Merge "Pass the actual target in server migration policy"

nova/api/openstack/compute/server_migrations.py

@@ -72,9 +72,10 @@ class ServerMigrationsController(wsgi.Controller):
     @validation.schema(server_migrations.force_complete)
     def _force_complete(self, req, id, server_id, body):
         context = req.environ['nova.context']
-        context.can(sm_policies.POLICY_ROOT % 'force_complete')
-
         instance = common.get_instance(self.compute_api, context, server_id)
+        context.can(sm_policies.POLICY_ROOT % 'force_complete',
+                    target={'project_id': instance.project_id})
+
         try:
             self.compute_api.live_migrate_force_complete(context, instance, id)
         except exception.InstanceNotFound as e:
@@ -94,11 +95,12 @@ class ServerMigrationsController(wsgi.Controller):
     def index(self, req, server_id):
         """Return all migrations of an instance in progress."""
         context = req.environ['nova.context']
-        context.can(sm_policies.POLICY_ROOT % 'index')
-
         # NOTE(Shaohe Feng) just check the instance is available. To keep
         # consistency with other API, check it before get migrations.
-        common.get_instance(self.compute_api, context, server_id)
+        instance = common.get_instance(self.compute_api, context, server_id)
+
+        context.can(sm_policies.POLICY_ROOT % 'index',
+                    target={'project_id': instance.project_id})
 
         migrations = self.compute_api.get_migrations_in_progress_by_instance(
                 context, server_id, 'live-migration')
@@ -115,11 +117,12 @@ class ServerMigrationsController(wsgi.Controller):
     def show(self, req, server_id, id):
         """Return the migration of an instance in progress by id."""
         context = req.environ['nova.context']
-        context.can(sm_policies.POLICY_ROOT % 'show')
-
         # NOTE(Shaohe Feng) just check the instance is available. To keep
         # consistency with other API, check it before get migrations.
-        common.get_instance(self.compute_api, context, server_id)
+        instance = common.get_instance(self.compute_api, context, server_id)
+
+        context.can(sm_policies.POLICY_ROOT % 'show',
+                    target={'project_id': instance.project_id})
 
         try:
             migration = self.compute_api.get_migration_by_id_and_instance(
@@ -153,11 +156,12 @@ class ServerMigrationsController(wsgi.Controller):
     def delete(self, req, server_id, id):
         """Abort an in progress migration of an instance."""
         context = req.environ['nova.context']
-        context.can(sm_policies.POLICY_ROOT % 'delete')
+        instance = common.get_instance(self.compute_api, context, server_id)
+        context.can(sm_policies.POLICY_ROOT % 'delete',
+                    target={'project_id': instance.project_id})
 
         support_abort_in_queue = api_version_request.is_supported(req, '2.65')
 
-        instance = common.get_instance(self.compute_api, context, server_id)
         try:
             self.compute_api.live_migrate_abort(
                 context, instance, id,

nova/tests/unit/policies/test_server_migrations.py

@@ -17,6 +17,7 @@ from oslo_utils.fixture import uuidsentinel as uuids
 
 from nova.api.openstack.compute import server_migrations
 from nova.compute import vm_states
+from nova.policies import base as base_policy
 from nova.policies import servers_migrations as policies
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import fake_instance
@@ -156,3 +157,52 @@ class ServerMigrationsNoLegacyPolicyTest(ServerMigrationsScopeTypePolicyTest):
             self.other_project_member_context,
             self.project_foo_context, self.project_reader_context
         ]
+
+
+class ServerMigrationsOverridePolicyTest(ServerMigrationsNoLegacyPolicyTest):
+    """Test Server Migrations APIs policies with system and project scoped
+    but default to system roles only are allowed for project roles
+    if override by operators. This test is with system scope enable
+    and no more deprecated rules.
+    """
+
+    def setUp(self):
+        super(ServerMigrationsOverridePolicyTest, self).setUp()
+        rule_show = policies.POLICY_ROOT % 'show'
+        rule_list = policies.POLICY_ROOT % 'index'
+        rule_force = policies.POLICY_ROOT % 'force_complete'
+        rule_delete = policies.POLICY_ROOT % 'delete'
+        # NOTE(gmann): override the rule to project member and verify it
+        # work as policy is system and projct scoped.
+        self.policy.set_rules({
+            rule_show: base_policy.PROJECT_READER_OR_SYSTEM_READER,
+            rule_list: base_policy.PROJECT_READER_OR_SYSTEM_READER,
+            rule_force: base_policy.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+            rule_delete: base_policy.PROJECT_MEMBER_OR_SYSTEM_ADMIN},
+            overwrite=False)
+
+        # Check that system admin or project scoped role as override above
+        # is able to migrate the server
+        self.admin_authorized_contexts = [
+            self.system_admin_context,
+            self.project_admin_context, self.project_member_context]
+        # Check that non-system admin or project role is not able to
+        # migrate the server
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.system_foo_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context
+        ]
+        # Check that system reader is able to perform operations
+        # for server migrations.
+        self.reader_authorized_contexts = [
+            self.system_admin_context, self.system_member_context,
+            self.system_reader_context, self.project_admin_context,
+            self.project_member_context, self.project_reader_context]
+        # Check that non-system-reader is not able to perform operations
+        # for server migrations.
+        self.reader_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_foo_context,
+            self.other_project_member_context, self.project_foo_context
+        ]