Browse Source

Merge "Add new default roles in shelve server policies"

tags/21.0.0.0rc1
Zuul 3 months ago
committed by Gerrit Code Review
parent
commit
dd44293b6f
2 changed files with 39 additions and 3 deletions
  1. +3
    -3
      nova/policies/shelve.py
  2. +36
    -0
      nova/tests/unit/policies/test_shelve.py

+ 3
- 3
nova/policies/shelve.py View File

@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-shelve:%s'
shelve_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'shelve',
check_str=base.RULE_ADMIN_OR_OWNER,
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
description="Shelve server",
operations=[
{
@@ -35,7 +35,7 @@ shelve_policies = [
scope_types=['system', 'project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'unshelve',
check_str=base.RULE_ADMIN_OR_OWNER,
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
description="Unshelve (restore) shelved server",
operations=[
{
@@ -46,7 +46,7 @@ shelve_policies = [
scope_types=['system', 'project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'shelve_offload',
check_str=base.RULE_ADMIN_API,
check_str=base.SYSTEM_ADMIN,
description="Shelf-offload (remove) server",
operations=[
{


+ 36
- 0
nova/tests/unit/policies/test_shelve.py View File

@@ -135,3 +135,39 @@ class ShelveServerScopeTypePolicyTest(ShelveServerPolicyTest):
def setUp(self):
super(ShelveServerScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")


class ShelveServerNoLegacyPolicyTest(ShelveServerScopeTypePolicyTest):
"""Test Shelve Server APIs policies with system scope enabled,
and no more deprecated rules.
"""
without_deprecated_rules = True

def setUp(self):
super(ShelveServerNoLegacyPolicyTest, self).setUp()

# Check that system admin or and owner is able to shelve/unshelve
# the server.
self.admin_or_owner_authorized_contexts = [
self.system_admin_context,
self.project_admin_context, self.project_member_context]
# Check that non-system/admin/owner is not able to shelve/unshelve
# the server.
self.admin_or_owner_unauthorized_contexts = [
self.legacy_admin_context, self.system_member_context,
self.system_reader_context, self.system_foo_context,
self.other_project_member_context, self.project_reader_context,
self.project_foo_context
]
# Check that system admin is able to shelve offload the server.
self.admin_authorized_contexts = [
self.system_admin_context
]
# Check that non system admin is not able to shelve offload the server
self.admin_unauthorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_member_context
]

Loading…
Cancel
Save