Merge "Add new default roles in rescue server policies"

This commit is contained in:
Zuul 2020-04-01 23:29:59 +00:00 committed by Gerrit Code Review
commit 241cffbeba
5 changed files with 57 additions and 4 deletions

View File

@ -84,7 +84,7 @@ class RescueController(wsgi.Controller):
"""Unrescue an instance."""
context = req.environ["nova.context"]
instance = common.get_instance(self.compute_api, context, id)
context.can(rescue_policies.BASE_POLICY_NAME,
context.can(rescue_policies.UNRESCUE_POLICY_NAME,
target={'project_id': instance.project_id})
try:
self.compute_api.unrescue(context, instance)

View File

@ -19,24 +19,45 @@ from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-rescue'
UNRESCUE_POLICY_NAME = 'os_compute_api:os-unrescue'
DEPRECATED_POLICY = policy.DeprecatedRule(
'os_compute_api:os-rescue',
base.RULE_ADMIN_OR_OWNER,
)
DEPRECATED_REASON = """
Rescue/Unrescue API policies are made granular with new policy
for unrescue and keeping old policy for rescue.
"""
rescue_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER,
description="Rescue/unrescue a server",
description="Rescue a server",
operations=[
{
'path': '/servers/{server_id}/action (rescue)',
'method': 'POST'
},
],
scope_types=['system', 'project']),
policy.DocumentedRuleDefault(
name=UNRESCUE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER,
description="Unrescue a server",
operations=[
{
'path': '/servers/{server_id}/action (unrescue)',
'method': 'POST'
}
],
scope_types=['system', 'project']
scope_types=['system', 'project'],
deprecated_rule=DEPRECATED_POLICY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'
),
]

View File

@ -84,6 +84,7 @@ policy_data = """
"os_compute_api:os-quota-class-sets:update": "",
"os_compute_api:os-quota-class-sets:show": "",
"os_compute_api:os-rescue": "",
"os_compute_api:os-unrescue": "",
"os_compute_api:os-server-diagnostics": "",
"os_compute_api:os-server-password": "",
"os_compute_api:os-server-tags:index": "",

View File

@ -12,6 +12,7 @@
import fixtures
import mock
from nova.policies import base as base_policy
from nova.policies import rescue as rs_policies
from oslo_utils.fixture import uuidsentinel as uuids
from oslo_utils import timeutils
@ -73,7 +74,7 @@ class RescueServerPolicyTest(base.BasePolicyTest):
@mock.patch('nova.compute.api.API.unrescue')
def test_unrescue_server_policy(self, mock_unrescue):
rule_name = rs_policies.BASE_POLICY_NAME
rule_name = rs_policies.UNRESCUE_POLICY_NAME
self.common_policy_check(self.admin_or_owner_authorized_contexts,
self.admin_or_owner_unauthorized_contexts,
rule_name,
@ -117,3 +118,32 @@ class RescueServerScopeTypePolicyTest(RescueServerPolicyTest):
def setUp(self):
super(RescueServerScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
class RescueServerNoLegacyPolicyTest(RescueServerScopeTypePolicyTest):
"""Test Rescue Server APIs policies with system scope enabled,
and no more deprecated rules that allow the legacy admin API to
access system APIs.
"""
without_deprecated_rules = True
rules_without_deprecation = {
rs_policies.UNRESCUE_POLICY_NAME:
base_policy.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
rs_policies.BASE_POLICY_NAME:
base_policy.PROJECT_MEMBER_OR_SYSTEM_ADMIN}
def setUp(self):
super(RescueServerNoLegacyPolicyTest, self).setUp()
# Check that system admin or and server owner is able to
# rescue/unrescue the sevrer
self.admin_or_owner_authorized_contexts = [
self.system_admin_context,
self.project_admin_context, self.project_member_context]
# Check that non-system/admin/owner is not able to rescue/unrescue
# the server
self.admin_or_owner_unauthorized_contexts = [
self.legacy_admin_context, self.system_member_context,
self.system_reader_context, self.system_foo_context,
self.other_project_member_context, self.project_reader_context,
self.project_foo_context
]

View File

@ -429,6 +429,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-multinic",
"os_compute_api:os-networks:view",
"os_compute_api:os-rescue",
"os_compute_api:os-unrescue",
"os_compute_api:os-security-groups",
"os_compute_api:os-server-password",
"os_compute_api:os-server-tags:delete",