Load projects without restrictions in policy_check
The policy_check needs to load projects without project safe restriction because it is possible for users to attach policies belonging to other projects. Change-Id: I019e7765bdce3f3338167ce11660f4eae70639fc Closes-Bug: #1896099
This commit is contained in:
parent
d4ec93ae55
commit
6133e815e3
|
@ -531,7 +531,8 @@ class Action(object):
|
|||
self.data['reason'] = 'Completed policy checking.'
|
||||
|
||||
for pb in bindings:
|
||||
policy = policy_mod.Policy.load(self.context, pb.policy_id)
|
||||
policy = policy_mod.Policy.load(self.context, pb.policy_id,
|
||||
project_safe=False)
|
||||
|
||||
# add last_op as input for the policy so that it can be used
|
||||
# during pre_op
|
||||
|
|
|
@ -1017,7 +1017,8 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
|
|||
mock_load_all.assert_called_once_with(
|
||||
action.context, cluster_id, sort='priority',
|
||||
filters={'enabled': True})
|
||||
mock_load.assert_called_once_with(action.context, policy.id)
|
||||
mock_load.assert_called_once_with(action.context, policy.id,
|
||||
project_safe=False)
|
||||
# last_op was updated anyway
|
||||
self.assertEqual(action.inputs['last_op'], pb.last_op)
|
||||
# neither pre_op nor post_op was called, because target not match
|
||||
|
@ -1076,7 +1077,8 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
|
|||
mock_load_all.assert_called_once_with(
|
||||
action.context, cluster_id, sort='priority',
|
||||
filters={'enabled': True})
|
||||
mock_load.assert_called_once_with(action.context, policy.id)
|
||||
mock_load.assert_called_once_with(action.context, policy.id,
|
||||
project_safe=False)
|
||||
# last_op was not updated
|
||||
self.assertIsNone(pb.last_op)
|
||||
|
||||
|
@ -1103,7 +1105,8 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
|
|||
mock_load_all.assert_called_once_with(
|
||||
action.context, cluster_id, sort='priority',
|
||||
filters={'enabled': True})
|
||||
mock_load.assert_called_once_with(action.context, policy.id)
|
||||
mock_load.assert_called_once_with(action.context, policy.id,
|
||||
project_safe=False)
|
||||
# last_op was updated for POST check
|
||||
self.assertEqual(action.inputs['last_op'], pb.last_op)
|
||||
# pre_op is called, but post_op was not called
|
||||
|
@ -1144,7 +1147,7 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
|
|||
mock_load_all.assert_called_once_with(
|
||||
action.context, cluster_id, sort='priority',
|
||||
filters={'enabled': True})
|
||||
calls = [mock.call(action.context, policy1.id)]
|
||||
calls = [mock.call(action.context, policy1.id, project_safe=False)]
|
||||
mock_load.assert_has_calls(calls)
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue