPolicyTest(RescueServerScopeTypePolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
rs_policies.UNRESCUE_POLICY_NAME:
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
rs_policies.BASE_POLICY_NAME:
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(RescueServerScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With scope enable and no legacy rule, only project admin/member
|
||||
# will be able to rescue/unrescue the server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
|
|
|
@ -104,22 +104,20 @@ class ServerSecurityGroupsNoLegacyNoScopePolicyTest(
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.POLICY_NAME % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'add':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'remove':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(ServerSecurityGroupsNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, only project admin or member will be
|
||||
# able to add/remove SG to server and reader to get SG.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context,
|
||||
]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class SecurityGroupsPolicyTest(base.BasePolicyTest):
|
||||
|
@ -243,19 +241,19 @@ class SecurityGroupsNoLegacyNoScopePolicyTest(
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.POLICY_NAME % 'get':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'create':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'update':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'delete':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'rule:create':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'rule:delete':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(SecurityGroupsNoLegacyNoScopePolicyTest, self).setUp()
|
||||
|
@ -321,15 +319,10 @@ class ServerSecurityGroupsScopeTypePolicyTest(ServerSecurityGroupsPolicyTest):
|
|||
super(ServerSecurityGroupsScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# Scope enable will not allow system users.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.project_foo_context
|
||||
]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class ServerSecurityGroupsScopeTypeNoLegacyPolicyTest(
|
||||
|
@ -340,23 +333,21 @@ class ServerSecurityGroupsScopeTypeNoLegacyPolicyTest(
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.POLICY_NAME % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'add':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'remove':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(ServerSecurityGroupsScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With scope enable and no legacy rule, only project admin/member
|
||||
# will be able to add/remove the SG to their server and reader
|
||||
# will get SG of server.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context
|
||||
]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_scope_no_legacy)
|
||||
|
||||
|
||||
class SecurityGroupsNoLegacyPolicyTest(SecurityGroupsScopeTypePolicyTest):
|
||||
|
@ -366,19 +357,19 @@ class SecurityGroupsNoLegacyPolicyTest(SecurityGroupsScopeTypePolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.POLICY_NAME % 'get':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'create':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'update':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'delete':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'rule:create':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'rule:delete':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(SecurityGroupsNoLegacyPolicyTest, self).setUp()
|
||||
|
|
|
@ -66,11 +66,6 @@ class ServerDiagnosticsNoLegacyNoScopeTest(ServerDiagnosticsPolicyTest):
|
|||
|
||||
without_deprecated_rules = True
|
||||
|
||||
def setUp(self):
|
||||
super(ServerDiagnosticsNoLegacyNoScopeTest, self).setUp()
|
||||
self.project_admin_authorized_contexts = [
|
||||
self.project_admin_context]
|
||||
|
||||
|
||||
class ServerDiagnosticsScopeTypePolicyTest(ServerDiagnosticsPolicyTest):
|
||||
"""Test Server Diagnostics APIs policies with system scope enabled.
|
||||
|
@ -98,12 +93,6 @@ class ServerDiagnosticsScopeTypeNoLegacyPolicyTest(
|
|||
"""
|
||||
without_deprecated_rules = True
|
||||
|
||||
def setUp(self):
|
||||
super(ServerDiagnosticsScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# with no legacy rule and scope enable., only project admin is able to
|
||||
# get server diagnostics.
|
||||
self.project_admin_authorized_contexts = [self.project_admin_context]
|
||||
|
||||
|
||||
class ServerDiagnosticsOverridePolicyTest(
|
||||
ServerDiagnosticsScopeTypeNoLegacyPolicyTest):
|
||||
|
|
|
@ -163,12 +163,10 @@ class ServerGroupNoLegacyNoScopePolicyTest(ServerGroupPolicyTest):
|
|||
super(ServerGroupNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy, only project admin, member will be able to delete
|
||||
# the SG and also reader will be able to get the SG.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
# Even with no legacy rule, legacy admin is allowed to create SG
|
||||
# use requesting context's project_id. Same for list SG.
|
||||
|
@ -205,16 +203,10 @@ class ServerGroupScopeTypePolicyTest(ServerGroupPolicyTest):
|
|||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
|
||||
# With scope enable, it disallow system users.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.project_foo_context,
|
||||
]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.project_foo_context,
|
||||
]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
self.project_create_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
|
@ -244,17 +236,16 @@ class ServerGroupScopeTypeNoLegacyPolicyTest(ServerGroupScopeTypePolicyTest):
|
|||
def setUp(self):
|
||||
super(ServerGroupScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
|
||||
self.project_create_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.project_member_context,
|
||||
self.other_project_member_context]
|
||||
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_scope_no_legacy)
|
||||
|
||||
self.project_admin_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context]
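Review bot: The context comment left above the first replacement in ServerGroupNoLegacyNoScopePolicyTest, `# With no legacy, only project admin, member will be able to delete the SG and also reader will be able to get the SG.`, no longer describes the set under it, because `project_member_or_admin_with_no_scope_no_legacy` is, by its name and by the commit message, meant to keep the legacy admin. I would change it to `# With no legacy rule, legacy admin and project admin/member can delete the SG; legacy admin and project admin/member/reader can get it.` In ServerGroupScopeTypeNoLegacyPolicyTest the create and admin sets are still hand-listed with `self.legacy_admin_context` while member/reader now come from the shared helpers, so who counts as "admin" is defined in two places; a matching helper in the base class would keep that in one. The helper sets themselves are defined outside this diff, so their exact membership should be confirmed there.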
|
||||
|
|
|
@ -84,10 +84,8 @@ class ServerIpsNoLegacyNoScopePolicyTest(ServerIpsPolicyTest):
|
|||
super(ServerIpsNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy, only project admin, member, and reader will be able
|
||||
# to get their server IP addresses.
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context,
|
||||
]
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class ServerIpsScopeTypePolicyTest(ServerIpsPolicyTest):
|
||||
|
@ -105,11 +103,8 @@ class ServerIpsScopeTypePolicyTest(ServerIpsPolicyTest):
|
|||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# With scope enabled, system users will not be able
|
||||
# to get the server IP addresses.
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.project_foo_context
|
||||
]
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class ServerIpsScopeTypeNoLegacyPolicyTest(ServerIpsScopeTypePolicyTest):
|
||||
|
@ -120,9 +115,7 @@ class ServerIpsScopeTypeNoLegacyPolicyTest(ServerIpsScopeTypePolicyTest):
|
|||
|
||||
def setUp(self):
|
||||
super(ServerIpsScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With no legacy and scope enable, only project admin, member,
|
||||
# With no legacy and scope enable, only admin, member,
|
||||
# and reader will be able to get their server IP addresses.
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context
|
||||
]
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_scope_no_legacy)
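Review bot: The comments in the first and third hunks now disagree: ServerIpsScopeTypeNoLegacyPolicyTest was updated to `# With no legacy and scope enable, only admin, member,`, but ServerIpsNoLegacyNoScopePolicyTest keeps `# With no legacy, only project admin, member, and reader will be able` although both now assert against a `..._reader_or_admin_...` helper set. I would change the kept line to `# With no legacy, only admin, member, and reader will be able` so both tests state the same contract. Which contexts those helper sets hold is decided in the base class, outside this diff, and is worth checking against the commit's intent that the legacy admin stays authorized.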
|
||||
|
|
|
@ -119,11 +119,10 @@ class ServerMetadataNoLegacyNoScopePolicyTest(ServerMetadataPolicyTest):
|
|||
def setUp(self):
|
||||
super(ServerMetadataNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, legacy admin loose power.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class ServerMetadataScopeTypePolicyTest(ServerMetadataPolicyTest):
|
||||
|
@ -140,12 +139,10 @@ class ServerMetadataScopeTypePolicyTest(ServerMetadataPolicyTest):
|
|||
super(ServerMetadataScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# With Scope enable, system users no longer allowed.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_member_authorized_contexts)
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class ServerMetadataScopeTypeNoLegacyPolicyTest(
|
||||
|
@ -160,8 +157,7 @@ class ServerMetadataScopeTypeNoLegacyPolicyTest(
|
|||
super(ServerMetadataScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With no legacy and scope enable, only project admin, member,
|
||||
# and reader will be able to allowed operation on server metadata.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_scope_no_legacy)
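Review bot: The context line `# With no legacy rule, legacy admin loose power.` in ServerMetadataNoLegacyNoScopePolicyTest now says the opposite of what the assignment below it is meant to verify, since that assignment was changed to `project_member_or_admin_with_no_scope_no_legacy` and the commit's purpose is that the legacy admin keeps access. Anyone auditing these policy tests against the RBAC goal would be misled by it. I would replace it with `# With no legacy rule, legacy admin keeps access; only the "any role on the project" contexts (e.g. project_foo) lose it.`, with the membership of the helper set confirmed in the base class, which is outside this diff. The last hunk's `# With no legacy and scope enable, only project admin, member,` should likewise say `only admin, member,` for the same reason.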
|
||||
|
|
|
@ -93,11 +93,6 @@ class ServerMigrationsNoLegacyNoScopeTest(ServerMigrationsPolicyTest):
|
|||
|
||||
without_deprecated_rules = True
|
||||
|
||||
def setUp(self):
|
||||
super(ServerMigrationsNoLegacyNoScopeTest, self).setUp()
|
||||
self.project_admin_authorized_contexts = [
|
||||
self.project_admin_context]
|
||||
|
||||
|
||||
class ServerMigrationsScopeTypePolicyTest(ServerMigrationsPolicyTest):
|
||||
"""Test Server Migrations APIs policies with system scope enabled.
|
||||
|
@ -124,12 +119,6 @@ class ServerMigrationsScopeTypeNoLegacyPolicyTest(
|
|||
"""
|
||||
without_deprecated_rules = True
|
||||
|
||||
def setUp(self):
|
||||
super(ServerMigrationsScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# Check that admin is able to perform operations
|
||||
# for server migrations.
|
||||
self.project_admin_authorized_contexts = [self.project_admin_context]
|
||||
|
||||
|
||||
class ServerMigrationsOverridePolicyTest(
|
||||
ServerMigrationsScopeTypeNoLegacyPolicyTest):
|
||||
|
|
|
@ -80,18 +80,17 @@ class ServerPasswordNoLegacyNoScopePolicyTest(ServerPasswordPolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.BASE_POLICY_NAME % 'show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
policies.BASE_POLICY_NAME % 'clear':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(ServerPasswordNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, legacy admin loose power.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class ServerPasswordScopeTypePolicyTest(ServerPasswordPolicyTest):
|
||||
|
@ -108,12 +107,10 @@ class ServerPasswordScopeTypePolicyTest(ServerPasswordPolicyTest):
|
|||
super(ServerPasswordScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# With Scope enable, system users no longer allowed.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_member_authorized_contexts)
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class ServerPasswordScopeTypeNoLegacyPolicyTest(
|
||||
|
@ -124,16 +121,15 @@ class ServerPasswordScopeTypeNoLegacyPolicyTest(
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.BASE_POLICY_NAME % 'show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
policies.BASE_POLICY_NAME % 'clear':
|
||||
base_policy.PROJECT_MEMBER}
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(ServerPasswordScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With no legacy and scope enable, only project admin, member,
|
||||
# and reader will be able to allowed operation on server password.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_scope_no_legacy)
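Review bot: `# With no legacy rule, legacy admin loose power.` survives as context in ServerPasswordNoLegacyNoScopePolicyTest while the lines it introduces were rewritten to the `..._or_admin_...` helper sets, so the comment now contradicts both the code and the commit message. I would replace it with `# With no legacy rule, legacy admin still has access; project roles other than member/reader lose it.` (the helper's membership is defined in the base class, outside this diff, so confirm it there). Separately, `rules_without_deprecation` in both NoLegacy classes now overrides `show`/`clear` with the same `PROJECT_READER_OR_ADMIN`/`PROJECT_MEMBER_OR_ADMIN` rules that, per the commit message, become the new defaults; if they are now identical to the defaults, a one-line comment on why the override is kept (or dropping it) would save the next reader the question.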
|
||||
|
|
|
@ -132,11 +132,10 @@ class ServerTagsNoLegacyNoScopePolicyTest(ServerTagsPolicyTest):
|
|||
def setUp(self):
|
||||
super(ServerTagsNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, legacy admin loose power.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class ServerTagsScopeTypePolicyTest(ServerTagsPolicyTest):
|
||||
|
@ -153,12 +152,10 @@ class ServerTagsScopeTypePolicyTest(ServerTagsPolicyTest):
|
|||
super(ServerTagsScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# With Scope enable, system users no longer allowed.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_member_authorized_contexts)
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class ServerTagsScopeTypeNoLegacyPolicyTest(ServerTagsScopeTypePolicyTest):
|
||||
|
@ -172,8 +169,7 @@ class ServerTagsScopeTypeNoLegacyPolicyTest(ServerTagsScopeTypePolicyTest):
|
|||
super(ServerTagsScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With no legacy and scope enable, only project admin, member,
|
||||
# and reader will be able to allowed operation on server tags.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_scope_no_legacy)
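Review bot: The kept line `# With no legacy rule, legacy admin loose power.` in ServerTagsNoLegacyNoScopePolicyTest is now wrong for the same reason the assignment under it changed: `project_member_or_admin_with_no_scope_no_legacy` is, per the commit message, meant to keep the legacy admin. I would change it to `# With no legacy rule, legacy admin keeps access; only non-member/reader project roles lose it.` In the last hunk, `# and reader will be able to allowed operation on server tags.` is also ungrammatical and still says `only project admin`; `# With no legacy and scope enabled, only admin, member and reader may operate on server tags.` would read correctly. Helper-set membership lives in the base class outside this diff.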
|
||||
|
|
|
@ -98,11 +98,8 @@ class ServerTopologyNoLegacyNoScopePolicyTest(ServerTopologyPolicyTest):
|
|||
|
||||
def setUp(self):
|
||||
super(ServerTopologyNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, legacy admin loose power.
|
||||
self.project_admin_authorized_contexts = [self.project_admin_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class ServerTopologyScopeTypePolicyTest(ServerTopologyPolicyTest):
|
||||
|
@ -121,10 +118,8 @@ class ServerTopologyScopeTypePolicyTest(ServerTopologyPolicyTest):
|
|||
# With Scope enable, system users no longer allowed.
|
||||
self.project_admin_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class ServerTopologyScopeTypeNoLegacyPolicyTest(
|
||||
|
@ -138,9 +133,6 @@ class ServerTopologyScopeTypeNoLegacyPolicyTest(
|
|||
def setUp(self):
|
||||
super(ServerTopologyScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With no legacy and scope enable, only project admin, member,
|
||||
# and reader will be able to get server topology and only admin
|
||||
# with host info.
|
||||
self.project_admin_authorized_contexts = [self.project_admin_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
# and reader will be able to get server topology.
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_scope_no_legacy)
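Review bot: The rewritten comment in ServerTopologyScopeTypeNoLegacyPolicyTest drops `and only admin with host info` together with the `project_admin_authorized_contexts` assignment, so the test no longer states who is expected to see host data without legacy rules; that set is now presumably inherited from ServerTopologyScopeTypePolicyTest, where it is `[self.legacy_admin_context, self.project_admin_context]`. I would keep that visible with `# Host info is left to the inherited admin set (legacy admin and project admin).` on the line after the new comment. The new comment also still says `only project admin, member,` while the helper it refers to is `..._reader_or_admin_...`; `only admin, member,` would match it. The inherited set is established outside this hunk, so confirm the parent's setUp before relying on it.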
|
||||
|
|
|
@ -1324,7 +1324,7 @@ class ServersNoLegacyNoScopeTest(ServersPolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.SERVERS % 'show:flavor-extra-specs':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
}
|
||||
|
||||
def setUp(self):
|
||||
|
@ -1332,23 +1332,14 @@ class ServersNoLegacyNoScopeTest(ServersPolicyTest):
|
|||
|
||||
# Disabling legacy rule support means that we no longer allow
|
||||
# random roles on our project to take action on our
|
||||
# resources. We also do not allow admin on other projects
|
||||
# (i.e. legacy_admin), nor system (because it's admin on no
|
||||
# project).
|
||||
self.reduce_set('project_action_authorized', set([
|
||||
self.project_admin_context, self.project_member_context,
|
||||
]))
|
||||
|
||||
self.reduce_set('project_admin_authorized', set([
|
||||
self.project_admin_context
|
||||
]))
|
||||
# resources. Legacy admin will have access.
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
# The only additional role that can read our resources is our
|
||||
# own project_reader.
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_action_authorized_contexts |
|
||||
set([self.project_reader_context])
|
||||
)
|
||||
self.project_reader_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
# Disabling legacy support means random roles lose power to
|
||||
# see everything in their project.
|
||||
|
@ -1438,7 +1429,7 @@ class ServersNoLegacyPolicyTest(ServersScopeTypePolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.SERVERS % 'show:flavor-extra-specs':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
}
|
||||
|
||||
def setUp(self):
|
||||
|
@ -1448,15 +1439,8 @@ class ServersNoLegacyPolicyTest(ServersScopeTypePolicyTest):
|
|||
# powerful on our project. Also, we drop the "any role on the
|
||||
# project means you can do stuff" behavior, so project_reader
|
||||
# and project_foo lose power.
|
||||
self.reduce_set('project_action_authorized', set([
|
||||
self.project_admin_context,
|
||||
self.project_member_context,
|
||||
]))
|
||||
|
||||
# With no legacy rule and scope checks enable, only project
|
||||
# admin can do admin things on project resource.
|
||||
self.reduce_set('project_admin_authorized',
|
||||
set([self.project_admin_context]))
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
|
||||
# Only project_reader has additional read access to our
|
||||
# project resources.
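Review bot: The second hunk of ServersNoLegacyPolicyTest removes the comment `# With no legacy rule and scope checks enable, only project admin can do admin things on project resource.` along with the `reduce_set('project_admin_authorized', ...)` call, and nothing replaces them, so a reader no longer sees that `project_admin_authorized_contexts` is now intentionally inherited from the scope-type parent, legacy admin included. I would add `# project_admin_authorized_contexts is inherited unchanged: legacy admin keeps admin rights even without legacy rules.` where the removed lines were. Note also that both NoLegacy classes switch from `reduce_set(...)` to a direct assignment; if `reduce_set` intersected with the inherited set (it is defined outside this diff), that implicit "no-legacy never widens the legacy set" guard is gone, so the helper sets are now the only thing keeping these tests from over-authorizing.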
|
||||
|
|
|
@ -122,9 +122,8 @@ class ShelveServerNoLegacyNoScopePolicyTest(ShelveServerPolicyTest):
|
|||
# With no legacy rule, only project admin or member will be
|
||||
# able to shelve/unshelve the server and only project admin can
|
||||
# shelve offload the server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_admin_authorized_contexts = [self.project_admin_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class ShelveServerScopeTypePolicyTest(ShelveServerPolicyTest):
|
||||
|
@ -142,10 +141,8 @@ class ShelveServerScopeTypePolicyTest(ShelveServerPolicyTest):
|
|||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# Scope enable will not allow system admin to shelve/unshelve the
|
||||
# server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
self.project_admin_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context]
|
||||
|
||||
|
@ -160,6 +157,5 @@ class ShelveServerScopeTypeNoLegacyPolicyTest(ShelveServerScopeTypePolicyTest):
|
|||
super(ShelveServerScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
# With scope enable and no legacy rule, only project admin/member
|
||||
# will be able to shelve/unshelve the server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_admin_authorized_contexts = [self.project_admin_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
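Review bot: The kept comment in ShelveServerNoLegacyNoScopePolicyTest still ends with `and only project admin can shelve offload the server.`, but the line that enforced it, `self.project_admin_authorized_contexts = [self.project_admin_context]`, is removed in this hunk, so the admin set is now whatever the parent sets up, which per the commit message includes the legacy admin. I would rewrite the comment as `# With no legacy rule, legacy admin and project admin/member can shelve/unshelve; shelve offload stays with admin (legacy or project).` The same applies to the last hunk, where `only project admin/member` is kept although the admin reduction is dropped there too. The parent's admin set is defined outside this diff, so its membership should be confirmed there.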
|
||||
|
|
|
@ -70,10 +70,8 @@ class SimpleTenantUsageNoLegacyNoScopePolicyTest(SimpleTenantUsagePolicyTest):
|
|||
super(SimpleTenantUsageNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy, project other roles like foo will not be able
|
||||
# to get tenant usage.
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context,
|
||||
]
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class SimpleTenantUsageScopeTypePolicyTest(SimpleTenantUsagePolicyTest):
|
||||
|
@ -92,11 +90,8 @@ class SimpleTenantUsageScopeTypePolicyTest(SimpleTenantUsagePolicyTest):
|
|||
# With Scope enable, system users no longer allowed.
|
||||
self.project_admin_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context]
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.project_foo_context,
|
||||
]
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class SimpleTenantUsageScopeTypeNoLegacyPolicyTest(
|
||||
|
@ -109,7 +104,5 @@ class SimpleTenantUsageScopeTypeNoLegacyPolicyTest(
|
|||
|
||||
def setUp(self):
|
||||
super(SimpleTenantUsageScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
]
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_scope_no_legacy)
|
||||
|
|
|
@ -107,8 +107,8 @@ class SuspendServerNoLegacyNoScopePolicyTest(SuspendServerPolicyTest):
|
|||
super(SuspendServerNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, only project admin or member will be
|
||||
# able to suspend/resume the server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class SuspendServerScopeTypePolicyTest(SuspendServerPolicyTest):
|
||||
|
@ -125,10 +125,8 @@ class SuspendServerScopeTypePolicyTest(SuspendServerPolicyTest):
|
|||
super(SuspendServerScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
# Scope enable will not allow system admin to suspend/resume server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
|
||||
class SuspendServerScopeTypeNoLegacyTest(SuspendServerScopeTypePolicyTest):
|
||||
|
@ -143,5 +141,5 @@ class SuspendServerScopeTypeNoLegacyTest(SuspendServerScopeTypePolicyTest):
|
|||
super(SuspendServerScopeTypeNoLegacyTest, self).setUp()
|
||||
# With scope enable and no legacy rule only project admin/member
|
||||
# will be able to suspend/resume the server.
|
||||
self.project_action_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_action_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
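Review bot: Both NoLegacy comments in this section, `# With no legacy rule, only project admin or member will be able to suspend/resume the server.` and `# With scope enable and no legacy rule only project admin/member will be able to suspend/resume the server.`, are kept as context while the sets they describe were changed to `..._member_or_admin_...` helpers that are meant to include the legacy admin. I would change the first to `# With no legacy rule, legacy admin and project admin/member can suspend/resume the server.` and the second to `# With scope enabled and no legacy rule, admin and project member can suspend/resume the server.` The helper sets are defined in the base class, outside this diff, so their membership should be checked there before adjusting the wording.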
|
||||
|
|
|
@ -72,9 +72,9 @@ class TenantNetworksNoLegacyNoScopePolicyTest(TenantNetworksPolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.POLICY_NAME % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'show':
|
||||
base_policy.PROJECT_READER}
|
||||
base_policy.PROJECT_READER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(TenantNetworksNoLegacyNoScopePolicyTest, self).setUp()
|
||||
|
@ -120,9 +120,9 @@ class TenantNetworksScopeTypeNoLegacyPolicyTest(
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.POLICY_NAME % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
policies.POLICY_NAME % 'show':
|
||||
base_policy.PROJECT_READER}
|
||||
base_policy.PROJECT_READER_OR_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(TenantNetworksScopeTypeNoLegacyPolicyTest, self).setUp()
|
||||
|
|
|
@ -215,14 +215,12 @@ class VolumeAttachNoLegacyNoScopePolicyTest(VolumeAttachPolicyTest):
|
|||
|
||||
def setUp(self):
|
||||
super(VolumeAttachNoLegacyNoScopePolicyTest, self).setUp()
|
||||
# With no legacy rule, only project admin, member, or reader will be
|
||||
# With no legacy rule, only admin, member, or reader will be
|
||||
# able to perform volume attachment operation on its own project.
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_no_scope_no_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_no_scope_no_legacy)
|
||||
|
||||
|
||||
class VolumeAttachScopeTypePolicyTest(VolumeAttachPolicyTest):
|
||||
|
@ -242,15 +240,10 @@ class VolumeAttachScopeTypePolicyTest(VolumeAttachPolicyTest):
|
|||
|
||||
# Scope enable will not allow system admin to perform the
|
||||
# volume attachments.
|
||||
self.project_member_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.legacy_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_m_r_or_admin_with_scope_and_legacy)
|
||||
|
||||
self.project_admin_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context]
|
||||
|
@ -268,11 +261,10 @@ class VolumeAttachScopeTypeNoLegacyPolicyTest(VolumeAttachScopeTypePolicyTest):
|
|||
# With scope enable and no legacy rule, it will not allow
|
||||
# system users and project admin/member/reader will be able to
|
||||
# perform volume attachment operation on its own project.
|
||||
self.project_reader_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
self.project_member_authorized_contexts = [
|
||||
self.project_admin_context, self.project_member_context]
|
||||
self.project_member_authorized_contexts = (
|
||||
self.project_member_or_admin_with_scope_no_legacy)
|
||||
self.project_reader_authorized_contexts = (
|
||||
self.project_reader_or_admin_with_scope_no_legacy)
|
||||
|
||||
|
||||
class VolumesPolicyTest(base.BasePolicyTest):
|
||||
|
@ -403,25 +395,25 @@ class VolumesNoLegacyNoScopePolicyTest(VolumesPolicyTest):
|
|||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
v_policies.POLICY_NAME % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'detail':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'create':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'delete':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'snapshots:list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'snapshots:detail':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'snapshots:delete':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'snapshots:create':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'snapshots:show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
}
|
||||
|
||||
def setUp(self):
|
||||
|
@ -482,25 +474,25 @@ class VolumesScopeTypeNoLegacyPolicyTest(VolumesScopeTypePolicyTest):
|
|||
|
||||
rules_without_deprecation = {
|
||||
v_policies.POLICY_NAME % 'list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'detail':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'create':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'delete':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'snapshots:list':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'snapshots:detail':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'snapshots:delete':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'snapshots:create':
|
||||
base_policy.PROJECT_MEMBER,
|
||||
base_policy.PROJECT_MEMBER_OR_ADMIN,
|
||||
v_policies.POLICY_NAME % 'snapshots:show':
|
||||
base_policy.PROJECT_READER,
|
||||
base_policy.PROJECT_READER_OR_ADMIN,
|
||||
}
|
||||
|
||||
def setUp(self):
|
||||
|
|
|
@ -554,7 +554,8 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
special_rules = ('admin_api', 'admin_or_owner', 'context_is_admin',
|
||||
'os_compute_api:os-quota-class-sets:show',
|
||||
'project_admin_api', 'project_member_api',
|
||||
'project_reader_api', 'project_reader_or_admin')
|
||||
'project_reader_api', 'project_member_or_admin',
|
||||
'project_reader_or_admin')
|
||||
result = set(rules.keys()) - set(self.admin_only_rules +
|
||||
self.admin_or_owner_rules +
|
||||
self.allow_all_rules +
|
||||
|
|