diff --git a/nova/policies/quota_class_sets.py b/nova/policies/quota_class_sets.py index 81841489a362..5a41a79bec26 100644 --- a/nova/policies/quota_class_sets.py +++ b/nova/policies/quota_class_sets.py @@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-class-sets:%s' quota_class_sets_policies = [ policy.DocumentedRuleDefault( name=POLICY_ROOT % 'show', - check_str='is_admin:True or quota_class:%(quota_class)s', + check_str=base.SYSTEM_READER, description="List quotas for specific quota classs", operations=[ { @@ -35,7 +35,7 @@ quota_class_sets_policies = [ scope_types=['system']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'update', - check_str=base.RULE_ADMIN_API, + check_str=base.SYSTEM_ADMIN, description='Update quotas for specific quota class', operations=[ { diff --git a/nova/tests/unit/policies/test_quota_class_sets.py b/nova/tests/unit/policies/test_quota_class_sets.py index 71471fae4258..4f9b228bc835 100644 --- a/nova/tests/unit/policies/test_quota_class_sets.py +++ b/nova/tests/unit/policies/test_quota_class_sets.py @@ -31,17 +31,28 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest): self.controller = quota_classes.QuotaClassSetsController() self.req = fakes.HTTPRequest.blank('') - # Check that admin is able to update and get quota class + # Check that admin is able to update quota class self.admin_authorized_contexts = [ self.legacy_admin_context, self.system_admin_context, self.project_admin_context] - # Check that non-admin is not able to update and get quota class + # Check that non-admin is not able to update quota class self.admin_unauthorized_contexts = [ self.system_member_context, self.system_reader_context, self.system_foo_context, self.project_member_context, self.project_reader_context, self.project_foo_context, self.other_project_member_context ] + # Check that system reader is able to get quota class + self.system_reader_authorized_contexts = [ + self.legacy_admin_context, self.system_admin_context, + self.project_admin_context, self.system_member_context, + self.system_reader_context] + # Check that non-system reader is not able to get quota class + self.system_reader_unauthorized_contexts = [ + self.system_foo_context, self.project_member_context, + self.project_reader_context, self.project_foo_context, + self.other_project_member_context + ] @mock.patch('nova.objects.Quotas.update_class') def test_update_quota_class_sets_policy(self, mock_update): @@ -61,8 +72,8 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest): @mock.patch('nova.quota.QUOTAS.get_class_quotas') def test_show_quota_class_sets_policy(self, mock_get): rule_name = policies.POLICY_ROOT % 'show' - self.common_policy_check(self.admin_authorized_contexts, - self.admin_unauthorized_contexts, + self.common_policy_check(self.system_reader_authorized_contexts, + self.system_reader_unauthorized_contexts, rule_name, self.controller.show, self.req, 'test_class') @@ -92,3 +103,25 @@ class QuotaClassSetsScopeTypePolicyTest(QuotaClassSetsPolicyTest): self.project_reader_context, self.project_foo_context, self.other_project_member_context ] + # Check that system reader is able to get quota class + self.system_reader_authorized_contexts = [ + self.system_admin_context, self.system_member_context, + self.system_reader_context] + # Check that non-system reader is not able to get quota class + self.system_reader_unauthorized_contexts = [ + self.legacy_admin_context, self.project_admin_context, + self.system_foo_context, self.project_member_context, + self.project_reader_context, self.project_foo_context, + self.other_project_member_context + ] + + +class QuotaClassSetsNoLegacyPolicyTest(QuotaClassSetsScopeTypePolicyTest): + """Test Quota Class Sets APIs policies with system scope enabled, + and no more deprecated rules that allow the legacy admin API to + access system APIs. + """ + without_deprecated_rules = True + + def setUp(self): + super(QuotaClassSetsNoLegacyPolicyTest, self).setUp()