Merge "Add new default roles in migrations policies"

Zuul 2020-04-02 23:08:29 +00:00 committed by Gerrit Code Review
commit 6691517703
4 changed files with 15 additions and 14 deletions


@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-migrations:%s'
migrations_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.RULE_ADMIN_API,
check_str=base.SYSTEM_READER,
description="List migrations",
operations=[
{
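Review bot: The relaxed default at `check_str=base.SYSTEM_READER` ships without operator-facing documentation: the description still reads only "List migrations", and none of the four file sections shown looks like a release note. The tests in this commit move the system member and system reader contexts from the unauthorized list to the authorized one, so a deployment that relied on the old admin-only default gets wider read access to migration records on upgrade. I would add an upgrade release note stating the new default, plus a comment above the rule such as `# Default relaxed from admin to system reader; override in the policy file to keep it admin-only.` The `DocumentedRuleDefault(...)` call continues past the end of the hunk, so whether `scope_types` limits this rule to system scope is not visible here and should be confirmed.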


@ -71,6 +71,7 @@ policy_data = """
"os_compute_api:os-lock-server:unlock": "",
"os_compute_api:os-migrate-server:migrate": "",
"os_compute_api:os-migrate-server:migrate_live": "",
"os_compute_api:os-migrations:index": "",
"os_compute_api:os-multinic": "",
"os_compute_api:os-networks:view": "",
"os_compute_api:os-tenant-networks": "",


@ -33,13 +33,13 @@ class MigrationsPolicyTest(base.BasePolicyTest):
self.req = fakes.HTTPRequest.blank('')
# Check that admin is able to list migrations.
self.admin_authorized_contexts = [
self.reader_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context
self.project_admin_context, self.system_member_context,
self.system_reader_context
]
# Check that non-admin is not able to list migrations.
self.admin_unauthorized_contexts = [
self.system_member_context, self.system_reader_context,
self.reader_unauthorized_contexts = [
self.system_foo_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_member_context
@ -48,8 +48,8 @@ class MigrationsPolicyTest(base.BasePolicyTest):
@mock.patch('nova.compute.api.API.get_migrations')
def test_list_migrations_policy(self, mock_migration):
rule_name = migrations_policies.POLICY_ROOT % 'index'
self.common_policy_check(self.admin_authorized_contexts,
self.admin_unauthorized_contexts,
self.common_policy_check(self.reader_authorized_contexts,
self.reader_unauthorized_contexts,
rule_name, self.controller.index,
self.req)
@ -69,13 +69,13 @@ class MigrationsScopeTypePolicyTest(MigrationsPolicyTest):
super(MigrationsScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Check that system admin is able to list migrations.
self.admin_authorized_contexts = [
self.system_admin_context]
# Check that non system admin is not able to list migrations.
self.admin_unauthorized_contexts = [
# Check that system reader is able to list migrations.
self.reader_authorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context]
# Check that non system reader is not able to list migrations.
self.reader_unauthorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_member_context
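Review bot: The two comments in the first hunk (`MigrationsPolicyTest` setup), `# Check that admin is able to list migrations.` and `# Check that non-admin is not able to list migrations.`, appear to be unchanged context and no longer match the lists below them, which are now `reader_authorized_contexts` (including system member and system reader) and `reader_unauthorized_contexts`. The scope-type test class in the third hunk did get its comments updated to say "system reader", so the two classes now read inconsistently. I would change the first pair to `# Check that system reader (or legacy/project admin) is able to list migrations.` and `# Check that all other contexts are not able to list migrations.` The +/- markers are lost on this page, so the unchanged status of those comments is inferred from each being printed only once.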


@ -356,7 +356,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-simple-tenant-usage:list",
"os_compute_api:os-availability-zone:detail",
"os_compute_api:os-used-limits",
"os_compute_api:os-migrations:index",
"os_compute_api:os-assisted-volume-snapshots:create",
"os_compute_api:os-assisted-volume-snapshots:delete",
"os_compute_api:os-console-auth-tokens",
@ -456,6 +455,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
)
self.system_reader_rules = (
"os_compute_api:os-migrations:index",
"os_compute_api:os-services:list",
"os_compute_api:os-instance-actions:events:details",
"os_compute_api:os-instance-usage-audit-log:list",