Load projects without restrictions in policy_check

The policy_check needs to load projects without project safe restriction
because it is possible for users to attach policies belonging to other
projects.

Change-Id: I019e7765bdce3f3338167ce11660f4eae70639fc
Closes-Bug: #1896099
Duc Truong 2020-11-05 22:50:18 +00:00
parent d4ec93ae55
commit 6133e815e3
2 changed files with 9 additions and 5 deletions


@ -531,7 +531,8 @@ class Action(object):
self.data['reason'] = 'Completed policy checking.' self.data['reason'] = 'Completed policy checking.'
for pb in bindings: for pb in bindings:
policy = policy_mod.Policy.load(self.context, pb.policy_id) policy = policy_mod.Policy.load(self.context, pb.policy_id,
project_safe=False)
# add last_op as input for the policy so that it can be used # add last_op as input for the policy so that it can be used
# during pre_op # during pre_op


@ -1017,7 +1017,8 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
mock_load_all.assert_called_once_with( mock_load_all.assert_called_once_with(
action.context, cluster_id, sort='priority', action.context, cluster_id, sort='priority',
filters={'enabled': True}) filters={'enabled': True})
mock_load.assert_called_once_with(action.context, policy.id) mock_load.assert_called_once_with(action.context, policy.id,
project_safe=False)
# last_op was updated anyway # last_op was updated anyway
self.assertEqual(action.inputs['last_op'], pb.last_op) self.assertEqual(action.inputs['last_op'], pb.last_op)
# neither pre_op nor post_op was called, because target not match # neither pre_op nor post_op was called, because target not match
@ -1076,7 +1077,8 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
mock_load_all.assert_called_once_with( mock_load_all.assert_called_once_with(
action.context, cluster_id, sort='priority', action.context, cluster_id, sort='priority',
filters={'enabled': True}) filters={'enabled': True})
mock_load.assert_called_once_with(action.context, policy.id) mock_load.assert_called_once_with(action.context, policy.id,
project_safe=False)
# last_op was not updated # last_op was not updated
self.assertIsNone(pb.last_op) self.assertIsNone(pb.last_op)
@ -1103,7 +1105,8 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
mock_load_all.assert_called_once_with( mock_load_all.assert_called_once_with(
action.context, cluster_id, sort='priority', action.context, cluster_id, sort='priority',
filters={'enabled': True}) filters={'enabled': True})
mock_load.assert_called_once_with(action.context, policy.id) mock_load.assert_called_once_with(action.context, policy.id,
project_safe=False)
# last_op was updated for POST check # last_op was updated for POST check
self.assertEqual(action.inputs['last_op'], pb.last_op) self.assertEqual(action.inputs['last_op'], pb.last_op)
# pre_op is called, but post_op was not called # pre_op is called, but post_op was not called
@ -1144,7 +1147,7 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
mock_load_all.assert_called_once_with( mock_load_all.assert_called_once_with(
action.context, cluster_id, sort='priority', action.context, cluster_id, sort='priority',
filters={'enabled': True}) filters={'enabled': True})
calls = [mock.call(action.context, policy1.id)] calls = [mock.call(action.context, policy1.id, project_safe=False)]
mock_load.assert_has_calls(calls) mock_load.assert_has_calls(calls)