Merge "Add new default roles in migrations policies"
commit
6691517703
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-migrations:%s'
|
|||
migrations_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'index',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
check_str=base.SYSTEM_READER,
|
||||
description="List migrations",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
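Review bot: Nothing near the `check_str` line for `os-migrations:index` says why a read-only role is now sufficient for a listing that is not limited to one project. The +/- markers are lost on this page, so it is inferred from the commit title that `base.SYSTEM_READER` is the new value and `base.RULE_ADMIN_API` the old one. The `DocumentedRuleDefault(...)` call continues past the end of the hunk, so whether `scope_types` and a `deprecated_rule` carrying the previous admin-only default are set cannot be seen here and should be confirmed. I would add a comment above the new line, `# Deployment-wide, read-only listing: a system-scoped reader is the minimum role.`, and note the widened default in the release notes so operators who want the listing to stay admin-only know to override the rule.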
@ -71,6 +71,7 @@ policy_data = """
|
|||
"os_compute_api:os-lock-server:unlock": "",
|
||||
"os_compute_api:os-migrate-server:migrate": "",
|
||||
"os_compute_api:os-migrate-server:migrate_live": "",
|
||||
"os_compute_api:os-migrations:index": "",
|
||||
"os_compute_api:os-multinic": "",
|
||||
"os_compute_api:os-networks:view": "",
|
||||
"os_compute_api:os-tenant-networks": "",
|
||||
|
|
|
@ -33,13 +33,13 @@ class MigrationsPolicyTest(base.BasePolicyTest):
|
|||
self.req = fakes.HTTPRequest.blank('')
|
||||
|
||||
# Check that admin is able to list migrations.
|
||||
self.admin_authorized_contexts = [
|
||||
self.reader_authorized_contexts = [
|
||||
self.legacy_admin_context, self.system_admin_context,
|
||||
self.project_admin_context
|
||||
self.project_admin_context, self.system_member_context,
|
||||
self.system_reader_context
|
||||
]
|
||||
# Check that non-admin is not able to list migrations.
|
||||
self.admin_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
|
@ -48,8 +48,8 @@ class MigrationsPolicyTest(base.BasePolicyTest):
|
|||
@mock.patch('nova.compute.api.API.get_migrations')
|
||||
def test_list_migrations_policy(self, mock_migration):
|
||||
rule_name = migrations_policies.POLICY_ROOT % 'index'
|
||||
self.common_policy_check(self.admin_authorized_contexts,
|
||||
self.admin_unauthorized_contexts,
|
||||
self.common_policy_check(self.reader_authorized_contexts,
|
||||
self.reader_unauthorized_contexts,
|
||||
rule_name, self.controller.index,
|
||||
self.req)
|
||||
|
||||
|
@ -69,13 +69,13 @@ class MigrationsScopeTypePolicyTest(MigrationsPolicyTest):
|
|||
super(MigrationsScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
|
||||
# Check that system admin is able to list migrations.
|
||||
self.admin_authorized_contexts = [
|
||||
self.system_admin_context]
|
||||
# Check that non system admin is not able to list migrations.
|
||||
self.admin_unauthorized_contexts = [
|
||||
# Check that system reader is able to list migrations.
|
||||
self.reader_authorized_contexts = [
|
||||
self.system_admin_context, self.system_member_context,
|
||||
self.system_reader_context]
|
||||
# Check that non system reader is not able to list migrations.
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
|
|
|
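Review bot: In `MigrationsPolicyTest.setUp` (first hunk of this file) the comments above the renamed lists still read `# Check that admin is able to list migrations.` and `# Check that non-admin is not able to list migrations.`, but the lists are now `reader_authorized_contexts` / `reader_unauthorized_contexts` and the authorized one includes `system_member_context` and `system_reader_context`. The scope-type subclass further down had its comments reworded to "system reader", so the base class should match, e.g. `# Check that system reader (or legacy admin) is able to list migrations.` and `# Check that non-system-reader is not able to list migrations.`. The +/- markers are lost on this page, so this treats the comment lines that are printed only once as unchanged context. `setUp` begins outside the hunk.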
@ -356,7 +356,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"os_compute_api:os-simple-tenant-usage:list",
|
||||
"os_compute_api:os-availability-zone:detail",
|
||||
"os_compute_api:os-used-limits",
|
||||
"os_compute_api:os-migrations:index",
|
||||
"os_compute_api:os-assisted-volume-snapshots:create",
|
||||
"os_compute_api:os-assisted-volume-snapshots:delete",
|
||||
"os_compute_api:os-console-auth-tokens",
|
||||
|
@ -456,6 +455,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
)
|
||||
|
||||
self.system_reader_rules = (
|
||||
"os_compute_api:os-migrations:index",
|
||||
"os_compute_api:os-services:list",
|
||||
"os_compute_api:os-instance-actions:events:details",
|
||||
"os_compute_api:os-instance-usage-audit-log:list",
|
||||
|
|