Merge "Add Project Manager role context in unit tests"

This commit is contained in:
Zuul
2025-07-16 17:19:32 +00:00
committed by Gerrit Code Review
35 changed files with 286 additions and 151 deletions


@@ -78,12 +78,13 @@ class BasePolicyTest(test.TestCase):
# all context are with implied roles.
self.legacy_admin_context = nova_context.RequestContext(
user_id="legacy_admin", project_id=self.admin_project_id,
roles=['admin', 'member', 'reader'])
roles=['admin', 'manager', 'member', 'reader'])
# system scoped users
self.system_admin_context = nova_context.RequestContext(
user_id="admin",
roles=['admin', 'member', 'reader'], system_scope='all')
roles=['admin', 'manager', 'member', 'reader'],
system_scope='all')
self.system_member_context = nova_context.RequestContext(
user_id="member",
@@ -98,7 +99,11 @@ class BasePolicyTest(test.TestCase):
# project scoped users
self.project_admin_context = nova_context.RequestContext(
user_id="project_admin", project_id=self.project_id,
roles=['admin', 'member', 'reader'])
roles=['admin', 'manager', 'member', 'reader'])
self.project_manager_context = nova_context.RequestContext(
user_id="project_manager", project_id=self.project_id,
roles=['manager', 'member', 'reader'])
self.project_member_context = nova_context.RequestContext(
user_id="project_member", project_id=self.project_id,
@@ -112,6 +117,11 @@ class BasePolicyTest(test.TestCase):
user_id="project_foo", project_id=self.project_id,
roles=['foo'])
self.other_project_manager_context = nova_context.RequestContext(
user_id="other_project_manager",
project_id=self.project_id_other,
roles=['manager', 'member', 'reader'])
self.other_project_member_context = nova_context.RequestContext(
user_id="other_project_member",
project_id=self.project_id_other,
@@ -126,16 +136,20 @@ class BasePolicyTest(test.TestCase):
self.legacy_admin_context, self.system_admin_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.other_project_member_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.other_project_manager_context,
self.other_project_member_context,
self.project_foo_context, self.other_project_reader_context
])
# All the project contexts for easy access.
self.all_project_contexts = set([
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_manager_context,
self.other_project_member_context,
self.other_project_reader_context,
])
@@ -151,36 +165,38 @@ class BasePolicyTest(test.TestCase):
# will have access.
self.project_member_or_admin_with_no_scope_no_legacy = set([
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context,
])
# With scope enable and legacy rule, only project scoped admin
# and any role in that project will have access.
self.project_m_r_or_admin_with_scope_and_legacy = set([
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context
self.project_manager_context, self.project_member_context,
self.project_reader_context, self.project_foo_context
])
# With scope enable and no legacy rule, only project scoped admin
# and project members have access. No other role in that project
# or system scoped token will have access.
self.project_member_or_admin_with_scope_no_legacy = set([
self.legacy_admin_context, self.project_admin_context,
self.project_member_context
self.project_manager_context, self.project_member_context
])
# With scope disable and no legacy rule, any admin,
# project members, and project reader have access. No other
# role in that project will have access.
self.project_reader_or_admin_with_no_scope_no_legacy = set([
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context
])
# With scope enable and no legacy rule, only project scoped admin,
# project members, and project reader have access. No other role
# in that project or system scoped token will have access.
self.project_reader_or_admin_with_scope_no_legacy = set([
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context
self.project_manager_context, self.project_member_context,
self.project_reader_context
])
if self.without_deprecated_rules:
@@ -193,10 +209,14 @@ class BasePolicyTest(test.TestCase):
"rule:project_reader_api or rule:context_is_admin",
"project_admin_api":
"role:admin and project_id:%(project_id)s",
"project_manager_api":
"role:manager and project_id:%(project_id)s",
"project_member_api":
"role:member and project_id:%(project_id)s",
"project_reader_api":
"role:reader and project_id:%(project_id)s",
"project_manager_or_admin":
"rule:project_manager_api or rule:context_is_admin",
"project_member_or_admin":
"rule:project_member_api or rule:context_is_admin",
"project_reader_or_admin":
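Review bot: The comments above the access sets are now stale: `project_manager_context` was added to `project_member_or_admin_with_scope_no_legacy` and `project_reader_or_admin_with_scope_no_legacy`, yet the comments still read `# and project members have access. No other role in that project` and `# project members, and project reader have access. No other role`, so a reader of the set definitions cannot tell that manager access is intentional; each should name the role, e.g. `# and project managers/members have access. No other role in that project`. Adding 'manager' to the `legacy_admin_context`, `system_admin_context` and `project_admin_context` role lists encodes an assumed implied-role chain (admin implies manager implies member implies reader); a short comment next to `# all context are with implied roles.` stating that chain would make the assumption explicit and checkable against the deployment's keystone configuration. The `project_manager_api` and `project_manager_or_admin` rules are defined in the override dict, but in every section visible on this page the manager contexts are only ever placed alongside the member contexts, so as far as this page shows no test yet asserts a manager-only permission, which may be intended as a first step but is worth stating in the commit message.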


@@ -54,8 +54,9 @@ class AdminPasswordPolicyTest(base.BasePolicyTest):
# the password for their server.
self.project_action_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
@mock.patch('nova.compute.api.API.set_admin_password')
def test_change_paassword_policy(self, mock_password):


@@ -54,8 +54,9 @@ class AttachInterfacesPolicyTest(base.BasePolicyTest):
# detach an interface from a server.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
# and they can get their own server attached interfaces.
self.project_reader_authorized_contexts = (
self.project_member_authorized_contexts)


@@ -48,8 +48,9 @@ class ConsoleOutputPolicyTest(base.BasePolicyTest):
# can get the server console.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
@mock.patch('nova.compute.api.API.get_console_output')
def test_console_output_policy(self, mock_console):


@@ -50,8 +50,9 @@ class CreateBackupPolicyTest(base.BasePolicyTest):
# server backup.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
@mock.patch('nova.compute.api.API.backup')
def test_create_backup_policy(self, mock_backup):


@@ -54,8 +54,9 @@ class DeferredDeletePolicyTest(base.BasePolicyTest):
# delete or restore server.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
@mock.patch('nova.compute.api.API.restore')
def test_restore_server_policy(self, mock_restore):


@@ -32,11 +32,13 @@ class ExtensionsPolicyTest(base.BasePolicyTest):
# Check that everyone is able to get extension info.
self.everyone_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context,
self.other_project_manager_context,
self.other_project_member_context
]
self.everyone_unauthorized_contexts = []
@@ -73,8 +75,10 @@ class ExtensionsScopeTypePolicyTest(ExtensionsPolicyTest):
self.flags(enforce_scope=True, group="oslo_policy")
self.everyone_authorized_contexts = [
self.legacy_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_manager_context,
self.other_project_reader_context,
self.other_project_member_context
]


@@ -34,8 +34,10 @@ class FloatingIPPoolsPolicyTest(base.BasePolicyTest):
# Check that everyone is able to list FIP pools.
self.everyone_authorized_contexts = set([
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_manager_context,
self.other_project_reader_context,
self.other_project_member_context,
self.system_member_context, self.system_reader_context,


@@ -57,20 +57,24 @@ class FloatingIPPolicyTest(base.BasePolicyTest):
# of FIP then neutron will be returning the appropriate error.
self.member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context,
self.other_project_manager_context,
self.other_project_member_context
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context,
self.other_project_manager_context,
self.other_project_member_context
]
# With legacy rule and no scope checks, all admin, project members
@@ -79,8 +83,9 @@ class FloatingIPPolicyTest(base.BasePolicyTest):
# delete FIP to server.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
@mock.patch('nova.network.neutron.API.get_floating_ip')
def test_show_floating_ip_policy(self, mock_get):
@@ -174,16 +179,18 @@ class FloatingIPNoLegacyNoScopePolicyTest(FloatingIPPolicyTest):
# to operate on FIP.
self.member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.system_member_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.system_member_context,
self.other_project_manager_context,
self.other_project_member_context
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -207,14 +214,18 @@ class FloatingIPScopeTypePolicyTest(FloatingIPPolicyTest):
self.project_m_r_or_admin_with_scope_and_legacy)
self.member_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context, self.other_project_reader_context,
self.project_member_context, self.project_manager_context,
self.project_reader_context, self.project_foo_context,
self.other_project_manager_context,
self.other_project_reader_context,
self.other_project_member_context
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context, self.other_project_reader_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_manager_context,
self.other_project_reader_context,
self.other_project_member_context
]
@@ -248,12 +259,15 @@ class FloatingIPScopeTypeNoLegacyPolicyTest(FloatingIPScopeTypePolicyTest):
# other roles like foo will not be able to operate FIP.
self.member_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context,
self.project_manager_context, self.project_member_context,
self.other_project_manager_context,
self.other_project_member_context
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context,
self.other_project_manager_context,
self.other_project_reader_context,
self.other_project_member_context
]
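Review bot: The context ordering in `FloatingIPScopeTypePolicyTest.member_authorized_contexts` is inconsistent with the rest of the change: the new line reads `self.project_member_context, self.project_manager_context,` whereas every other rewritten list on this page puts manager before member (`self.project_manager_context, self.project_member_context,`), matching the admin/manager/member/reader order used in the base role lists. The same slip appears in `ServerGroupScopeTypePolicyTest.project_create_authorized_contexts`, where `self.other_project_member_context,` precedes `self.other_project_manager_context]`. Keeping one canonical order makes the membership of these lists easy to eyeball-diff against the base sets when a role is next added or removed.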


@@ -72,8 +72,9 @@ class InstanceActionsPolicyTest(base.BasePolicyTest):
# and project reader can get their server topology without host info.
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
def _set_policy_rules(self, overwrite=True):
rules = {ia_policies.BASE_POLICY_NAME % 'show': '@'}


@@ -57,8 +57,10 @@ class KeypairsPolicyTest(base.BasePolicyTest):
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.system_foo_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_manager_context,
self.other_project_member_context,
self.other_project_reader_context,
])


@@ -127,7 +127,9 @@ class LimitsScopeTypePolicyTest(LimitsPolicyTest):
self.legacy_admin_context, self.project_admin_context]
self.everyone_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context,
self.other_project_manager_context,
self.other_project_member_context,
self.project_foo_context, self.other_project_reader_context
]
@@ -151,7 +153,9 @@ class LimitsScopeTypeNoLegacyPolicyTest(LimitsScopeTypePolicyTest):
self.legacy_admin_context, self.project_admin_context]
self.everyone_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context,
self.other_project_manager_context,
self.other_project_member_context,
self.project_foo_context, self.other_project_reader_context
]


@@ -59,8 +59,9 @@ class LockServerPolicyTest(base.BasePolicyTest):
# unlock the server.
self.project_action_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
# By default, legacy rule are enable and scope check is disabled.
# system admin, legacy admin, and project admin is able to override
@@ -191,7 +192,8 @@ class LockServerOverridePolicyTest(LockServerScopeTypeNoLegacyPolicyTest):
# to PROJECT_MEMBER so testing it with both admin as well
# as project member as allowed context.
self.project_admin_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context]
def test_unlock_override_server_policy(self):
rule = ls_policies.POLICY_ROOT % 'unlock:unlock_override'
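Review bot: The comment above `LockServerOverridePolicyTest.project_admin_authorized_contexts` is now inaccurate: it still says `# as project member as allowed context.` while the list has gained `self.project_manager_context`. Presumably the manager context is accepted by the member override only because `project_manager_context` is built with `roles=['manager', 'member', 'reader']` in base, not because the overridden rule mentions manager; the comment should say so, e.g. `# as project member (and project manager, whose context also carries the member role) as allowed contexts.`, otherwise a future reader may conclude the override grants manager explicitly. The identical stale wording `# Check that project member role as override above` applies to the `MigrateServerOverridePolicyTest` and `ServerDiagnosticsOverridePolicyTest` hunks. The enclosing setUp bodies start outside these hunks.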


@@ -145,4 +145,5 @@ class MigrateServerOverridePolicyTest(
# Check that project member role as override above
# is able to migrate the server
self.project_admin_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context]


@@ -52,8 +52,9 @@ class MultinicPolicyTest(base.BasePolicyTest):
# add/remove fixed ip.
self.project_action_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
@mock.patch('nova.compute.api.API.add_fixed_ip')
def test_add_fixed_ip_policy(self, mock_add):


@@ -41,11 +41,13 @@ class NetworksPolicyTest(base.BasePolicyTest):
# of networks then neutron will be returning the appropriate error.
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -83,10 +85,11 @@ class NetworksNoLegacyNoScopePolicyTest(NetworksPolicyTest):
# to get network.
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -107,8 +110,10 @@ class NetworksScopeTypePolicyTest(NetworksPolicyTest):
self.flags(enforce_scope=True, group="oslo_policy")
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context, self.other_project_reader_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_manager_context,
self.other_project_reader_context,
self.other_project_member_context
]
@@ -128,7 +133,9 @@ class NetworksScopeTypeNoLegacyPolicyTest(NetworksScopeTypePolicyTest):
super(NetworksScopeTypeNoLegacyPolicyTest, self).setUp()
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context,
self.other_project_manager_context,
self.other_project_member_context,
self.other_project_reader_context,
]


@@ -53,8 +53,9 @@ class PauseServerPolicyTest(base.BasePolicyTest):
# unpause the server.
self.project_action_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
@mock.patch('nova.compute.api.API.pause')
def test_pause_server_policy(self, mock_pause):


@@ -44,8 +44,10 @@ class QuotaSetsPolicyTest(base.BasePolicyTest):
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.system_foo_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_manager_context,
self.other_project_member_context,
self.other_project_reader_context])
# Everyone is able to get the default quota
@@ -53,8 +55,10 @@ class QuotaSetsPolicyTest(base.BasePolicyTest):
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.system_foo_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_manager_context,
self.other_project_member_context,
self.other_project_reader_context])
@@ -158,7 +162,7 @@ class QuotaSetsNoLegacyNoScopePolicyTest(QuotaSetsPolicyTest):
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context,
self.system_member_context, self.system_reader_context,
self.project_member_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context]


@@ -55,8 +55,9 @@ class RemoteConsolesPolicyTest(base.BasePolicyTest):
# server remote consoles.
self.project_action_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
def test_create_console_policy(self):
rule_name = rc_policies.BASE_POLICY_NAME


@@ -55,8 +55,9 @@ class RescueServerPolicyTest(base.BasePolicyTest):
# unrescue the server.
self.project_action_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
@mock.patch('nova.compute.api.API.rescue')
def test_rescue_server_policy(self, mock_rescue):


@@ -55,14 +55,16 @@ class ServerSecurityGroupsPolicyTest(base.BasePolicyTest):
# server security groups.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
# With legacy rule, any admin or project role is able to get their
# server SG.
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
]
@mock.patch('nova.network.security_group_api.get_instance_security_groups')
@@ -143,20 +145,24 @@ class SecurityGroupsPolicyTest(base.BasePolicyTest):
# appropriate error.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context,
self.other_project_manager_context,
self.other_project_member_context
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -261,16 +267,18 @@ class SecurityGroupsNoLegacyNoScopePolicyTest(
# to operate on SG.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.system_member_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.system_member_context,
self.other_project_manager_context,
self.other_project_member_context
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -292,14 +300,18 @@ class SecurityGroupsScopeTypePolicyTest(SecurityGroupsPolicyTest):
# operate on SG.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context,
self.project_foo_context, self.other_project_reader_context,
self.other_project_manager_context,
self.other_project_member_context
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context,
self.project_foo_context, self.other_project_reader_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -377,12 +389,15 @@ class SecurityGroupsNoLegacyPolicyTest(SecurityGroupsScopeTypePolicyTest):
# other roles like foo will not be able to operate SG.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context,
self.project_manager_context, self.project_member_context,
self.other_project_manager_context,
self.other_project_member_context
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context,
self.other_project_manager_context,
self.other_project_reader_context,
self.other_project_member_context
]


@@ -133,4 +133,5 @@ class ServerDiagnosticsOverridePolicyTest(
# Check that project member role as override above
# is able to get server diagnostics.
self.project_admin_authorized_contexts = [
self.project_admin_context, self.project_member_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context]


@@ -56,13 +56,15 @@ class ServerGroupPolicyTest(base.BasePolicyTest):
# delete and get SG.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
]
# By default, legacy rule are enabled and scope check is disabled.
# system admin, legacy admin, and project admin is able to get
@@ -74,11 +76,13 @@ class ServerGroupPolicyTest(base.BasePolicyTest):
# List SG can not check for project id so everyone is allowed.
self.everyone_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -172,8 +176,10 @@ class ServerGroupNoLegacyNoScopePolicyTest(ServerGroupPolicyTest):
# use requesting context's project_id. Same for list SG.
self.project_create_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.system_member_context, self.other_project_member_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.system_member_context,
self.other_project_manager_context,
self.other_project_member_context]
self.project_admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
@@ -181,9 +187,11 @@ class ServerGroupNoLegacyNoScopePolicyTest(ServerGroupPolicyTest):
self.everyone_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.other_project_reader_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -210,17 +218,20 @@ class ServerGroupScopeTypePolicyTest(ServerGroupPolicyTest):
self.project_create_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context, self.other_project_reader_context,
self.other_project_member_context]
self.project_manager_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_reader_context,
self.other_project_member_context,
self.other_project_manager_context]
self.project_admin_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context]
self.everyone_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_manager_context,
self.other_project_reader_context,
self.other_project_member_context
]
@@ -241,7 +252,8 @@ class ServerGroupScopeTypeNoLegacyPolicyTest(ServerGroupScopeTypePolicyTest):
self.project_create_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context,
self.project_manager_context, self.project_member_context,
self.other_project_manager_context,
self.other_project_member_context]
self.project_reader_authorized_contexts = (
@@ -252,7 +264,9 @@ class ServerGroupScopeTypeNoLegacyPolicyTest(ServerGroupScopeTypePolicyTest):
self.everyone_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context,
self.other_project_manager_context,
self.other_project_reader_context,
self.other_project_member_context
]
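Review bot: The new manager contexts are asserted only on the allow side in this section; `project_admin_authorized_contexts` in ServerGroupScopeTypePolicyTest still holds just `self.legacy_admin_context, self.project_admin_context`, and whether `project_manager_context` (and `other_project_manager_context`) is actually exercised as denied for those admin-only operations depends on the base class deriving the unauthorized set from `all_contexts`, which is not visible in this section — confirm both manager contexts were added to `all_contexts`, otherwise a policy that over-grants the manager role would pass these tests. The placement of `other_project_manager_context` in that same class's `project_create_authorized_contexts` (after `other_project_member_context`) is also reversed relative to the no-legacy variants, where it precedes the member context; keeping one order makes the lists easier to diff by eye. Since manager is being asserted as exactly member-equivalent for server groups, a one-line comment such as `# manager has no extra privileges over member for server groups` next to the first list would record that intent. All enclosing setUp methods begin outside these hunks.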


@@ -53,8 +53,9 @@ class ServerIpsPolicyTest(base.BasePolicyTest):
# server IP addresses.
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
]
def test_index_ips_policy(self):


@@ -47,8 +47,9 @@ class ServerMetadataPolicyTest(base.BasePolicyTest):
# update, and delete the server metadata.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
# and they can get their own server metadata.
self.project_reader_authorized_contexts = (
self.project_member_authorized_contexts)


@@ -146,5 +146,5 @@ class ServerMigrationsOverridePolicyTest(
# Check that project reader as override above
# is able to migrate the server
self.project_admin_authorized_contexts = [
self.project_admin_context, self.project_member_context,
self.project_reader_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context]


@@ -48,8 +48,9 @@ class ServerPasswordPolicyTest(base.BasePolicyTest):
# the server Password.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
# and they can get their own server password.
self.project_reader_authorized_contexts = (
self.project_member_authorized_contexts)


@@ -57,8 +57,9 @@ class ServerTagsPolicyTest(base.BasePolicyTest):
# operations on server tags.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
self.project_reader_authorized_contexts = (
self.project_member_authorized_contexts)


@@ -59,8 +59,9 @@ class ServerTopologyPolicyTest(base.BasePolicyTest):
# and project reader can get their server topology without host info.
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
def test_index_server_topology_policy(self):
rule_name = policies.BASE_POLICY_NAME % 'index'


@@ -141,8 +141,9 @@ class ServersPolicyTest(base.BasePolicyTest):
# Users that can take action on *our* project resources
self.project_action_authorized_contexts = set([
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
])
# Users that can read *our* project resources
@@ -1414,6 +1415,7 @@ class ServersScopeTypePolicyTest(ServersPolicyTest):
self.reduce_set('project_action_authorized',
set([self.legacy_admin_context,
self.project_admin_context,
self.project_manager_context,
self.project_member_context,
self.project_reader_context,
self.project_foo_context]))


@@ -50,8 +50,9 @@ class ShelveServerPolicyTest(base.BasePolicyTest):
# unshelve the server.
self.project_action_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
# By default, legacy rule are enable and scope check is disabled.
# system admin, legacy admin, and project admin is able to shelve


@@ -39,8 +39,9 @@ class SimpleTenantUsagePolicyTest(base.BasePolicyTest):
# and project reader can get their usage statistics.
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
]
def test_index_simple_tenant_usage_policy(self):


@@ -51,8 +51,9 @@ class SuspendServerPolicyTest(base.BasePolicyTest):
# resume the server.
self.project_action_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
@mock.patch('nova.compute.api.API.suspend')
def test_suspend_server_policy(self, mock_suspend):


@@ -41,11 +41,13 @@ class TenantNetworksPolicyTest(base.BasePolicyTest):
# of networks then neutron will be returning the appropriate error.
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -82,10 +84,11 @@ class TenantNetworksNoLegacyNoScopePolicyTest(TenantNetworksPolicyTest):
# to get tenant network.
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -106,8 +109,10 @@ class TenantNetworksScopeTypePolicyTest(TenantNetworksPolicyTest):
self.flags(enforce_scope=True, group="oslo_policy")
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context, self.other_project_reader_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_reader_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -128,7 +133,9 @@ class TenantNetworksScopeTypeNoLegacyPolicyTest(
super(TenantNetworksScopeTypeNoLegacyPolicyTest, self).setUp()
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_manager_context, self.project_member_context,
self.project_reader_context,
self.other_project_manager_context,
self.other_project_member_context,
self.other_project_reader_context,
]


@@ -101,8 +101,9 @@ class VolumeAttachPolicyTest(base.BasePolicyTest):
# able create/delete/update the volume attachment.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context]
# With legacy rule and no scope checks, all admin, project members
# project reader or other project role(because legacy rule allow
@@ -291,20 +292,24 @@ class VolumesPolicyTest(base.BasePolicyTest):
# error.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context,
self.other_project_manager_context,
self.other_project_member_context
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -422,16 +427,18 @@ class VolumesNoLegacyNoScopePolicyTest(VolumesPolicyTest):
# to operate on volume and snapshot.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.system_member_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.system_member_context,
self.other_project_manager_context,
self.other_project_member_context
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context,
self.project_admin_context, self.project_manager_context,
self.project_member_context, self.project_reader_context,
self.other_project_reader_context,
self.system_member_context, self.system_reader_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -454,14 +461,20 @@ class VolumesScopeTypePolicyTest(VolumesPolicyTest):
# operate on volume and snapshot.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context, self.other_project_reader_context,
self.project_manager_context,
self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_reader_context,
self.other_project_manager_context,
self.other_project_member_context
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context, self.other_project_reader_context,
self.project_manager_context,
self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_reader_context,
self.other_project_manager_context,
self.other_project_member_context
]
@@ -503,12 +516,17 @@ class VolumesScopeTypeNoLegacyPolicyTest(VolumesScopeTypePolicyTest):
# and snapshot.
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_manager_context,
self.project_member_context,
self.other_project_manager_context,
self.other_project_member_context
]
self.project_reader_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_manager_context,
self.project_member_context,
self.project_reader_context,
self.other_project_manager_context,
self.other_project_reader_context,
self.other_project_member_context
]
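Review bot: In VolumesScopeTypePolicyTest the rewritten `project_member_authorized_contexts` and `project_reader_authorized_contexts` are now two identical element lists maintained by hand, so a future role addition can land in one and not the other and silently change which contexts are tested as denied. The server metadata, password and tags sections of this same commit already alias the two with `self.project_reader_authorized_contexts = (self.project_member_authorized_contexts)`; the same one-liner here would remove the duplication. The equality itself matches the surrounding comment that the legacy rule still grants readers the member operations, so this is a style point, not a policy concern. The enclosing setUp methods start outside these hunks.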