Merge "Add new default roles in lock server policies"
This commit is contained in:
commit
1f6719f5b4
|
@ -23,40 +23,43 @@ POLICY_ROOT = 'os_compute_api:os-lock-server:%s'
|
|||
|
||||
lock_server_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
POLICY_ROOT % 'lock',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
"Lock a server",
|
||||
[
|
||||
name=POLICY_ROOT % 'lock',
|
||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||
description="Lock a server",
|
||||
operations=[
|
||||
{
|
||||
'path': '/servers/{server_id}/action (lock)',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
],
|
||||
scope_types=['system', 'project']
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
POLICY_ROOT % 'unlock',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
"Unlock a server",
|
||||
[
|
||||
name=POLICY_ROOT % 'unlock',
|
||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||
description="Unlock a server",
|
||||
operations=[
|
||||
{
|
||||
'path': '/servers/{server_id}/action (unlock)',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
],
|
||||
scope_types=['system', 'project']
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
POLICY_ROOT % 'unlock:unlock_override',
|
||||
base.RULE_ADMIN_API,
|
||||
"""Unlock a server, regardless who locked the server.
|
||||
name=POLICY_ROOT % 'unlock:unlock_override',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
description="""Unlock a server, regardless who locked the server.
|
||||
|
||||
This check is performed only after the check
|
||||
os_compute_api:os-lock-server:unlock passes""",
|
||||
[
|
||||
operations=[
|
||||
{
|
||||
'path': '/servers/{server_id}/action (unlock)',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
],
|
||||
scope_types=['system', 'project']
|
||||
),
|
||||
]
|
||||
|
||||
|
|
|
@ -144,3 +144,41 @@ class LockServerScopeTypePolicyTest(LockServerPolicyTest):
|
|||
def setUp(self):
|
||||
super(LockServerScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
|
||||
|
||||
class LockServerNoLegacyPolicyTest(LockServerScopeTypePolicyTest):
|
||||
"""Test Lock Server APIs policies with system scope enabled,
|
||||
and no more deprecated rules that allow the legacy admin API to
|
||||
access system APIs.
|
||||
"""
|
||||
without_deprecated_rules = True
|
||||
|
||||
def setUp(self):
|
||||
super(LockServerNoLegacyPolicyTest, self).setUp()
|
||||
# Check that system admin or and server owner is able to lock/unlock
|
||||
# the sevrer
|
||||
self.admin_or_owner_authorized_contexts = [
|
||||
self.system_admin_context,
|
||||
self.project_admin_context, self.project_member_context]
|
||||
# Check that non-system/admin/owner is not able to lock/unlock
|
||||
# the server
|
||||
self.admin_or_owner_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.other_project_member_context, self.project_reader_context,
|
||||
self.project_foo_context
|
||||
]
|
||||
|
||||
# Check that system admin is able to unlock the server which is
|
||||
# locked by other
|
||||
self.admin_authorized_contexts = [
|
||||
self.system_admin_context]
|
||||
# Check that system non-admin is not able to unlock the server
|
||||
# which is locked by other
|
||||
self.admin_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
|
Loading…
Reference in New Issue