Add new default roles in quota class policies

This adds new defaults roles in quota class API policies. as SYSTEM_ADMIN Removing the quota_class from check_str as those were half implemented feature from rackspace use case. We do not pass the quota_class in context as well as in context.to_policy_values() due to that it does not work in current implementation. Also add tests to simulates the future where we drop the deprecation fall back in the policy by overriding the rules with a version where there are no deprecated rule options. Operators can do the same by adding overrides in their policy files that match the default but stop the rule deprecation fallback from happening. Partial implement blueprint policy-defaults-refresh Change-Id: I03f44320368da40281849ca509b55149e7ff14bf
2020-04-10 15:17:56 -05:00 · 2020-04-10 15:17:56 -05:00 · b32860b773
commit b32860b773
parent 3fc5c250e0
2 changed files with 39 additions and 6 deletions
--- a/nova/policies/quota_class_sets.py
+++ b/nova/policies/quota_class_sets.py
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-class-sets:%s'
 quota_class_sets_policies = [
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'show',
-        check_str='is_admin:True or quota_class:%(quota_class)s',
+        check_str=base.SYSTEM_READER,
        description="List quotas for specific quota classs",
        operations=[
            {
@ -35,7 +35,7 @@ quota_class_sets_policies = [
        scope_types=['system']),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'update',
-        check_str=base.RULE_ADMIN_API,
+        check_str=base.SYSTEM_ADMIN,
        description='Update quotas for specific quota class',
        operations=[
            {
--- a/nova/tests/unit/policies/test_quota_class_sets.py
+++ b/nova/tests/unit/policies/test_quota_class_sets.py
@ -31,17 +31,28 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest):
        self.controller = quota_classes.QuotaClassSetsController()
        self.req = fakes.HTTPRequest.blank('')

-        # Check that admin is able to update and get quota class
+        # Check that admin is able to update quota class
        self.admin_authorized_contexts = [
            self.legacy_admin_context, self.system_admin_context,
            self.project_admin_context]
-        # Check that non-admin is not able to update and get quota class
+        # Check that non-admin is not able to update quota class
        self.admin_unauthorized_contexts = [
            self.system_member_context, self.system_reader_context,
            self.system_foo_context, self.project_member_context,
            self.project_reader_context, self.project_foo_context,
            self.other_project_member_context
        ]
+        # Check that system reader is able to get quota class
+        self.system_reader_authorized_contexts = [
+            self.legacy_admin_context, self.system_admin_context,
+            self.project_admin_context, self.system_member_context,
+            self.system_reader_context]
+        # Check that non-system reader is not able to get quota class
+        self.system_reader_unauthorized_contexts = [
+            self.system_foo_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context,
+            self.other_project_member_context
+        ]

    @mock.patch('nova.objects.Quotas.update_class')
    def test_update_quota_class_sets_policy(self, mock_update):
@ -61,8 +72,8 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest):
    @mock.patch('nova.quota.QUOTAS.get_class_quotas')
    def test_show_quota_class_sets_policy(self, mock_get):
        rule_name = policies.POLICY_ROOT % 'show'
-        self.common_policy_check(self.admin_authorized_contexts,
-                                 self.admin_unauthorized_contexts,
+        self.common_policy_check(self.system_reader_authorized_contexts,
+                                 self.system_reader_unauthorized_contexts,
                                 rule_name,
                                 self.controller.show,
                                 self.req, 'test_class')
@ -92,3 +103,25 @@ class QuotaClassSetsScopeTypePolicyTest(QuotaClassSetsPolicyTest):
            self.project_reader_context, self.project_foo_context,
            self.other_project_member_context
        ]
+        # Check that system reader is able to get quota class
+        self.system_reader_authorized_contexts = [
+            self.system_admin_context, self.system_member_context,
+            self.system_reader_context]
+        # Check that non-system reader is not able to get quota class
+        self.system_reader_unauthorized_contexts = [
+            self.legacy_admin_context, self.project_admin_context,
+            self.system_foo_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context,
+            self.other_project_member_context
+        ]
+
+
+class QuotaClassSetsNoLegacyPolicyTest(QuotaClassSetsScopeTypePolicyTest):
+    """Test Quota Class Sets APIs policies with system scope enabled,
+    and no more deprecated rules that allow the legacy admin API to
+    access system APIs.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(QuotaClassSetsNoLegacyPolicyTest, self).setUp()