Introduce scope_types in os-instance-usage-audit-log
oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level. - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html Appropriate scope_type for nova case: - https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope This commit introduce scope_type for os-instance-usage-audit-log API policies as 'system'. Also adds the test case with scope_type enabled and verify we pass and fail the policy check with expected context. Partial implement blueprint policy-defaults-refresh Change-Id: I070cedee068f87a8d466d38d34abcad552ecd015
This commit is contained in:
parent
fda60b873f
commit
9f773b7773
|
@ -23,12 +23,12 @@ BASE_POLICY_NAME = 'os_compute_api:os-instance-usage-audit-log'
|
|||
|
||||
instance_usage_audit_log_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
BASE_POLICY_NAME,
|
||||
base.RULE_ADMIN_API,
|
||||
"List all usage audits and that occurred before a specified time "
|
||||
"for all servers on all compute hosts where usage auditing is "
|
||||
"configured",
|
||||
[
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="List all usage audits and that occurred before "
|
||||
"a specified time for all servers on all compute hosts where "
|
||||
"usage auditing is configured",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/os-instance_usage_audit_log'
|
||||
|
@ -37,7 +37,8 @@ instance_usage_audit_log_policies = [
|
|||
'method': 'GET',
|
||||
'path': '/os-instance_usage_audit_log/{before_timestamp}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -75,3 +75,16 @@ class InstanceUsageScopeTypePolicyTest(InstanceUsageAuditLogPolicyTest):
|
|||
def setUp(self):
|
||||
super(InstanceUsageScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
|
||||
# Check that system admin is able to get instance usage audit log.
|
||||
self.admin_authorized_contexts = [
|
||||
self.system_admin_context]
|
||||
# Check that non-system-admin is not able to get instance
|
||||
# usage audit log.
|
||||
self.admin_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
|
Loading…
Reference in New Issue