Introduce scope_types in os-instance-usage-audit-log

oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level. - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html Appropriate scope_type for nova case: - https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope This commit introduce scope_type for os-instance-usage-audit-log API policies as 'system'. Also adds the test case with scope_type enabled and verify we pass and fail the policy check with expected context. Partial implement blueprint policy-defaults-refresh Change-Id: I070cedee068f87a8d466d38d34abcad552ecd015
2020-03-25 12:05:05 -05:00 · 2020-03-25 12:05:05 -05:00 · 9f773b7773
parent fda60b873f
commit 9f773b7773
2 changed files with 21 additions and 7 deletions
--- a/nova/policies/instance_usage_audit_log.py
+++ b/nova/policies/instance_usage_audit_log.py
@ -23,12 +23,12 @@ BASE_POLICY_NAME = 'os_compute_api:os-instance-usage-audit-log'

 instance_usage_audit_log_policies = [
    policy.DocumentedRuleDefault(
-        BASE_POLICY_NAME,
-        base.RULE_ADMIN_API,
-        "List all usage audits and that occurred before a specified time "
-        "for all servers on all compute hosts where usage auditing is "
-        "configured",
-        [
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API,
+        description="List all usage audits and that occurred before "
+        "a specified time for all servers on all compute hosts where "
+        "usage auditing is configured",
+        operations=[
            {
                'method': 'GET',
                'path': '/os-instance_usage_audit_log'
@ -37,7 +37,8 @@ instance_usage_audit_log_policies = [
                'method': 'GET',
                'path': '/os-instance_usage_audit_log/{before_timestamp}'
            }
-        ]),
+        ],
+        scope_types=['system']),
 ]


--- a/nova/tests/unit/policies/test_instance_usage_audit_log.py
+++ b/nova/tests/unit/policies/test_instance_usage_audit_log.py
@ -75,3 +75,16 @@ class InstanceUsageScopeTypePolicyTest(InstanceUsageAuditLogPolicyTest):
    def setUp(self):
        super(InstanceUsageScopeTypePolicyTest, self).setUp()
        self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system admin is able to get instance usage audit log.
+        self.admin_authorized_contexts = [
+            self.system_admin_context]
+        # Check that non-system-admin is not able to get instance
+        # usage audit log.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.project_admin_context,
+            self.system_foo_context, self.project_member_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context
+        ]