Remove all discoverable policy rules

We have signaled many times the use of API extensions to change the API
has been deprecated, including:
04f8612aa9

This patch ensures we no longer check any of the discoverable rules when
compiling the list of extensions to list in the API. This stops users
from being able to use policy to hide certain API extensions. This was
never that useful, but now that you can't turn any extensions off and we
report the API version number, it is basically useless.

Note the change in the policy cmd unit test is to ensure now there are
no rules that use the ANY rule, we correctly check we return an empty
list of rules that match.

blueprint remove-discoverable-policy-rules

Change-Id: I61d8063708731133177534888ba7f5f05a6bd901
John Garbutt 2017-04-25 10:16:50 +01:00
parent 671eb66f3d
commit d3b647a000
89 changed files with 29 additions and 797 deletions


@ -43,7 +43,6 @@ from nova.api.openstack.compute import suspend_server
from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova import exception
from nova.policies import base as base_policies
from nova.policies import extensions as ext_policies
ALIAS = 'extensions'
@ -270,7 +269,7 @@ class ExtensionInfoController(wsgi.Controller):
def _create_fake_ext(self, name, alias, description=""):
return FakeExtension(name, alias, description)
def _add_vif_extension(self, discoverable_extensions):
def _add_vif_extension(self, all_extensions):
vif_extension = {}
vif_extension_info = {'name': 'ExtendedVIFNet',
'alias': 'OS-EXT-VIF-NET',
@ -279,15 +278,15 @@ class ExtensionInfoController(wsgi.Controller):
vif_extension[vif_extension_info["alias"]] = self._create_fake_ext(
vif_extension_info["name"], vif_extension_info["alias"],
vif_extension_info["description"])
discoverable_extensions.update(vif_extension)
all_extensions.update(vif_extension)
def _get_extensions(self, context):
"""Filter extensions list based on policy."""
discoverable_extensions = dict()
all_extensions = dict()
for item in hardcoded_extensions:
discoverable_extensions[item['alias']] = self._create_fake_ext(
all_extensions[item['alias']] = self._create_fake_ext(
item['name'],
item['alias'],
item['description']
@ -295,63 +294,51 @@ class ExtensionInfoController(wsgi.Controller):
for ext_cls in unused_extension_objs:
ext = ext_cls(None)
action = ':'.join([
base_policies.COMPUTE_API, ext.alias, 'discoverable'])
if context.can(action, fatal=False):
discoverable_extensions[ext.alias] = ext
else:
LOG.debug("Filter out extension %s from discover list",
ext.alias)
all_extensions[ext.alias] = ext
for alias, ext in self.extension_info.get_extensions().items():
action = ':'.join([
base_policies.COMPUTE_API, alias, 'discoverable'])
if context.can(action, fatal=False):
discoverable_extensions[alias] = ext
else:
LOG.debug("Filter out extension %s from discover list",
alias)
all_extensions[alias] = ext
# Add fake v2 extensions to list
extra_exts = {}
for alias in discoverable_extensions:
for alias in all_extensions:
if alias in v21_to_v2_extension_list_mapping:
for extra_ext in v21_to_v2_extension_list_mapping[alias]:
extra_exts[extra_ext["alias"]] = self._create_fake_ext(
extra_ext["name"], extra_ext["alias"],
extra_ext["description"])
discoverable_extensions.update(extra_exts)
all_extensions.update(extra_exts)
# Suppress extensions which we don't want to see in v2
for suppress_ext in v2_extension_suppress_list:
try:
del discoverable_extensions[suppress_ext]
del all_extensions[suppress_ext]
except KeyError:
pass
# v2.1 to v2 extension name mapping
for rename_ext in v21_to_v2_alias_mapping:
if rename_ext in discoverable_extensions:
if rename_ext in all_extensions:
new_name = v21_to_v2_alias_mapping[rename_ext]
mod_ext = copy.deepcopy(
discoverable_extensions.pop(rename_ext))
all_extensions.pop(rename_ext))
mod_ext.alias = new_name
discoverable_extensions[new_name] = mod_ext
all_extensions[new_name] = mod_ext
return discoverable_extensions
return all_extensions
@extensions.expected_errors(())
def index(self, req):
context = req.environ['nova.context']
context.can(ext_policies.BASE_POLICY_NAME)
discoverable_extensions = self._get_extensions(context)
all_extensions = self._get_extensions(context)
# NOTE(gmann): This is for v2.1 compatible mode where
# extension list should show all extensions as shown by v2.
# Here we add VIF extension which has been removed from v2.1 list.
if req.is_legacy_v2():
self._add_vif_extension(discoverable_extensions)
self._add_vif_extension(all_extensions)
sorted_ext_list = sorted(
discoverable_extensions.items())
all_extensions.items())
extensions = []
for _alias, ext in sorted_ext_list:
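Review bot: The docstring kept on `_get_extensions`, "Filter extensions list based on policy.", is stale now that both loops add every extension to `all_extensions` without calling `context.can`; something like `"""Return every extension to list; per-extension policy is no longer consulted."""` would match the new behaviour. With the `discoverable` checks gone, the `context` parameter looks unused in the lines shown, so it could be dropped or documented as kept only for signature compatibility. The list is now gated solely by `context.can(ext_policies.BASE_POLICY_NAME)` in `index`, so a deployment that overrode a `*:discoverable` rule to hide an extension will start listing it after upgrade, and with the `LOG.debug` lines removed nothing records the change. If the commit does not already carry one outside this view, an upgrade release note saying those overrides are now ignored would tell operators to review what the extension list exposes. `index` continues past the end of this section.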


@ -22,8 +22,6 @@ from nova.policies import attach_interfaces
from nova.policies import availability_zone
from nova.policies import baremetal_nodes
from nova.policies import base
from nova.policies import block_device_mapping
from nova.policies import block_device_mapping_v1
from nova.policies import cells
from nova.policies import cells_scheduler
from nova.policies import certificates
@ -39,7 +37,6 @@ from nova.policies import extended_availability_zone
from nova.policies import extended_server_attributes
from nova.policies import extended_status
from nova.policies import extended_volumes
from nova.policies import extension_info
from nova.policies import extensions
from nova.policies import fixed_ips
from nova.policies import flavor_access
@ -55,9 +52,7 @@ from nova.policies import fping
from nova.policies import hide_server_addresses
from nova.policies import hosts
from nova.policies import hypervisors
from nova.policies import image_metadata
from nova.policies import image_size
from nova.policies import images
from nova.policies import instance_actions
from nova.policies import instance_usage_audit_log
from nova.policies import ips
@ -67,7 +62,6 @@ from nova.policies import lock_server
from nova.policies import migrate_server
from nova.policies import migrations
from nova.policies import multinic
from nova.policies import multiple_create
from nova.policies import networks
from nova.policies import networks_associate
from nova.policies import pause_server
@ -75,7 +69,6 @@ from nova.policies import quota_class_sets
from nova.policies import quota_sets
from nova.policies import remote_consoles
from nova.policies import rescue
from nova.policies import scheduler_hints
from nova.policies import security_group_default_rules
from nova.policies import security_groups
from nova.policies import server_diagnostics
@ -93,8 +86,6 @@ from nova.policies import simple_tenant_usage
from nova.policies import suspend_server
from nova.policies import tenant_networks
from nova.policies import used_limits
from nova.policies import user_data
from nova.policies import versions
from nova.policies import virtual_interfaces
from nova.policies import volumes
from nova.policies import volumes_attachments
@ -111,8 +102,6 @@ def list_rules():
availability_zone.list_rules(),
baremetal_nodes.list_rules(),
base.list_rules(),
block_device_mapping.list_rules(),
block_device_mapping_v1.list_rules(),
cells.list_rules(),
cells_scheduler.list_rules(),
certificates.list_rules(),
@ -128,7 +117,6 @@ def list_rules():
extended_server_attributes.list_rules(),
extended_status.list_rules(),
extended_volumes.list_rules(),
extension_info.list_rules(),
extensions.list_rules(),
fixed_ips.list_rules(),
flavor_access.list_rules(),
@ -144,9 +132,7 @@ def list_rules():
hide_server_addresses.list_rules(),
hosts.list_rules(),
hypervisors.list_rules(),
image_metadata.list_rules(),
image_size.list_rules(),
images.list_rules(),
instance_actions.list_rules(),
instance_usage_audit_log.list_rules(),
ips.list_rules(),
@ -156,7 +142,6 @@ def list_rules():
migrate_server.list_rules(),
migrations.list_rules(),
multinic.list_rules(),
multiple_create.list_rules(),
networks.list_rules(),
networks_associate.list_rules(),
pause_server.list_rules(),
@ -164,7 +149,6 @@ def list_rules():
quota_sets.list_rules(),
remote_consoles.list_rules(),
rescue.list_rules(),
scheduler_hints.list_rules(),
security_group_default_rules.list_rules(),
security_groups.list_rules(),
server_diagnostics.list_rules(),
@ -182,8 +166,6 @@ def list_rules():
suspend_server.list_rules(),
tenant_networks.list_rules(),
used_limits.list_rules(),
user_data.list_rules(),
versions.list_rules(),
virtual_interfaces.list_rules(),
volumes.list_rules(),
volumes_attachments.list_rules()


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-admin-actions'
POLICY_ROOT = 'os_compute_api:os-admin-actions:%s'
admin_actions_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'reset_state',
base.RULE_ADMIN_API,


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-admin-password'
POLICY_ROOT = 'os_compute_api:os-admin-password:%s'
admin_password_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,


@ -13,13 +13,10 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-agents'
POLICY_ROOT = 'os_compute_api:os-agents:%s'
agents_policies = [
@ -35,9 +32,6 @@ XenAPI guest agent on instance boot.
{'path': '/os-agents', 'method': 'POST'},
{'path': '/os-agents/{agent_build_id}', 'method': 'PUT'},
{'path': '/os-agents/{agent_build_id}', 'method': 'DELETE'}]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -42,9 +40,6 @@ aggregates_policies = [
'method': 'POST'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'create',
base.RULE_ADMIN_API,


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -42,9 +40,6 @@ assisted_volume_snapshots_policies = [
'method': 'DELETE'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -38,9 +36,6 @@ interface attached to a server",
'path': '/servers/{server_id}/os-interface/{port_id}'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'create',
base.RULE_ADMIN_OR_OWNER,


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -32,9 +30,6 @@ availability_zone_policies = [
'path': 'os-availability-zone'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'detail',
base.RULE_ADMIN_API,


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-baremetal-nodes'
POLICY_ROOT = 'os_compute_api:os-baremetal-nodes:%s'
baremetal_nodes_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,


@ -1,32 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-block-device-mapping:%s'
block_device_mapping_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return block_device_mapping_policies


@ -1,32 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-block-device-mapping-v1:%s'
block_device_mapping_v1_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return block_device_mapping_v1_policies


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -23,9 +21,6 @@ POLICY_ROOT = 'os_compute_api:os-cells:%s'
cells_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'update',
base.RULE_ADMIN_API,


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -22,9 +20,6 @@ POLICY_ROOT = 'os_compute_api:os-certificates:%s'
certificates_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'create',
base.RULE_ADMIN_OR_OWNER,


@ -13,13 +13,10 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-cloudpipe'
POLICY_ROOT = 'os_compute_api:os-cloudpipe:%s'
cloudpipe_policies = [
@ -45,9 +42,6 @@ itself is deprecated.
'path': '/os-cloudpipe/configure-project'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -19,13 +19,9 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-config-drive'
POLICY_ROOT = 'os_compute_api:os-config-drive:%s'
config_drive_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-console-auth-tokens'
POLICY_ROOT = 'os_compute_api:os-console-auth-tokens:%s'
console_auth_tokens_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-console-output'
POLICY_ROOT = 'os_compute_api:os-console-output:%s'
console_output_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -52,9 +50,6 @@ consoles_policies = [
'path': '/servers/{server_id}/consoles/{console_id}'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'index',
base.RULE_ADMIN_OR_OWNER,


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-create-backup'
POLICY_ROOT = 'os_compute_api:os-create-backup:%s'
create_backup_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-deferred-delete'
POLICY_ROOT = 'os_compute_api:os-deferred-delete:%s'
deferred_delete_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-evacuate'
POLICY_ROOT = 'os_compute_api:os-evacuate:%s'
evacuate_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,


@ -19,16 +19,12 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-extended-availability-zone'
POLICY_ROOT = 'os_compute_api:os-extended-availability-zone:%s'
extended_availability_zone_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -19,16 +19,12 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-extended-server-attributes'
POLICY_ROOT = 'os_compute_api:os-extended-server-attributes:%s'
extended_server_attributes_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -19,13 +19,9 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-extended-status'
POLICY_ROOT = 'os_compute_api:os-extended-status:%s'
extended_status_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),


@ -19,16 +19,12 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-extended-volumes'
POLICY_ROOT = 'os_compute_api:os-extended-volumes:%s'
extended_volumes_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -1,32 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:extension_info:%s'
extension_info_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return extension_info_policies


@ -19,16 +19,12 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:extensions'
POLICY_ROOT = 'os_compute_api:extensions:%s'
extensions_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -19,13 +19,9 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-fixed-ips'
POLICY_ROOT = 'os_compute_api:os-fixed-ips:%s'
fixed_ips_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API),


@ -26,9 +26,6 @@ flavor_access_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'add_tenant_access',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=POLICY_ROOT % 'remove_tenant_access',
check_str=base.RULE_ADMIN_API),


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -45,9 +43,6 @@ flavor_extra_specs_policies = [
}
]
),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'update',
base.RULE_ADMIN_API,


@ -19,16 +19,12 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-flavor-manage'
POLICY_ROOT = 'os_compute_api:os-flavor-manage:%s'
flavor_manage_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -19,16 +19,12 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-flavor-rxtx'
POLICY_ROOT = 'os_compute_api:os-flavor-rxtx:%s'
flavor_rxtx_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -19,13 +19,9 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:flavors'
POLICY_ROOT = 'os_compute_api:flavors:%s'
flavors_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),


@ -29,9 +29,6 @@ floating_ip_dns_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'domain:update',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=POLICY_ROOT % 'domain:delete',
check_str=base.RULE_ADMIN_API),


@ -19,13 +19,9 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-floating-ip-pools'
POLICY_ROOT = 'os_compute_api:os-floating-ip-pools:%s'
floating_ip_pools_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),


@ -19,16 +19,12 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-floating-ips'
POLICY_ROOT = 'os_compute_api:os-floating-ips:%s'
floating_ips_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -19,13 +19,9 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-floating-ips-bulk'
POLICY_ROOT = 'os_compute_api:os-floating-ips-bulk:%s'
floating_ips_bulk_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API),


@ -26,9 +26,6 @@ fping_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'all_tenants',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),


@ -15,17 +15,11 @@
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-hide-server-addresses'
POLICY_ROOT = 'os_compute_api:os-hide-server-addresses:%s'
hide_server_addresses_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str='is_admin:False'),


@ -19,13 +19,9 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-hosts'
POLICY_ROOT = 'os_compute_api:os-hosts:%s'
hosts_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API),


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-hypervisors'
POLICY_ROOT = 'os_compute_api:os-hypervisors:%s'
hypervisors_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,


@ -1,32 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:image-metadata:%s'
image_metadata_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return image_metadata_policies


@ -19,13 +19,9 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:image-size'
POLICY_ROOT = 'os_compute_api:image-size:%s'
image_size_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),


@ -1,32 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:images:%s'
images_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return images_policies


@ -29,9 +29,6 @@ instance_actions_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -19,16 +19,12 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-instance-usage-audit-log'
POLICY_ROOT = 'os_compute_api:os-instance-usage-audit-log:%s'
instance_usage_audit_log_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -22,9 +22,6 @@ POLICY_ROOT = 'os_compute_api:ips:%s'
ips_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.RULE_ADMIN_OR_OWNER),


@ -23,9 +23,6 @@ POLICY_ROOT = 'os_compute_api:os-keypairs:%s'
keypairs_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'index',
'rule:admin_api or user_id:%(user_id)s',


@ -19,13 +19,9 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:limits'
POLICY_ROOT = 'os_compute_api:limits:%s'
limits_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -22,9 +20,6 @@ POLICY_ROOT = 'os_compute_api:os-lock-server:%s'
lock_server_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'lock',
base.RULE_ADMIN_OR_OWNER,


@ -25,9 +25,6 @@ migrate_server_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'migrate',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=POLICY_ROOT % 'migrate_live',
check_str=base.RULE_ADMIN_API),


@ -25,9 +25,6 @@ migrations_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -19,16 +19,12 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-multinic'
POLICY_ROOT = 'os_compute_api:os-multinic:%s'
multinic_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -1,32 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-multiple-create:%s'
multiple_create_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return multiple_create_policies


@ -23,9 +23,6 @@ POLICY_ROOT = 'os_compute_api:os-networks:%s'
networks_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API),


@ -19,16 +19,12 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-networks-associate'
POLICY_ROOT = 'os_compute_api:os-networks-associate:%s'
networks_associate_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -22,9 +20,6 @@ POLICY_ROOT = 'os_compute_api:os-pause-server:%s'
pause_server_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'pause',
base.RULE_ADMIN_OR_OWNER,


@ -25,9 +25,6 @@ quota_class_sets_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'show',
check_str='is_admin:True or quota_class:%(quota_class)s'),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=POLICY_ROOT % 'update',
check_str=base.RULE_ADMIN_API),


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -62,9 +60,6 @@ quota_sets_policies = [
'path': '/os-quota-sets/{tenant_id}'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'detail',
base.RULE_ADMIN_API,


@ -13,13 +13,10 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-remote-consoles'
POLICY_ROOT = 'os_compute_api:os-remote-consoles:%s'
remote_consoles_policies = [
@ -49,9 +46,6 @@ remote_consoles_policies = [
'path': '/servers/{server_id}/remote-consoles'
},
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-rescue'
POLICY_ROOT = 'os_compute_api:os-rescue:%s'
rescue_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,


@ -1,32 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-scheduler-hints:%s'
scheduler_hints_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return scheduler_hints_policies


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-security-group-default-rules'
POLICY_ROOT = 'os_compute_api:os-security-group-default-rules:%s'
security_group_default_rules_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,


@ -13,13 +13,10 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-security-groups'
POLICY_ROOT = 'os_compute_api:os-security-groups:%s'
security_groups_policies = [
@ -83,9 +80,6 @@ server representation""",
'path': '/servers/detail'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -13,13 +13,10 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-server-diagnostics'
POLICY_ROOT = 'os_compute_api:os-server-diagnostics:%s'
server_diagnostics_policies = [
@ -33,9 +30,6 @@ server_diagnostics_policies = [
'path': '/servers/{server_id}/diagnostics'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -32,9 +30,6 @@ server_external_events_policies = [
'path': '/os-server-external-events'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -24,9 +24,6 @@ BASE_POLICY_RULE = 'rule:%s' % BASE_POLICY_NAME
server_groups_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
# TODO(Kevin_Zheng): remove this rule as this not used by any API
policy.RuleDefault(
name=BASE_POLICY_NAME,


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -22,9 +20,6 @@ POLICY_ROOT = 'os_compute_api:server-metadata:%s'
server_metadata_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'index',
base.RULE_ADMIN_OR_OWNER,


@ -13,13 +13,10 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-server-password'
POLICY_ROOT = 'os_compute_api:os-server-password:%s'
server_password_policies = [
@ -37,9 +34,6 @@ server_password_policies = [
'path': '/servers/{server_id}/os-server-password'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -86,9 +84,6 @@ server_tags_policies = [
}
]
),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY)
]


@ -19,16 +19,12 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-server-usage'
POLICY_ROOT = 'os_compute_api:os-server-usage:%s'
server_usage_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -11,8 +11,6 @@
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -246,7 +244,6 @@ rules = [
'path': '/servers/{server_id}/action (trigger_crash_dump)'
}
]),
policy.RuleDefault(SERVERS % 'discoverable', base.RULE_ANY),
]


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -63,9 +61,6 @@ servers_migrations_policies = [
'path': '/servers/{server_id}/migrations'
}
]),
policy.RuleDefault(
name='os_compute_api:server-migrations:discoverable',
check_str=base.RULE_ANY),
]


@ -13,13 +13,10 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-services'
POLICY_ROOT = 'os_compute_api:os-services:%s'
services_policies = [
@ -56,9 +53,6 @@ deletes a Compute service.""",
'path': '/os-services/{service_id}'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -52,9 +50,6 @@ shelve_policies = [
'path': '/servers/{server_id}/action (shelveOffload)'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -42,9 +40,6 @@ simple_tenant_usage_policies = [
'path': '/os-simple-tenant-usage'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -42,9 +40,6 @@ suspend_server_policies = [
'path': '/servers/{server_id}/action (suspend)'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -13,13 +13,10 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-tenant-networks'
POLICY_ROOT = 'os_compute_api:os-tenant-networks:%s'
tenant_networks_policies = [
@ -53,9 +50,6 @@ deprecated.""",
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-used-limits'
POLICY_ROOT = 'os_compute_api:os-used-limits:%s'
used_limits_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
# TODO(aunnam): Remove this rule after we seperate the scope check from
# policies, as this is only checking the scope.
base.create_rule_default(


@ -1,32 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-user-data:%s'
user_data_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return user_data_policies


@ -1,32 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:versions:%s'
versions_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return versions_policies


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-virtual-interfaces'
POLICY_ROOT = 'os_compute_api:os-virtual-interfaces:%s'
virtual_interfaces_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,


@ -13,19 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-volumes'
POLICY_ROOT = 'os_compute_api:os-volumes:%s'
volumes_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,


@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@ -52,9 +50,6 @@ volumes_attachments_policies = [
'/servers/{server_id}/os-volume_attachments/{attachment_id}'
}
]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'update',
base.RULE_ADMIN_API,


@ -58,10 +58,6 @@ simulated_extension_list = {
}
def fake_policy_authorize_selective(context, action, target):
return action != 'os_compute_api:ext1-alias:discoverable'
class ExtensionInfoTest(test.NoDBTestCase):
def setUp(self):
@ -107,30 +103,6 @@ class ExtensionInfoTest(test.NoDBTestCase):
self.assertEqual(res_dict['extension']['links'], [])
self.assertEqual(6, len(res_dict['extension']))
@mock.patch.object(policy, 'authorize')
def test_extension_info_list_not_all_discoverable(self, mock_authorize):
mock_authorize.side_effect = fake_policy_authorize_selective
req = fakes.HTTPRequestV21.blank('/extensions')
res_dict = self.controller.index(req)
# NOTE(sdague): because of hardcoded extensions the count is
# going to grow, and that's fine. We'll just check that it's
# greater than the 2 that we inserted.
self.assertGreaterEqual(len(res_dict['extensions']), 2)
# NOTE(sdague): filter the extension list by only ones that
# are the fake alias names, otherwise we get errors as we
# migrate extensions into the hardcoded list.
for e in [x for x in res_dict['extensions'] if '-alias' in x['alias']]:
self.assertNotEqual('ext1-alias', e['alias'])
self.assertIn(e['alias'], fake_extensions)
self.assertEqual(e['name'], fake_extensions[e['alias']].name)
self.assertEqual(e['alias'], fake_extensions[e['alias']].alias)
self.assertEqual(e['description'],
fake_extensions[e['alias']].__doc__)
self.assertEqual(e['updated'], FAKE_UPDATED_DATE)
self.assertEqual(e['links'], [])
self.assertEqual(6, len(e))
class ExtensionInfoV21Test(test.NoDBTestCase):


@ -112,8 +112,9 @@ class TestPolicyCheck(test.NoDBTestCase):
def _check_filter_rules(self, context=None, target=None,
expected_rules=None):
context = context or nova_context.get_admin_context()
expected_rules = expected_rules or [
r.name for r in ia_policies.list_rules()]
if expected_rules is None:
expected_rules = [
r.name for r in ia_policies.list_rules()]
passing_rules = self.cmd._filter_rules(
context, 'os-instance-actions', target)
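Review bot: The `if expected_rules is None:` check in `_check_filter_rules` needs a comment, because the difference between `None` and an empty list is now the whole point of the line and nothing in the helper says so. With the earlier `expected_rules or [...]` form, a caller passing `expected_rules=[]` would have had it replaced by the full `ia_policies.list_rules()` names, so a "no rule should pass" expectation could not be expressed. I would add `# None selects the default list; [] means no rule is expected to pass.` above the check so a later tidy-up does not fold it back into `or`. The helper's body continues past the end of this hunk, so the assertion that consumes `expected_rules` is not visible here.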


@ -440,89 +440,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
self.allow_all_rules = (
"os_compute_api:os-quota-sets:defaults",
"os_compute_api:extensions:discoverable",
"os_compute_api:os-admin-actions:discoverable",
"os_compute_api:os-admin-password:discoverable",
"os_compute_api:os-aggregates:discoverable",
"os_compute_api:os-agents:discoverable",
"os_compute_api:os-attach-interfaces:discoverable",
"os_compute_api:os-baremetal-nodes:discoverable",
"os_compute_api:os-block-device-mapping:discoverable",
"os_compute_api:os-block-device-mapping-v1:discoverable",
"os_compute_api:os-cells:discoverable",
"os_compute_api:os-certificates:discoverable",
"os_compute_api:os-cloudpipe:discoverable",
"os_compute_api:os-config-drive:discoverable",
"os_compute_api:os-consoles:discoverable",
"os_compute_api:os-console-output:discoverable",
"os_compute_api:os-remote-consoles:discoverable",
"os_compute_api:os-create-backup:discoverable",
"os_compute_api:os-deferred-delete:discoverable",
"os_compute_api:os-evacuate:discoverable",
"os_compute_api:os-extended-server-attributes:discoverable",
"os_compute_api:os-extended-status:discoverable",
"os_compute_api:os-extended-availability-zone:discoverable",
"os_compute_api:extension_info:discoverable",
"os_compute_api:os-extended-volumes:discoverable",
"os_compute_api:os-fixed-ips:discoverable",
"os_compute_api:os-flavor-access:discoverable",
"os_compute_api:os-flavor-rxtx:discoverable",
"os_compute_api:flavors:discoverable",
"os_compute_api:os-flavor-extra-specs:discoverable",
"os_compute_api:os-flavor-manage:discoverable",
"os_compute_api:os-floating-ip-dns:discoverable",
"os_compute_api:os-floating-ip-pools:discoverable",
"os_compute_api:os-floating-ips:discoverable",
"os_compute_api:os-floating-ips-bulk:discoverable",
"os_compute_api:os-fping:discoverable",
"os_compute_api:os-hide-server-addresses:discoverable",
"os_compute_api:os-hosts:discoverable",
"os_compute_api:os-hypervisors:discoverable",
"os_compute_api:images:discoverable",
"os_compute_api:image-metadata:discoverable",
"os_compute_api:image-size:discoverable",
"os_compute_api:os-instance-actions:discoverable",
"os_compute_api:os-instance-usage-audit-log:discoverable",
"os_compute_api:ips:discoverable",
"os_compute_api:os-keypairs:discoverable",
"os_compute_api:limits:discoverable",
"os_compute_api:os-lock-server:discoverable",
"os_compute_api:os-migrate-server:discoverable",
"os_compute_api:os-multinic:discoverable",
"os_compute_api:os-multiple-create:discoverable",
"os_compute_api:os-networks:discoverable",
"os_compute_api:os-networks-associate:discoverable",
"os_compute_api:os-pause-server:discoverable",
"os_compute_api:os-quota-sets:discoverable",
"os_compute_api:os-quota-class-sets:discoverable",
"os_compute_api:os-rescue:discoverable",
"os_compute_api:os-scheduler-hints:discoverable",
"os_compute_api:os-security-group-default-rules:discoverable",
"os_compute_api:os-security-groups:discoverable",
"os_compute_api:os-server-diagnostics:discoverable",
"os_compute_api:os-server-password:discoverable",
"os_compute_api:os-server-usage:discoverable",
"os_compute_api:os-server-groups:discoverable",
"os_compute_api:os-server-tags:discoverable",
"os_compute_api:os-services:discoverable",
"os_compute_api:server-metadata:discoverable",
"os_compute_api:server-migrations:discoverable",
"os_compute_api:servers:discoverable",
"os_compute_api:os-shelve:discoverable",
"os_compute_api:os-simple-tenant-usage:discoverable",
"os_compute_api:os-suspend-server:discoverable",
"os_compute_api:os-tenant-networks:discoverable",
"os_compute_api:os-user-data:discoverable",
"os_compute_api:os-virtual-interfaces:discoverable",
"os_compute_api:os-volumes:discoverable",
"os_compute_api:os-volumes-attachments:discoverable",
"os_compute_api:os-availability-zone:discoverable",
"os_compute_api:os-used-limits:discoverable",
"os_compute_api:os-migrations:discoverable",
"os_compute_api:os-assisted-volume-snapshots:discoverable",
"os_compute_api:os-console-auth-tokens:discoverable",
"os_compute_api:os-server-external-events:discoverable",
"os_compute_api:versions:discoverable",
)
def test_all_rules_in_sample_file(self):


@ -0,0 +1,10 @@
---
upgrade:
- |
All policy rules with the following naming scheme have been
removed: ``os_compute_api:{extension_alias}:discoverable``
These policy rules were used to hide an enabled extension from the
list active API extensions API. Given it is no longer possible to
disable any API extensions, it makes no sense to have the option
to hide the fact an API extension is active. As such, all these policy
rules have been removed.