Merge "Add new default roles in shelve server policies"
This commit is contained in:
commit
dd44293b6f
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-shelve:%s'
|
||||||
shelve_policies = [
|
shelve_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_ROOT % 'shelve',
|
name=POLICY_ROOT % 'shelve',
|
||||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
description="Shelve server",
|
description="Shelve server",
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
|
@ -35,7 +35,7 @@ shelve_policies = [
|
||||||
scope_types=['system', 'project']),
|
scope_types=['system', 'project']),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_ROOT % 'unshelve',
|
name=POLICY_ROOT % 'unshelve',
|
||||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
description="Unshelve (restore) shelved server",
|
description="Unshelve (restore) shelved server",
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
|
@ -46,7 +46,7 @@ shelve_policies = [
|
||||||
scope_types=['system', 'project']),
|
scope_types=['system', 'project']),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_ROOT % 'shelve_offload',
|
name=POLICY_ROOT % 'shelve_offload',
|
||||||
check_str=base.RULE_ADMIN_API,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
description="Shelf-offload (remove) server",
|
description="Shelf-offload (remove) server",
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
|
|
|
@ -135,3 +135,39 @@ class ShelveServerScopeTypePolicyTest(ShelveServerPolicyTest):
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(ShelveServerScopeTypePolicyTest, self).setUp()
|
super(ShelveServerScopeTypePolicyTest, self).setUp()
|
||||||
self.flags(enforce_scope=True, group="oslo_policy")
|
self.flags(enforce_scope=True, group="oslo_policy")
|
||||||
|
|
||||||
|
|
||||||
|
class ShelveServerNoLegacyPolicyTest(ShelveServerScopeTypePolicyTest):
|
||||||
|
"""Test Shelve Server APIs policies with system scope enabled,
|
||||||
|
and no more deprecated rules.
|
||||||
|
"""
|
||||||
|
without_deprecated_rules = True
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(ShelveServerNoLegacyPolicyTest, self).setUp()
|
||||||
|
|
||||||
|
# Check that system admin or and owner is able to shelve/unshelve
|
||||||
|
# the server.
|
||||||
|
self.admin_or_owner_authorized_contexts = [
|
||||||
|
self.system_admin_context,
|
||||||
|
self.project_admin_context, self.project_member_context]
|
||||||
|
# Check that non-system/admin/owner is not able to shelve/unshelve
|
||||||
|
# the server.
|
||||||
|
self.admin_or_owner_unauthorized_contexts = [
|
||||||
|
self.legacy_admin_context, self.system_member_context,
|
||||||
|
self.system_reader_context, self.system_foo_context,
|
||||||
|
self.other_project_member_context, self.project_reader_context,
|
||||||
|
self.project_foo_context
|
||||||
|
]
|
||||||
|
# Check that system admin is able to shelve offload the server.
|
||||||
|
self.admin_authorized_contexts = [
|
||||||
|
self.system_admin_context
|
||||||
|
]
|
||||||
|
# Check that non system admin is not able to shelve offload the server
|
||||||
|
self.admin_unauthorized_contexts = [
|
||||||
|
self.legacy_admin_context, self.project_admin_context,
|
||||||
|
self.system_member_context, self.system_reader_context,
|
||||||
|
self.system_foo_context, self.project_member_context,
|
||||||
|
self.project_reader_context, self.project_foo_context,
|
||||||
|
self.other_project_member_context
|
||||||
|
]
|
||||||
|
|
Loading…
Reference in New Issue