Merge "Pass the actual target in server migration policy"
commit
bea6e368a6
|
@ -72,9 +72,10 @@ class ServerMigrationsController(wsgi.Controller):
|
|||
@validation.schema(server_migrations.force_complete)
|
||||
def _force_complete(self, req, id, server_id, body):
|
||||
context = req.environ['nova.context']
|
||||
context.can(sm_policies.POLICY_ROOT % 'force_complete')
|
||||
|
||||
instance = common.get_instance(self.compute_api, context, server_id)
|
||||
context.can(sm_policies.POLICY_ROOT % 'force_complete',
|
||||
target={'project_id': instance.project_id})
|
||||
|
||||
try:
|
||||
self.compute_api.live_migrate_force_complete(context, instance, id)
|
||||
except exception.InstanceNotFound as e:
|
||||
|
@ -94,11 +95,12 @@ class ServerMigrationsController(wsgi.Controller):
|
|||
def index(self, req, server_id):
|
||||
"""Return all migrations of an instance in progress."""
|
||||
context = req.environ['nova.context']
|
||||
context.can(sm_policies.POLICY_ROOT % 'index')
|
||||
|
||||
# NOTE(Shaohe Feng) just check the instance is available. To keep
|
||||
# consistency with other API, check it before get migrations.
|
||||
common.get_instance(self.compute_api, context, server_id)
|
||||
instance = common.get_instance(self.compute_api, context, server_id)
|
||||
|
||||
context.can(sm_policies.POLICY_ROOT % 'index',
|
||||
target={'project_id': instance.project_id})
|
||||
|
||||
migrations = self.compute_api.get_migrations_in_progress_by_instance(
|
||||
context, server_id, 'live-migration')
|
||||
|
@ -115,11 +117,12 @@ class ServerMigrationsController(wsgi.Controller):
|
|||
def show(self, req, server_id, id):
|
||||
"""Return the migration of an instance in progress by id."""
|
||||
context = req.environ['nova.context']
|
||||
context.can(sm_policies.POLICY_ROOT % 'show')
|
||||
|
||||
# NOTE(Shaohe Feng) just check the instance is available. To keep
|
||||
# consistency with other API, check it before get migrations.
|
||||
common.get_instance(self.compute_api, context, server_id)
|
||||
instance = common.get_instance(self.compute_api, context, server_id)
|
||||
|
||||
context.can(sm_policies.POLICY_ROOT % 'show',
|
||||
target={'project_id': instance.project_id})
|
||||
|
||||
try:
|
||||
migration = self.compute_api.get_migration_by_id_and_instance(
|
||||
|
@ -153,11 +156,12 @@ class ServerMigrationsController(wsgi.Controller):
|
|||
def delete(self, req, server_id, id):
|
||||
"""Abort an in progress migration of an instance."""
|
||||
context = req.environ['nova.context']
|
||||
context.can(sm_policies.POLICY_ROOT % 'delete')
|
||||
instance = common.get_instance(self.compute_api, context, server_id)
|
||||
context.can(sm_policies.POLICY_ROOT % 'delete',
|
||||
target={'project_id': instance.project_id})
|
||||
|
||||
support_abort_in_queue = api_version_request.is_supported(req, '2.65')
|
||||
|
||||
instance = common.get_instance(self.compute_api, context, server_id)
|
||||
try:
|
||||
self.compute_api.live_migrate_abort(
|
||||
context, instance, id,
|
||||
|
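Review bot: In `index` and `show` the retained `NOTE(Shaohe Feng)` comment still says the lookup is there to "just check the instance is available", but the new `instance = common.get_instance(...)` line also supplies the `project_id` used as the policy target, so the comment is stale. I would reword it along the lines of `# Look up the instance first: it confirms the server exists and supplies the project_id used as the policy target.` The same reordering in all four handlers means the lookup now runs before any authorization check. A caller who fails the policy may therefore get a different error for a missing server than for an existing one. Whether that reveals existence across projects depends on how `common.get_instance` scopes the lookup, which is not visible here, so it is worth pinning with a test. The bodies of these methods continue outside the hunks.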
|
|
@ -17,6 +17,7 @@ from oslo_utils.fixture import uuidsentinel as uuids
|
|||
|
||||
from nova.api.openstack.compute import server_migrations
|
||||
from nova.compute import vm_states
|
||||
from nova.policies import base as base_policy
|
||||
from nova.policies import servers_migrations as policies
|
||||
from nova.tests.unit.api.openstack import fakes
|
||||
from nova.tests.unit import fake_instance
|
||||
|
@ -156,3 +157,52 @@ class ServerMigrationsNoLegacyPolicyTest(ServerMigrationsScopeTypePolicyTest):
|
|||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
|
||||
class ServerMigrationsOverridePolicyTest(ServerMigrationsNoLegacyPolicyTest):
|
||||
"""Test Server Migrations APIs policies with system and project scoped
|
||||
but default to system roles only are allowed for project roles
|
||||
if override by operators. This test is with system scope enable
|
||||
and no more deprecated rules.
|
||||
"""
|
||||
|
||||
def setUp(self):
|
||||
super(ServerMigrationsOverridePolicyTest, self).setUp()
|
||||
rule_show = policies.POLICY_ROOT % 'show'
|
||||
rule_list = policies.POLICY_ROOT % 'index'
|
||||
rule_force = policies.POLICY_ROOT % 'force_complete'
|
||||
rule_delete = policies.POLICY_ROOT % 'delete'
|
||||
# NOTE(gmann): override the rule to project member and verify it
|
||||
# work as policy is system and projct scoped.
|
||||
self.policy.set_rules({
|
||||
rule_show: base_policy.PROJECT_READER_OR_SYSTEM_READER,
|
||||
rule_list: base_policy.PROJECT_READER_OR_SYSTEM_READER,
|
||||
rule_force: base_policy.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||
rule_delete: base_policy.PROJECT_MEMBER_OR_SYSTEM_ADMIN},
|
||||
overwrite=False)
|
||||
|
||||
# Check that system admin or project scoped role as override above
|
||||
# is able to migrate the server
|
||||
self.admin_authorized_contexts = [
|
||||
self.system_admin_context,
|
||||
self.project_admin_context, self.project_member_context]
|
||||
# Check that non-system admin or project role is not able to
|
||||
# migrate the server
|
||||
self.admin_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
# Check that system reader is able to perform operations
|
||||
# for server migrations.
|
||||
self.reader_authorized_contexts = [
|
||||
self.system_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context]
|
||||
# Check that non-system-reader is not able to perform operations
|
||||
# for server migrations.
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.system_foo_context,
|
||||
self.other_project_member_context, self.project_foo_context
|
||||
]
|
||||
|
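Review bot: The comments above the four context lists in `setUp` do not describe what the lists hold. "is able to migrate the server" sits over the contexts for `force_complete` and `delete`, and "system reader is able to perform operations" sits over a list that also contains three project-scoped contexts. `other_project_member_context` appears in both unauthorized lists and is presumably the case that exercises the new `project_id` target, so I would say so explicitly, e.g. `# A member of another project must be rejected: the policy target is the server's project_id.` The class docstring is also hard to parse, and the comment above `set_rules` has a typo (`projct`). A summary line such as `"""Verify operator overrides that grant project roles are enforced against the server's project."""` would read more clearly.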
|