Merge "Add new default roles in lock server policies"

2020-04-01 17:11:34 +00:00 · 2020-04-01 17:11:34 +00:00 · 1f6719f5b4
parent 0fb9302428 fa367c13eb
commit 1f6719f5b4
2 changed files with 56 additions and 15 deletions
--- a/nova/policies/lock_server.py
+++ b/nova/policies/lock_server.py
@ -23,40 +23,43 @@ POLICY_ROOT = 'os_compute_api:os-lock-server:%s'

 lock_server_policies = [
    policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'lock',
-        base.RULE_ADMIN_OR_OWNER,
-        "Lock a server",
-        [
+        name=POLICY_ROOT % 'lock',
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        description="Lock a server",
+        operations=[
            {
                'path': '/servers/{server_id}/action (lock)',
                'method': 'POST'
            }
-        ]
+        ],
+        scope_types=['system', 'project']
    ),
    policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'unlock',
-        base.RULE_ADMIN_OR_OWNER,
-        "Unlock a server",
-        [
+        name=POLICY_ROOT % 'unlock',
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        description="Unlock a server",
+        operations=[
            {
                'path': '/servers/{server_id}/action (unlock)',
                'method': 'POST'
            }
-        ]
+        ],
+        scope_types=['system', 'project']
    ),
    policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'unlock:unlock_override',
-        base.RULE_ADMIN_API,
-        """Unlock a server, regardless who locked the server.
+        name=POLICY_ROOT % 'unlock:unlock_override',
+        check_str=base.SYSTEM_ADMIN,
+        description="""Unlock a server, regardless who locked the server.

 This check is performed only after the check
 os_compute_api:os-lock-server:unlock passes""",
-        [
+        operations=[
            {
                'path': '/servers/{server_id}/action (unlock)',
                'method': 'POST'
            }
-        ]
+        ],
+        scope_types=['system', 'project']
    ),
 ]

--- a/nova/tests/unit/policies/test_lock_server.py
+++ b/nova/tests/unit/policies/test_lock_server.py
@ -144,3 +144,41 @@ class LockServerScopeTypePolicyTest(LockServerPolicyTest):
    def setUp(self):
        super(LockServerScopeTypePolicyTest, self).setUp()
        self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class LockServerNoLegacyPolicyTest(LockServerScopeTypePolicyTest):
+    """Test Lock Server APIs policies with system scope enabled,
+    and no more deprecated rules that allow the legacy admin API to
+    access system APIs.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(LockServerNoLegacyPolicyTest, self).setUp()
+        # Check that system admin or and server owner is able to lock/unlock
+        # the sevrer
+        self.admin_or_owner_authorized_contexts = [
+            self.system_admin_context,
+            self.project_admin_context, self.project_member_context]
+        # Check that non-system/admin/owner is not able to lock/unlock
+        # the server
+        self.admin_or_owner_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.system_foo_context,
+            self.other_project_member_context, self.project_reader_context,
+            self.project_foo_context
+        ]
+
+        # Check that system admin is able to unlock the server which is
+        # locked by other
+        self.admin_authorized_contexts = [
+            self.system_admin_context]
+        # Check that system non-admin is not able to unlock the server
+        # which is locked by other
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.system_foo_context,
+            self.project_admin_context, self.project_member_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context
+        ]