Browse Source

Load projects without restrictions in policy_check

The policy_check needs to load projects without project safe restriction
because it is possible for users to attach policies belonging to other
projects.

Change-Id: I019e7765bdce3f3338167ce11660f4eae70639fc
Closes-Bug: #1896099
changes/78/761678/1
Duc Truong 8 months ago
parent
commit
6133e815e3
2 changed files with 9 additions and 5 deletions
  1. +2
    -1
      senlin/engine/actions/base.py
  2. +7
    -4
      senlin/tests/unit/engine/actions/test_action_base.py

+ 2
- 1
senlin/engine/actions/base.py View File

@ -531,7 +531,8 @@ class Action(object):
self.data['reason'] = 'Completed policy checking.'
for pb in bindings:
policy = policy_mod.Policy.load(self.context, pb.policy_id)
policy = policy_mod.Policy.load(self.context, pb.policy_id,
project_safe=False)
# add last_op as input for the policy so that it can be used
# during pre_op


+ 7
- 4
senlin/tests/unit/engine/actions/test_action_base.py View File

@ -1017,7 +1017,8 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
mock_load_all.assert_called_once_with(
action.context, cluster_id, sort='priority',
filters={'enabled': True})
mock_load.assert_called_once_with(action.context, policy.id)
mock_load.assert_called_once_with(action.context, policy.id,
project_safe=False)
# last_op was updated anyway
self.assertEqual(action.inputs['last_op'], pb.last_op)
# neither pre_op nor post_op was called, because target not match
@ -1076,7 +1077,8 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
mock_load_all.assert_called_once_with(
action.context, cluster_id, sort='priority',
filters={'enabled': True})
mock_load.assert_called_once_with(action.context, policy.id)
mock_load.assert_called_once_with(action.context, policy.id,
project_safe=False)
# last_op was not updated
self.assertIsNone(pb.last_op)
@ -1103,7 +1105,8 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
mock_load_all.assert_called_once_with(
action.context, cluster_id, sort='priority',
filters={'enabled': True})
mock_load.assert_called_once_with(action.context, policy.id)
mock_load.assert_called_once_with(action.context, policy.id,
project_safe=False)
# last_op was updated for POST check
self.assertEqual(action.inputs['last_op'], pb.last_op)
# pre_op is called, but post_op was not called
@ -1144,7 +1147,7 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
mock_load_all.assert_called_once_with(
action.context, cluster_id, sort='priority',
filters={'enabled': True})
calls = [mock.call(action.context, policy1.id)]
calls = [mock.call(action.context, policy1.id, project_safe=False)]
mock_load.assert_has_calls(calls)


Loading…
Cancel
Save