Merge "Change os-server-tags default policy"

Jenkins 2017-03-29 11:31:32 +00:00 committed by Gerrit Code Review
commit afd1f9d382
3 changed files with 18 additions and 13 deletions

@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-server-tags:%s'
server_tags_policies = [
base.create_rule_default(
POLICY_ROOT % 'delete_all',
base.RULE_ANY,
base.RULE_ADMIN_OR_OWNER,
"Delete all the server tags",
[
{
@ -34,7 +34,7 @@ server_tags_policies = [
]),
base.create_rule_default(
POLICY_ROOT % 'index',
base.RULE_ANY,
base.RULE_ADMIN_OR_OWNER,
"List all tags for given server",
[
{
@ -44,7 +44,7 @@ server_tags_policies = [
]),
base.create_rule_default(
POLICY_ROOT % 'update_all',
base.RULE_ANY,
base.RULE_ADMIN_OR_OWNER,
"Replace all tags on specified server with the new set of tags.",
[
{
@ -55,7 +55,7 @@ server_tags_policies = [
]),
base.create_rule_default(
POLICY_ROOT % 'delete',
base.RULE_ANY,
base.RULE_ADMIN_OR_OWNER,
"Delete a single tag from the specified server",
[
{
@ -66,7 +66,7 @@ server_tags_policies = [
),
base.create_rule_default(
POLICY_ROOT % 'update',
base.RULE_ANY,
base.RULE_ADMIN_OR_OWNER,
"Add a single tag to the server if server has no specified tag",
[
{
@ -77,7 +77,7 @@ server_tags_policies = [
),
base.create_rule_default(
POLICY_ROOT % 'show',
base.RULE_ANY,
base.RULE_ADMIN_OR_OWNER,
"Check tag existence on the server.",
[
{
@ -88,7 +88,7 @@ server_tags_policies = [
),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
check_str=base.RULE_ANY)
]
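Review bot: Switching these six defaults to `base.RULE_ADMIN_OR_OWNER` only restricts access if the enforcement call in the server-tags controller passes the target server's project as the policy target, and that code is not part of this diff. If the controller relies on a default target built from the caller's own context, the owner comparison checks the request against itself and the rule still admits any authenticated project, so confirm it passes something like `target={'project_id': instance.project_id}`. A short comment above `server_tags_policies`, for example `# Owner checks assume the controller passes the server's project_id as target`, would record that dependency. Deployments that copied the old allow-all defaults into a local policy file keep them after upgrade, which the upgrade note could state explicitly.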

@ -418,6 +418,12 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-server-password",
"os_compute_api:os-server-usage",
"os_compute_api:os-server-groups",
"os_compute_api:os-server-tags:delete",
"os_compute_api:os-server-tags:delete_all",
"os_compute_api:os-server-tags:index",
"os_compute_api:os-server-tags:show",
"os_compute_api:os-server-tags:update",
"os_compute_api:os-server-tags:update_all",
"os_compute_api:os-server-groups:index",
"os_compute_api:os-server-groups:show",
"os_compute_api:os-server-groups:create",
@ -502,13 +508,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-server-password:discoverable",
"os_compute_api:os-server-usage:discoverable",
"os_compute_api:os-server-groups:discoverable",
"os_compute_api:os-server-tags:delete",
"os_compute_api:os-server-tags:delete_all",
"os_compute_api:os-server-tags:discoverable",
"os_compute_api:os-server-tags:index",
"os_compute_api:os-server-tags:show",
"os_compute_api:os-server-tags:update",
"os_compute_api:os-server-tags:update_all",
"os_compute_api:os-services:discoverable",
"os_compute_api:server-metadata:discoverable",
"os_compute_api:server-migrations:discoverable",

@ -0,0 +1,5 @@
upgrade:
- The default policy on os-server-tags has been changed from
``RULE_ANY`` (allow all) to ``RULE_ADMIN_OR_OWNER``. This is because server
tags should only be manipulated on servers owned by the user or admin. This
doesn't have any affect on how the API works.