Merge "Add new default roles in shelve server policies"

2020-04-10 00:18:50 +00:00 · 2020-04-10 00:18:50 +00:00 · dd44293b6f
parent f4c5216372 cd470539ed
commit dd44293b6f
2 changed files with 39 additions and 3 deletions
--- a/nova/policies/shelve.py
+++ b/nova/policies/shelve.py
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-shelve:%s'
 shelve_policies = [
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'shelve',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
        description="Shelve server",
        operations=[
            {
@ -35,7 +35,7 @@ shelve_policies = [
        scope_types=['system', 'project']),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'unshelve',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
        description="Unshelve (restore) shelved server",
        operations=[
            {
@ -46,7 +46,7 @@ shelve_policies = [
        scope_types=['system', 'project']),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'shelve_offload',
-        check_str=base.RULE_ADMIN_API,
+        check_str=base.SYSTEM_ADMIN,
        description="Shelf-offload (remove) server",
        operations=[
            {
--- a/nova/tests/unit/policies/test_shelve.py
+++ b/nova/tests/unit/policies/test_shelve.py
@ -135,3 +135,39 @@ class ShelveServerScopeTypePolicyTest(ShelveServerPolicyTest):
    def setUp(self):
        super(ShelveServerScopeTypePolicyTest, self).setUp()
        self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class ShelveServerNoLegacyPolicyTest(ShelveServerScopeTypePolicyTest):
+    """Test Shelve Server APIs policies with system scope enabled,
+    and no more deprecated rules.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(ShelveServerNoLegacyPolicyTest, self).setUp()
+
+        # Check that system admin or and owner is able to shelve/unshelve
+        # the server.
+        self.admin_or_owner_authorized_contexts = [
+            self.system_admin_context,
+            self.project_admin_context, self.project_member_context]
+        # Check that non-system/admin/owner is not able to shelve/unshelve
+        # the server.
+        self.admin_or_owner_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.system_foo_context,
+            self.other_project_member_context, self.project_reader_context,
+            self.project_foo_context
+        ]
+        # Check that system admin is able to shelve offload the server.
+        self.admin_authorized_contexts = [
+            self.system_admin_context
+        ]
+        # Check that non system admin is not able to shelve offload the server
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.project_admin_context,
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context,
+            self.other_project_member_context
+        ]