openstack
/
placement
Code Issues Proposed changes

Merge "Implement secure RBAC for inventories"

This commit is contained in:
Zuul 2021-02-03 18:48:09 +00:00 committed by Gerrit Code Review
parent 459c08db76 d0e49b794b
commit 07bbe95b3c
3 changed files with 863 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
placement/policies/inventory.py
View File

@ -11,6 +11,7 @@
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from placement.policies import base
@ -24,45 +25,80 @@ UPDATE = PREFIX % 'update'
DELETE = PREFIX % 'delete'
BASE_PATH = '/resource_providers/{uuid}/inventories'
DEPRECATED_REASON = """
The inventory API now supports a read-only role by default.
"""
deprecated_list_inventories = policy.DeprecatedRule(
name=LIST,
check_str=base.RULE_ADMIN_API
)
deprecated_create_inventory = policy.DeprecatedRule(
name=CREATE,
check_str=base.RULE_ADMIN_API
)
deprecated_show_inventory = policy.DeprecatedRule(
name=SHOW,
check_str=base.RULE_ADMIN_API
)
deprecated_update_inventory = policy.DeprecatedRule(
name=UPDATE,
check_str=base.RULE_ADMIN_API
)
deprecated_delete_inventory = policy.DeprecatedRule(
name=DELETE,
check_str=base.RULE_ADMIN_API
)
rules = [
policy.DocumentedRuleDefault(
LIST,
base.RULE_ADMIN_API,
"List resource provider inventories.",
[
name=LIST,
check_str=base.SYSTEM_READER,
description="List resource provider inventories.",
operations=[
{
'method': 'GET',
'path': BASE_PATH
}
],
scope_types=['system']),
scope_types=['system'],
deprecated_rule=deprecated_list_inventories,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
policy.DocumentedRuleDefault(
CREATE,
base.RULE_ADMIN_API,
"Create one resource provider inventory.",
[
name=CREATE,
check_str=base.SYSTEM_ADMIN,
description="Create one resource provider inventory.",
operations=[
{
'method': 'POST',
'path': BASE_PATH
}
],
scope_types=['system']),
scope_types=['system'],
deprecated_rule=deprecated_create_inventory,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
policy.DocumentedRuleDefault(
SHOW,
base.RULE_ADMIN_API,
"Show resource provider inventory.",
[
name=SHOW,
check_str=base.SYSTEM_READER,
description="Show resource provider inventory.",
operations=[
{
'method': 'GET',
'path': BASE_PATH + '/{resource_class}'
}
],
scope_types=['system']),
scope_types=['system'],
deprecated_rule=deprecated_show_inventory,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
policy.DocumentedRuleDefault(
UPDATE,
base.RULE_ADMIN_API,
"Update resource provider inventory.",
[
name=UPDATE,
check_str=base.SYSTEM_ADMIN,
description="Update resource provider inventory.",
operations=[
{
'method': 'PUT',
'path': BASE_PATH
@ -72,12 +108,15 @@ rules = [
'path': BASE_PATH + '/{resource_class}'
}
],
scope_types=['system']),
scope_types=['system'],
deprecated_rule=deprecated_update_inventory,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
policy.DocumentedRuleDefault(
DELETE,
base.RULE_ADMIN_API,
"Delete resource provider inventory.",
[
name=DELETE,
check_str=base.SYSTEM_ADMIN,
description="Delete resource provider inventory.",
operations=[
{
'method': 'DELETE',
'path': BASE_PATH
@ -87,7 +126,10 @@ rules = [
'path': BASE_PATH + '/{resource_class}'
}
],
scope_types=['system']),
scope_types=['system'],
deprecated_rule=deprecated_delete_inventory,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
]

424
placement/tests/functional/gabbits/inventory-legacy-rbac.yaml Normal file
View File

@ -0,0 +1,424 @@
---
fixtures:
- LegacyRBACPolicyFixture
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
accept: application/json
content-type: application/json
openstack-api-version: placement latest
openstack-system-scope: all
- &system_reader_headers
x-auth-token: user
x-roles: reader
accept: application/json
content-type: application/json
openstack-api-version: placement latest
openstack-system-scope: all
- &project_admin_headers
x-auth-token: user
x-roles: admin,member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_member_headers
x-auth-token: user
x-roles: member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_reader_headers
x-auth-token: user
x-roles: reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
tests:
# create resource provider
- name: system admin can create resource providers
POST: /resource_providers
request_headers: *system_admin_headers
data:
name: fc65b9c3-2d41-44b1-96ca-1d1a13b4dd69
uuid: 85475179-de26-4f7a-8c11-b4dc10fe47f4
status: 200
- name: system reader cannot create resource providers
POST: /resource_providers
request_headers: *system_reader_headers
data:
name: de40da45-e029-450d-b147-178136518e4d
uuid: 7d7e6957-45b0-4791-b79a-69a88327ab0d
status: 403
- name: project admin can create resource providers
POST: /resource_providers
request_headers: *project_admin_headers
data:
name: f4720d4c-3a29-4676-aeb1-faa39084051e
uuid: 0e4fdc4e-5790-477a-9e4f-4f6898537ad9
status: 200
- name: project member cannot create resource providers
POST: /resource_providers
request_headers: *project_member_headers
data:
name: cf4511a9-a4f8-402c-ae03-233eb97e2358
uuid: 6bb64c0f-4704-4337-8bae-18bbc6131a32
status: 403
- name: project reader cannot create resource providers
POST: /resource_providers
request_headers: *project_reader_headers
data:
name: 53519f75-dcd3-45dc-b355-8c0e2628a8e8
uuid: 29742738-d409-4e2e-b4bc-b941ee9268fa
status: 403
# list inventory
- name: system admin can list inventories
GET: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories
request_headers: *system_admin_headers
response_json_paths:
$.resource_provider_generation: 0
$.inventories: {}
- name: system reader can list inventories
GET: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories
request_headers: *system_reader_headers
response_json_paths:
$.resource_provider_generation: 0
$.inventories: {}
- name: project admin can list inventories
GET: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories
request_headers: *project_admin_headers
response_json_paths:
$.resource_provider_generation: 0
$.inventories: {}
- name: project member cannot list inventories
GET: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories
request_headers: *project_member_headers
status: 403
- name: project reader cannot list inventories
GET: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories
request_headers: *project_reader_headers
status: 403
# create inventory
- name: system admin can create an inventory
POST: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories
request_headers: *system_admin_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 201
response_headers:
location: $SCHEME://$NETLOC/resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories/DISK_GB
- name: system reader cannot create an inventory
POST: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories
request_headers: *system_reader_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: project admin can create an inventory
POST: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories
request_headers: *project_admin_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 201
response_headers:
location: $SCHEME://$NETLOC/resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories/DISK_GB
- name: project member cannot create an inventory
POST: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories
request_headers: *project_member_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: project reader cannot create an inventory
POST: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories
request_headers: *project_reader_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
# show inventory
- name: system admin can show inventory
GET: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories/DISK_GB
request_headers: *system_admin_headers
status: 200
- name: system reader can show inventory
GET: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories/DISK_GB
request_headers: *system_reader_headers
status: 200
- name: project admin can show inventory
GET: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories/DISK_GB
request_headers: *project_admin_headers
status: 200
- name: project member cannot show inventory
GET: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories/DISK_GB
request_headers: *project_member_headers
status: 403
- name: project reader cannot show inventory
GET: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories/DISK_GB
request_headers: *project_reader_headers
status: 403
# update inventory
- name: system admin can update inventory
PUT: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories/DISK_GB
request_headers: *system_admin_headers
data:
resource_provider_generation: 1
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 200
- name: system reader cannot update inventory
PUT: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories/DISK_GB
request_headers: *system_reader_headers
data:
resource_provider_generation: 1
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: project admin can update inventory
PUT: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories/DISK_GB
request_headers: *project_admin_headers
data:
resource_provider_generation: 1
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 200
- name: project member cannot update inventory
PUT: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories/DISK_GB
request_headers: *project_member_headers
data:
resource_provider_generation: 1
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: project reader cannot update inventory
PUT: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories/DISK_GB
request_headers: *project_reader_headers
data:
resource_provider_generation: 1
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
# update all inventories
- name: system admin can update all inventories
PUT: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories
request_headers: *system_admin_headers
data:
resource_provider_generation: 2
inventories:
DISK_GB:
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
VCPU:
total: 8
status: 200
- name: system reader cannot update all inventories
PUT: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories
request_headers: *system_reader_headers
data:
resource_provider_generation: 2
inventories:
DISK_GB:
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
VCPU:
total: 8
status: 403
- name: project admin can update all inventories
PUT: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories
request_headers: *project_admin_headers
data:
resource_provider_generation: 2
inventories:
DISK_GB:
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
VCPU:
total: 8
status: 200
- name: project member cannot update all inventories
PUT: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories
request_headers: *project_member_headers
data:
resource_provider_generation: 2
inventories:
DISK_GB:
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
VCPU:
total: 8
status: 403
- name: project reader cannot update all inventories
PUT: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories
request_headers: *project_reader_headers
data:
resource_provider_generation: 2
inventories:
DISK_GB:
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
VCPU:
total: 8
status: 403
# delete inventory
- name: system admin can delete a specific inventory
DELETE: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories/DISK_GB
request_headers: *system_admin_headers
status: 204
- name: system reader cannot delete a specific inventory
DELETE: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories/DISK_GB
request_headers: *system_reader_headers
status: 403
- name: project admin can delete a specific inventory
DELETE: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories/DISK_GB
request_headers: *project_admin_headers
status: 204
- name: project member cannot delete a specific inventory
DELETE: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories/DISK_GB
request_headers: *project_member_headers
status: 403
- name: project reader cannot delete a specific inventory
DELETE: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories/DISK_GB
request_headers: *project_reader_headers
status: 403
# delete all inventory
#
- name: system admin can delete all inventory
DELETE: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories
request_headers: *system_admin_headers
status: 204
- name: system reader cannot delete all inventory
DELETE: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories
request_headers: *system_reader_headers
status: 403
- name: project admin can delete all inventory
DELETE: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories
request_headers: *project_admin_headers
status: 204
- name: project member cannot delete all inventory
DELETE: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories
request_headers: *project_member_headers
status: 403
- name: project reader cannot delete all inventory
DELETE: /resource_providers/0e4fdc4e-5790-477a-9e4f-4f6898537ad9/inventories
request_headers: *project_reader_headers
status: 403

372
placement/tests/functional/gabbits/inventory-secure-rbac.yaml Normal file
View File

@ -0,0 +1,372 @@
---
fixtures:
- SecureRBACPolicyFixture
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
accept: application/json
content-type: application/json
openstack-api-version: placement latest
openstack-system-scope: all
- &system_reader_headers
x-auth-token: user
x-roles: reader
accept: application/json
content-type: application/json
openstack-api-version: placement latest
openstack-system-scope: all
- &project_admin_headers
x-auth-token: user
x-roles: admin,member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_member_headers
x-auth-token: user
x-roles: member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_reader_headers
x-auth-token: user
x-roles: reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
tests:
- name: system admin can create resource providers
POST: /resource_providers
request_headers: *system_admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
status: 200
- name: system admin can list inventories
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_admin_headers
response_json_paths:
$.resource_provider_generation: 0
$.inventories: {}
- name: system reader can list inventories
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_reader_headers
response_json_paths:
$.resource_provider_generation: 0
$.inventories: {}
- name: project admin cannot list inventories
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_admin_headers
status: 403
- name: project member cannot list inventories
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_member_headers
status: 403
- name: project reader cannot list inventories
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_reader_headers
status: 403
- name: project admin cannot create an inventory
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_admin_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: project member cannot create an inventory
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_member_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: project reader cannot create an inventory
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_reader_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: system reader cannot create an inventory
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_reader_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: system admin can create an inventory
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_admin_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 201
response_headers:
location: $SCHEME://$NETLOC/resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
- name: project admin cannot show inventory
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *project_admin_headers
status: 403
- name: project member cannot show inventory
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *project_member_headers
status: 403
- name: project reader cannot show inventory
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *project_reader_headers
status: 403
- name: system reader can show inventory
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *system_reader_headers
status: 200
- name: system admin can show inventory
GET: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *system_admin_headers
status: 200
- name: project admin cannot update inventory
PUT: $LAST_URL
request_headers: *project_admin_headers
data:
resource_provider_generation: 1
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: project member cannot update inventory
PUT: $LAST_URL
request_headers: *project_member_headers
data:
resource_provider_generation: 1
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: project reader cannot update inventory
PUT: $LAST_URL
request_headers: *project_reader_headers
data:
resource_provider_generation: 1
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: system reader cannot update inventory
PUT: $LAST_URL
request_headers: *system_reader_headers
data:
resource_provider_generation: 1
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 403
- name: system admin can update inventory
PUT: $LAST_URL
request_headers: *system_admin_headers
data:
resource_provider_generation: 1
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 200
- name: project admin cannot update all inventories
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_admin_headers
data:
resource_provider_generation: 2
inventories:
DISK_GB:
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
VCPU:
total: 8
status: 403
- name: project member cannot update all inventories
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_member_headers
data:
resource_provider_generation: 2
inventories:
DISK_GB:
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
VCPU:
total: 8
status: 403
- name: project reader cannot update all inventories
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_reader_headers
data:
resource_provider_generation: 2
inventories:
DISK_GB:
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
VCPU:
total: 8
status: 403
- name: system reader cannot update all inventories
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_reader_headers
data:
resource_provider_generation: 2
inventories:
DISK_GB:
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
VCPU:
total: 8
status: 403
- name: system admin can update all inventories
PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_admin_headers
data:
resource_provider_generation: 2
inventories:
DISK_GB:
total: 2048
reserved: 1024
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
VCPU:
total: 8
status: 200
- name: project admin cannot delete a specific inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *project_admin_headers
status: 403
- name: project member cannot delete a specific inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *project_member_headers
status: 403
- name: project reader cannot delete a specific inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *project_reader_headers
status: 403
- name: system reader cannot delete a specific inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *system_reader_headers
status: 403
- name: system admin can delete a specific inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories/DISK_GB
request_headers: *system_admin_headers
status: 204
- name: project admin cannot delete all inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_admin_headers
status: 403
- name: project member cannot delete all inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_member_headers
status: 403
- name: project reader cannot delete all inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_reader_headers
status: 403
- name: system reader cannot delete all inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_reader_headers
status: 403
- name: system admin can delete all inventory
DELETE: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_admin_headers
status: 204