Merge "Pass the actual target in server diagnostics policy"

This commit is contained in:
Zuul 2020-04-09 18:13:39 +00:00 committed by Gerrit Code Review
commit 9bf6805a83
3 changed files with 37 additions and 3 deletions

View File

@ -34,9 +34,9 @@ class ServerDiagnosticsController(wsgi.Controller):
@wsgi.expected_errors((400, 404, 409, 501))
def index(self, req, server_id):
context = req.environ["nova.context"]
context.can(sd_policies.BASE_POLICY_NAME)
instance = common.get_instance(self.compute_api, context, server_id)
context.can(sd_policies.BASE_POLICY_NAME,
target={'project_id': instance.project_id})
try:
if api_version_request.is_supported(req, min_version='2.48'):

View File

@ -32,7 +32,9 @@ def fake_instance_get(self, _context, instance_uuid, expected_attrs=None,
cell_down_support=False):
if instance_uuid != UUID:
raise Exception("Invalid UUID")
return objects.Instance(uuid=instance_uuid, host='123')
return objects.Instance(uuid=instance_uuid,
project_id=_context.project_id,
host='123')
class ServerDiagnosticsTestV21(test.NoDBTestCase):

View File

@ -17,6 +17,7 @@ from oslo_utils import timeutils
from nova.api.openstack.compute import server_diagnostics
from nova.compute import vm_states
from nova.policies import base as base_policy
from nova.policies import server_diagnostics as policies
from nova.tests.unit.api.openstack import fakes
from nova.tests.unit import fake_instance
@ -103,3 +104,34 @@ class ServerDiagnosticsNoLegacyPolicyTest(
self.project_reader_context, self.project_foo_context,
self.other_project_member_context
]
class ServerDiagnosticsOverridePolicyTest(ServerDiagnosticsNoLegacyPolicyTest):
"""Test Server Diagnostics APIs policies with system and project scoped
but default to system roles only are allowed for project roles
if override by operators. This test is with system scope enable
and no more deprecated rules.
"""
def setUp(self):
super(ServerDiagnosticsOverridePolicyTest, self).setUp()
rule = policies.BASE_POLICY_NAME
# NOTE(gmann): override the rule to project member and verify it
# work as policy is system and projct scoped.
self.policy.set_rules({
rule: base_policy.PROJECT_MEMBER_OR_SYSTEM_ADMIN},
overwrite=False)
# Check that system admin or project scoped role as override above
# is able to get server diagnostics.
self.admin_authorized_contexts = [
self.system_admin_context,
self.project_admin_context, self.project_member_context]
# Check that non-system admin or project role is not able to
# get server diagnostics.
self.admin_unauthorized_contexts = [
self.legacy_admin_context, self.system_member_context,
self.system_reader_context, self.system_foo_context,
self.other_project_member_context,
self.project_foo_context, self.project_reader_context
]