Remove deprecated 'os-flavor-manage' policy
Remove the 'os_compute_api:os-flavor-manage' policy. The 'os_compute_api:os-flavor-manage' policy has been deprecated since 16.0.0 Pike. The policy has been replaced with the following policies. - os_compute_api:os-flavor-manage:create - os_compute_api:os-flavor-manage:delete Change-Id: I856498dfcebfa330598a22dd7c660bd6f158351b
parent
bcc4d233ef
commit
dedeff70a7
|
@ -19,8 +19,10 @@ manage flavors. To see information for this command, run:
|
|||
.. note::
|
||||
|
||||
Configuration rights can be delegated to additional users by redefining
|
||||
the access controls for ``os_compute_api:os-flavor-manage`` in
|
||||
``/etc/nova/policy.json`` on the ``nova-api`` server.
|
||||
the access controls for ``os_compute_api:os-flavor-manage:create``,
|
||||
``os_compute_api:os-flavor-manage:update`` and
|
||||
``os_compute_api:os-flavor-manage:delete`` in ``/etc/nova/policy.json``
|
||||
on the ``nova-api`` server.
|
||||
|
||||
.. note::
|
||||
|
||||
|
|
|
@ -20,10 +20,8 @@ from nova.api import validation
|
|||
from nova.compute import flavors
|
||||
from nova import exception
|
||||
from nova import objects
|
||||
from nova.policies import base
|
||||
from nova.policies import flavor_extra_specs as fes_policies
|
||||
from nova.policies import flavor_manage as fm_policies
|
||||
from nova import policy
|
||||
|
||||
|
||||
ALIAS = "os-flavor-manage"
|
||||
|
@ -44,15 +42,7 @@ class FlavorManageController(wsgi.Controller):
|
|||
@wsgi.action("delete")
|
||||
def _delete(self, req, id):
|
||||
context = req.environ['nova.context']
|
||||
# TODO(rb560u): remove this check in future release
|
||||
using_old_action = \
|
||||
policy.verify_deprecated_policy(fm_policies.BASE_POLICY_NAME,
|
||||
fm_policies.POLICY_ROOT % 'delete',
|
||||
base.RULE_ADMIN_API,
|
||||
context)
|
||||
|
||||
if not using_old_action:
|
||||
context.can(fm_policies.POLICY_ROOT % 'delete')
|
||||
context.can(fm_policies.POLICY_ROOT % 'delete')
|
||||
|
||||
flavor = objects.Flavor(context=context, flavorid=id)
|
||||
try:
|
||||
|
@ -70,15 +60,7 @@ class FlavorManageController(wsgi.Controller):
|
|||
flavors_view.FLAVOR_DESCRIPTION_MICROVERSION)
|
||||
def _create(self, req, body):
|
||||
context = req.environ['nova.context']
|
||||
# TODO(rb560u): remove this check in future release
|
||||
using_old_action = \
|
||||
policy.verify_deprecated_policy(fm_policies.BASE_POLICY_NAME,
|
||||
fm_policies.POLICY_ROOT % 'create',
|
||||
base.RULE_ADMIN_API,
|
||||
context)
|
||||
|
||||
if not using_old_action:
|
||||
context.can(fm_policies.POLICY_ROOT % 'create')
|
||||
context.can(fm_policies.POLICY_ROOT % 'create')
|
||||
|
||||
vals = body['flavor']
|
||||
|
||||
|
|
|
@ -19,32 +19,13 @@ from oslo_policy import policy
|
|||
from nova.policies import base
|
||||
|
||||
|
||||
BASE_POLICY_NAME = 'os_compute_api:os-flavor-manage'
|
||||
POLICY_ROOT = 'os_compute_api:os-flavor-manage:%s'
|
||||
BASE_POLICY_RULE = 'rule:%s' % BASE_POLICY_NAME
|
||||
|
||||
|
||||
flavor_manage_policies = [
|
||||
# TODO(rb560u): remove this rule in future release
|
||||
policy.DocumentedRuleDefault(
|
||||
BASE_POLICY_NAME,
|
||||
base.RULE_ADMIN_API,
|
||||
"Create and delete Flavors. Deprecated in Pike and will be "
|
||||
"removed in future release",
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/flavors'
|
||||
},
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/flavors/{flavor_id}'
|
||||
},
|
||||
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
POLICY_ROOT % 'create',
|
||||
BASE_POLICY_RULE,
|
||||
base.RULE_ADMIN_API,
|
||||
"Create a flavor",
|
||||
[
|
||||
{
|
||||
|
@ -64,7 +45,7 @@ flavor_manage_policies = [
|
|||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
POLICY_ROOT % 'delete',
|
||||
BASE_POLICY_RULE,
|
||||
base.RULE_ADMIN_API,
|
||||
"Delete a flavor",
|
||||
[
|
||||
{
|
||||
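Review bot: Switching the defaults of `POLICY_ROOT % 'create'` and `POLICY_ROOT % 'delete'` from `BASE_POLICY_RULE` to `base.RULE_ADMIN_API` means a deployment that customised only `os_compute_api:os-flavor-manage` in its policy file silently stops enforcing that customisation: the entry can stay in the file but, as far as these hunks show, nothing references it any more, so create and delete fall back to the admin-only default. Depending on what the old override said, that either widens access compared with the operator's intent or breaks a deliberate delegation, and neither case fails loudly at startup. The upgrade note in this commit only lists the replacement names; I would add a sentence such as `Overrides of os_compute_api:os-flavor-manage in the policy file are ignored after upgrade; copy them to the :create and :delete rules first.` The `flavor_manage_policies` list continues outside both hunks, so the `:update` entry is not visible here.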
|
|
|
@ -25,7 +25,6 @@ from nova.compute import flavors
|
|||
from nova.db import api as db
|
||||
from nova import exception
|
||||
from nova import objects
|
||||
from nova import policy
|
||||
from nova import test
|
||||
from nova.tests.unit.api.openstack import fakes
|
||||
|
||||
|
@ -494,7 +493,7 @@ class FlavorManagerPolicyEnforcementV21(test.TestCase):
|
|||
self.req = fakes.HTTPRequest.blank('')
|
||||
|
||||
def test_create_policy_failed(self):
|
||||
rule_name = "os_compute_api:os-flavor-manage"
|
||||
rule_name = "os_compute_api:os-flavor-manage:create"
|
||||
self.policy.set_rules({rule_name: "project:non_fake"})
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
|
@ -514,7 +513,7 @@ class FlavorManagerPolicyEnforcementV21(test.TestCase):
|
|||
exc.format_message())
|
||||
|
||||
def test_delete_policy_failed(self):
|
||||
rule_name = "os_compute_api:os-flavor-manage"
|
||||
rule_name = "os_compute_api:os-flavor-manage:delete"
|
||||
self.policy.set_rules({rule_name: "project:non_fake"})
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
|
@ -526,170 +525,6 @@ class FlavorManagerPolicyEnforcementV21(test.TestCase):
|
|||
"Policy doesn't allow %s to be performed." % rule_name,
|
||||
exc.format_message())
|
||||
|
||||
@mock.patch.object(policy.LOG, 'warning')
|
||||
def test_create_policy_rbac_inherit_default(self, mock_warning):
|
||||
"""Test to verify inherited rule is working. The rule of the
|
||||
deprecated action is not set to the default, so the deprecated
|
||||
action is being enforced
|
||||
"""
|
||||
|
||||
default_flavor_policy = "os_compute_api:os-flavor-manage"
|
||||
create_flavor_policy = "os_compute_api:os-flavor-manage:create"
|
||||
rules = {default_flavor_policy: 'is_admin:True',
|
||||
create_flavor_policy: 'rule:%s' % default_flavor_policy,
|
||||
"os_compute_api:os-flavor-access": "project:non_fake"}
|
||||
self.policy.set_rules(rules)
|
||||
body = {
|
||||
"flavor": {
|
||||
"name": "azAZ09. -_",
|
||||
"ram": 512,
|
||||
"vcpus": 2,
|
||||
"disk": 1,
|
||||
"OS-FLV-EXT-DATA:ephemeral": 1,
|
||||
"id": six.text_type('1234'),
|
||||
"swap": 512,
|
||||
"rxtx_factor": 1,
|
||||
"os-flavor-access:is_public": True,
|
||||
}
|
||||
}
|
||||
# check for success as admin
|
||||
self.controller._create(self.adm_req, body=body)
|
||||
# check for failure as non-admin
|
||||
exc = self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.controller._create, self.req,
|
||||
body=body)
|
||||
# The deprecated action is being enforced since the rule that is
|
||||
# configured is different than the default rule
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % default_flavor_policy,
|
||||
exc.format_message())
|
||||
mock_warning.assert_called_with("Start using the new action "
|
||||
"'%(new_policy)s'. The existing action '%(old_policy)s' is being "
|
||||
"deprecated and will be removed in future release.",
|
||||
{'new_policy': create_flavor_policy,
|
||||
'old_policy': default_flavor_policy})
|
||||
|
||||
@mock.patch.object(policy.LOG, 'warning')
|
||||
def test_delete_policy_rbac_inherit_default(self, mock_warning):
|
||||
"""Test to verify inherited rule is working. The rule of the
|
||||
deprecated action is not set to the default, so the deprecated
|
||||
action is being enforced
|
||||
"""
|
||||
|
||||
default_flavor_policy = "os_compute_api:os-flavor-manage"
|
||||
create_flavor_policy = "os_compute_api:os-flavor-manage:create"
|
||||
delete_flavor_policy = "os_compute_api:os-flavor-manage:delete"
|
||||
rules = {default_flavor_policy: 'is_admin:True',
|
||||
create_flavor_policy: 'rule:%s' % default_flavor_policy,
|
||||
delete_flavor_policy: 'rule:%s' % default_flavor_policy}
|
||||
self.policy.set_rules(rules)
|
||||
body = {
|
||||
"flavor": {
|
||||
"name": "azAZ09. -_",
|
||||
"ram": 512,
|
||||
"vcpus": 2,
|
||||
"disk": 1,
|
||||
"OS-FLV-EXT-DATA:ephemeral": 1,
|
||||
"id": six.text_type('1234'),
|
||||
"swap": 512,
|
||||
"rxtx_factor": 1,
|
||||
"os-flavor-access:is_public": True,
|
||||
}
|
||||
}
|
||||
self.flavor = self.controller._create(self.adm_req, body=body)
|
||||
mock_warning.assert_called_once_with("Start using the new "
|
||||
"action '%(new_policy)s'. The existing action '%(old_policy)s' "
|
||||
"is being deprecated and will be removed in future release.",
|
||||
{'new_policy': create_flavor_policy,
|
||||
'old_policy': default_flavor_policy})
|
||||
# check for success as admin
|
||||
flavor = self.flavor
|
||||
self.controller._delete(self.adm_req, flavor['flavor']['id'])
|
||||
# check for failure as non-admin
|
||||
flavor = self.flavor
|
||||
exc = self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.controller._delete, self.req,
|
||||
flavor['flavor']['id'])
|
||||
# The deprecated action is being enforced since the rule that is
|
||||
# configured is different than the default rule
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % default_flavor_policy,
|
||||
exc.format_message())
|
||||
mock_warning.assert_called_with("Start using the new "
|
||||
"action '%(new_policy)s'. The existing action '%(old_policy)s' "
|
||||
"is being deprecated and will be removed in future release.",
|
||||
{'new_policy': delete_flavor_policy,
|
||||
'old_policy': default_flavor_policy})
|
||||
|
||||
def test_create_policy_rbac_no_change_to_default_action_rule(self):
|
||||
"""Test to verify the correct action is being enforced. When the
|
||||
rule configured for the deprecated action is the same as the
|
||||
default, the new action should be enforced.
|
||||
"""
|
||||
|
||||
default_flavor_policy = "os_compute_api:os-flavor-manage"
|
||||
create_flavor_policy = "os_compute_api:os-flavor-manage:create"
|
||||
# The default rule of the deprecated action is admin_api
|
||||
rules = {default_flavor_policy: 'rule:admin_api',
|
||||
create_flavor_policy: 'rule:%s' % default_flavor_policy}
|
||||
self.policy.set_rules(rules)
|
||||
body = {
|
||||
"flavor": {
|
||||
"name": "azAZ09. -_",
|
||||
"ram": 512,
|
||||
"vcpus": 2,
|
||||
"disk": 1,
|
||||
"OS-FLV-EXT-DATA:ephemeral": 1,
|
||||
"id": six.text_type('1234'),
|
||||
"swap": 512,
|
||||
"rxtx_factor": 1,
|
||||
"os-flavor-access:is_public": True,
|
||||
}
|
||||
}
|
||||
exc = self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.controller._create, self.req,
|
||||
body=body)
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % create_flavor_policy,
|
||||
exc.format_message())
|
||||
|
||||
def test_delete_policy_rbac_change_to_default_action_rule(self):
|
||||
"""Test to verify the correct action is being enforced. When the
|
||||
rule configured for the deprecated action is the same as the
|
||||
default, the new action should be enforced.
|
||||
"""
|
||||
|
||||
default_flavor_policy = "os_compute_api:os-flavor-manage"
|
||||
create_flavor_policy = "os_compute_api:os-flavor-manage:create"
|
||||
delete_flavor_policy = "os_compute_api:os-flavor-manage:delete"
|
||||
# The default rule of the deprecated action is admin_api
|
||||
# Set the rule of the create flavor action to is_admin:True so that
|
||||
# admin context can be used to create a flavor
|
||||
rules = {default_flavor_policy: 'rule:admin_api',
|
||||
create_flavor_policy: 'is_admin:True',
|
||||
delete_flavor_policy: 'rule:%s' % default_flavor_policy}
|
||||
self.policy.set_rules(rules)
|
||||
body = {
|
||||
"flavor": {
|
||||
"name": "azAZ09. -_",
|
||||
"ram": 512,
|
||||
"vcpus": 2,
|
||||
"disk": 1,
|
||||
"OS-FLV-EXT-DATA:ephemeral": 1,
|
||||
"id": six.text_type('1234'),
|
||||
"swap": 512,
|
||||
"rxtx_factor": 1,
|
||||
"os-flavor-access:is_public": True,
|
||||
}
|
||||
}
|
||||
flavor = self.controller._create(self.adm_req, body=body)
|
||||
exc = self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.controller._delete, self.req,
|
||||
flavor['flavor']['id'])
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % delete_flavor_policy,
|
||||
exc.format_message())
|
||||
|
||||
def test_flavor_update_non_admin_fails(self):
|
||||
"""Tests that trying to update a flavor as a non-admin fails due
|
||||
to the default policy.
|
||||
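Review bot: After the four `*_rbac_*` tests are deleted, no test visible in this section shows that a rule configured under the removed name `os_compute_api:os-flavor-manage` is now ignored; `test_create_policy_failed` and `test_delete_policy_failed` only exercise the new names. Since operators may still carry the old entry in their policy file, a small regression test would document the new contract: set only the old name to a denying rule such as `project:non_fake` via `self.policy.set_rules` and check that `self.controller._create(self.adm_req, body=body)` still succeeds. This assumes `set_rules` leaves the registered defaults in force for rules it does not name, which the page does not show; the class body also continues outside the hunks.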
|
|
|
@ -44,7 +44,6 @@ policy_data = """
|
|||
"os_compute_api:os-flavor-access:add_tenant_access": "",
|
||||
"os_compute_api:os-flavor-extra-specs:index": "",
|
||||
"os_compute_api:os-flavor-extra-specs:show": "",
|
||||
"os_compute_api:os-flavor-manage": "",
|
||||
"os_compute_api:os-flavor-manage:create": "",
|
||||
"os_compute_api:os-flavor-manage:delete": "",
|
||||
"os_compute_api:os-floating-ip-pools": "",
|
||||
|
|
|
@ -309,7 +309,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"os_compute_api:os-flavor-extra-specs:create",
|
||||
"os_compute_api:os-flavor-extra-specs:update",
|
||||
"os_compute_api:os-flavor-extra-specs:delete",
|
||||
"os_compute_api:os-flavor-manage",
|
||||
"os_compute_api:os-flavor-manage:create",
|
||||
"os_compute_api:os-flavor-manage:update",
|
||||
"os_compute_api:os-flavor-manage:delete",
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
The ``os_compute_api:os-flavor-manage`` policy has been removed
|
||||
because it has been deprecated since 16.0.0.
|
||||
Use the following policies instead:
|
||||
|
||||
* ``os_compute_api:os-flavor-manage:create``
|
||||
* ``os_compute_api:os-flavor-manage:delete``
|