Add new default roles in os-console-output policies

This adds new defaults roles in os-admin-password API policies. This policy is default to owner or system admin role. Also add tests to simulates the future where we drop the deprecation fall back in the policy by overriding the rules with a version where there are no deprecated rule options. Operators can do the same by adding overrides in their policy files that match the default but stop the rule deprecation fallback from happening. Partial implement blueprint policy-defaults-refresh Change-Id: Icadf5e1a05a93ad1524b2c519f1cc56a65156d8c
2020-02-10 20:40:17 -06:00 · 2020-02-10 20:40:17 -06:00 · cae41d68cf
commit cae41d68cf
parent 5b97df7237
2 changed files with 27 additions and 1 deletions
--- a/nova/policies/console_output.py
+++ b/nova/policies/console_output.py
@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-output'
 console_output_policies = [
    policy.DocumentedRuleDefault(
        name=BASE_POLICY_NAME,
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
        description='Show console output for a server',
        operations=[
            {
--- a/nova/tests/unit/policies/test_console_output.py
+++ b/nova/tests/unit/policies/test_console_output.py
@ -82,3 +82,29 @@ class ConsoleOutputScopeTypePolicyTest(ConsoleOutputPolicyTest):
    def setUp(self):
        super(ConsoleOutputScopeTypePolicyTest, self).setUp()
        self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class ConsoleOutputNoLegacyPolicyTest(ConsoleOutputPolicyTest):
+    """Test Console Output APIs policies with system scope enabled,
+    and no more deprecated rules that allow the legacy admin API to
+    access system_admin_or_owner APIs.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(ConsoleOutputNoLegacyPolicyTest, self).setUp()
+        self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system or projct admin or owner is able to
+        # get the server console.
+        self.admin_authorized_contexts = [
+            self.system_admin_context,
+            self.project_admin_context, self.project_member_context]
+        # Check that non-system and non-admin/owner is not able to
+        # get the server console.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.project_reader_context,
+            self.project_foo_context,
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context,
+            self.other_project_member_context]