Merge "Add new default roles in remote console policies"

2020-04-02 11:03:44 +00:00 · 2020-04-02 11:03:44 +00:00 · 43f30e876d
parent 241cffbeba 1c45a2f435
commit 43f30e876d
2 changed files with 34 additions and 2 deletions
--- a/nova/policies/remote_consoles.py
+++ b/nova/policies/remote_consoles.py
@ -24,8 +24,16 @@ BASE_POLICY_NAME = 'os_compute_api:os-remote-consoles'
 remote_consoles_policies = [
    policy.DocumentedRuleDefault(
        name=BASE_POLICY_NAME,
-        check_str=base.RULE_ADMIN_OR_OWNER,
-        description="Generate a URL to access remove server console",
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        description="""Generate a URL to access remove server console.
+
+This policy is for ``POST /remote-consoles`` API and below Server actions APIs
+are deprecated:
+
+- ``os-getRDPConsole``
+- ``os-getSerialConsole``
+- ``os-getSPICEConsole``
+- ``os-getVNCConsole``.""",
        operations=[
            {
                'method': 'POST',
--- a/nova/tests/unit/policies/test_remote_consoles.py
+++ b/nova/tests/unit/policies/test_remote_consoles.py
@ -87,3 +87,27 @@ class RemoteConsolesScopeTypePolicyTest(RemoteConsolesPolicyTest):
    def setUp(self):
        super(RemoteConsolesScopeTypePolicyTest, self).setUp()
        self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class RemoteConsolesNoLegacyPolicyTest(RemoteConsolesScopeTypePolicyTest):
+    """Test Remote Consoles APIs policies with system scope enabled,
+    and no more deprecated rules that allow the legacy admin API to
+    access system APIs.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(RemoteConsolesNoLegacyPolicyTest, self).setUp()
+        # Check that system admin or and server owner is able to get server
+        # remote consoles.
+        self.admin_or_owner_authorized_contexts = [
+            self.system_admin_context,
+            self.project_admin_context, self.project_member_context]
+        # Check that non-system/admin/owner is not able to get server
+        # remote consoles.
+        self.admin_or_owner_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.system_foo_context,
+            self.other_project_member_context, self.project_reader_context,
+            self.project_foo_context
+        ]