Merge "Add new default roles in server diagnostics policies"

This commit is contained in:
Zuul 2020-04-02 18:39:11 +00:00 committed by Gerrit Code Review
commit 57f4f9b960
2 changed files with 24 additions and 1 deletions

View File

@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-server-diagnostics'
server_diagnostics_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API,
check_str=base.SYSTEM_ADMIN,
description="Show the usage data for a server",
operations=[
{

View File

@ -80,3 +80,26 @@ class ServerDiagnosticsScopeTypePolicyTest(ServerDiagnosticsPolicyTest):
def setUp(self):
super(ServerDiagnosticsScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
class ServerDiagnosticsNoLegacyPolicyTest(
ServerDiagnosticsScopeTypePolicyTest):
"""Test Server Diagnostics APIs policies with system scope enabled,
and no more deprecated rules.
"""
without_deprecated_rules = True
def setUp(self):
super(ServerDiagnosticsNoLegacyPolicyTest, self).setUp()
# Check that system admin is able to get server diagnostics.
self.admin_authorized_contexts = [
self.system_admin_context
]
# Check that non system admin is not able to get server diagnostics.
self.admin_unauthorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_member_context
]