Remove deprecated 'os-flavor-manage' policy

Remove the 'os_compute_api:os-flavor-manage' policy.
The 'os_compute_api:os-flavor-manage' policy has been deprecated
since 16.0.0 Pike.
The policy has been replaced with the following policies.

- os_compute_api:os-flavor-manage:create
- os_compute_api:os-flavor-manage:delete

Change-Id: I856498dfcebfa330598a22dd7c660bd6f158351b
Takashi NATSUME 2019-01-29 14:06:23 +09:00 committed by Matt Riedemann
parent bcc4d233ef
commit dedeff70a7
7 changed files with 19 additions and 212 deletions


@ -19,8 +19,10 @@ manage flavors. To see information for this command, run:
.. note::
Configuration rights can be delegated to additional users by redefining
the access controls for ``os_compute_api:os-flavor-manage`` in
``/etc/nova/policy.json`` on the ``nova-api`` server.
the access controls for ``os_compute_api:os-flavor-manage:create``,
``os_compute_api:os-flavor-manage:update`` and
``os_compute_api:os-flavor-manage:delete`` in ``/etc/nova/policy.json``
on the ``nova-api`` server.
.. note::


@ -20,10 +20,8 @@ from nova.api import validation
from nova.compute import flavors
from nova import exception
from nova import objects
from nova.policies import base
from nova.policies import flavor_extra_specs as fes_policies
from nova.policies import flavor_manage as fm_policies
from nova import policy
ALIAS = "os-flavor-manage"
@ -44,15 +42,7 @@ class FlavorManageController(wsgi.Controller):
@wsgi.action("delete")
def _delete(self, req, id):
context = req.environ['nova.context']
# TODO(rb560u): remove this check in future release
using_old_action = \
policy.verify_deprecated_policy(fm_policies.BASE_POLICY_NAME,
fm_policies.POLICY_ROOT % 'delete',
base.RULE_ADMIN_API,
context)
if not using_old_action:
context.can(fm_policies.POLICY_ROOT % 'delete')
context.can(fm_policies.POLICY_ROOT % 'delete')
flavor = objects.Flavor(context=context, flavorid=id)
try:
@ -70,15 +60,7 @@ class FlavorManageController(wsgi.Controller):
flavors_view.FLAVOR_DESCRIPTION_MICROVERSION)
def _create(self, req, body):
context = req.environ['nova.context']
# TODO(rb560u): remove this check in future release
using_old_action = \
policy.verify_deprecated_policy(fm_policies.BASE_POLICY_NAME,
fm_policies.POLICY_ROOT % 'create',
base.RULE_ADMIN_API,
context)
if not using_old_action:
context.can(fm_policies.POLICY_ROOT % 'create')
context.can(fm_policies.POLICY_ROOT % 'create')
vals = body['flavor']


@ -19,32 +19,13 @@ from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-flavor-manage'
POLICY_ROOT = 'os_compute_api:os-flavor-manage:%s'
BASE_POLICY_RULE = 'rule:%s' % BASE_POLICY_NAME
flavor_manage_policies = [
# TODO(rb560u): remove this rule in future release
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"Create and delete Flavors. Deprecated in Pike and will be "
"removed in future release",
[
{
'method': 'POST',
'path': '/flavors'
},
{
'method': 'DELETE',
'path': '/flavors/{flavor_id}'
},
]),
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
BASE_POLICY_RULE,
base.RULE_ADMIN_API,
"Create a flavor",
[
{
@ -64,7 +45,7 @@ flavor_manage_policies = [
]),
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
BASE_POLICY_RULE,
base.RULE_ADMIN_API,
"Delete a flavor",
[
{
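Review bot: With the create and delete defaults switched from `BASE_POLICY_RULE` to `base.RULE_ADMIN_API`, a deployment whose policy file customizes only `os_compute_api:os-flavor-manage` now gets the admin-only default for both actions, and the leftover entry presumably no longer influences either check. Depending on what that override said, this can widen or narrow who may manage flavors, and nothing in this file tells a reader the umbrella name was dropped on purpose. I would add a comment above `flavor_manage_policies`, for example `# The umbrella 'os_compute_api:os-flavor-manage' rule was removed; overrides of that name are not consulted.`, and spell out the same consequence in the upgrade note. The list continues outside both hunks of this file.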


@ -25,7 +25,6 @@ from nova.compute import flavors
from nova.db import api as db
from nova import exception
from nova import objects
from nova import policy
from nova import test
from nova.tests.unit.api.openstack import fakes
@ -494,7 +493,7 @@ class FlavorManagerPolicyEnforcementV21(test.TestCase):
self.req = fakes.HTTPRequest.blank('')
def test_create_policy_failed(self):
rule_name = "os_compute_api:os-flavor-manage"
rule_name = "os_compute_api:os-flavor-manage:create"
self.policy.set_rules({rule_name: "project:non_fake"})
exc = self.assertRaises(
exception.PolicyNotAuthorized,
@ -514,7 +513,7 @@ class FlavorManagerPolicyEnforcementV21(test.TestCase):
exc.format_message())
def test_delete_policy_failed(self):
rule_name = "os_compute_api:os-flavor-manage"
rule_name = "os_compute_api:os-flavor-manage:delete"
self.policy.set_rules({rule_name: "project:non_fake"})
exc = self.assertRaises(
exception.PolicyNotAuthorized,
@ -526,170 +525,6 @@ class FlavorManagerPolicyEnforcementV21(test.TestCase):
"Policy doesn't allow %s to be performed." % rule_name,
exc.format_message())
@mock.patch.object(policy.LOG, 'warning')
def test_create_policy_rbac_inherit_default(self, mock_warning):
"""Test to verify inherited rule is working. The rule of the
deprecated action is not set to the default, so the deprecated
action is being enforced
"""
default_flavor_policy = "os_compute_api:os-flavor-manage"
create_flavor_policy = "os_compute_api:os-flavor-manage:create"
rules = {default_flavor_policy: 'is_admin:True',
create_flavor_policy: 'rule:%s' % default_flavor_policy,
"os_compute_api:os-flavor-access": "project:non_fake"}
self.policy.set_rules(rules)
body = {
"flavor": {
"name": "azAZ09. -_",
"ram": 512,
"vcpus": 2,
"disk": 1,
"OS-FLV-EXT-DATA:ephemeral": 1,
"id": six.text_type('1234'),
"swap": 512,
"rxtx_factor": 1,
"os-flavor-access:is_public": True,
}
}
# check for success as admin
self.controller._create(self.adm_req, body=body)
# check for failure as non-admin
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller._create, self.req,
body=body)
# The deprecated action is being enforced since the rule that is
# configured is different than the default rule
self.assertEqual(
"Policy doesn't allow %s to be performed." % default_flavor_policy,
exc.format_message())
mock_warning.assert_called_with("Start using the new action "
"'%(new_policy)s'. The existing action '%(old_policy)s' is being "
"deprecated and will be removed in future release.",
{'new_policy': create_flavor_policy,
'old_policy': default_flavor_policy})
@mock.patch.object(policy.LOG, 'warning')
def test_delete_policy_rbac_inherit_default(self, mock_warning):
"""Test to verify inherited rule is working. The rule of the
deprecated action is not set to the default, so the deprecated
action is being enforced
"""
default_flavor_policy = "os_compute_api:os-flavor-manage"
create_flavor_policy = "os_compute_api:os-flavor-manage:create"
delete_flavor_policy = "os_compute_api:os-flavor-manage:delete"
rules = {default_flavor_policy: 'is_admin:True',
create_flavor_policy: 'rule:%s' % default_flavor_policy,
delete_flavor_policy: 'rule:%s' % default_flavor_policy}
self.policy.set_rules(rules)
body = {
"flavor": {
"name": "azAZ09. -_",
"ram": 512,
"vcpus": 2,
"disk": 1,
"OS-FLV-EXT-DATA:ephemeral": 1,
"id": six.text_type('1234'),
"swap": 512,
"rxtx_factor": 1,
"os-flavor-access:is_public": True,
}
}
self.flavor = self.controller._create(self.adm_req, body=body)
mock_warning.assert_called_once_with("Start using the new "
"action '%(new_policy)s'. The existing action '%(old_policy)s' "
"is being deprecated and will be removed in future release.",
{'new_policy': create_flavor_policy,
'old_policy': default_flavor_policy})
# check for success as admin
flavor = self.flavor
self.controller._delete(self.adm_req, flavor['flavor']['id'])
# check for failure as non-admin
flavor = self.flavor
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller._delete, self.req,
flavor['flavor']['id'])
# The deprecated action is being enforced since the rule that is
# configured is different than the default rule
self.assertEqual(
"Policy doesn't allow %s to be performed." % default_flavor_policy,
exc.format_message())
mock_warning.assert_called_with("Start using the new "
"action '%(new_policy)s'. The existing action '%(old_policy)s' "
"is being deprecated and will be removed in future release.",
{'new_policy': delete_flavor_policy,
'old_policy': default_flavor_policy})
def test_create_policy_rbac_no_change_to_default_action_rule(self):
"""Test to verify the correct action is being enforced. When the
rule configured for the deprecated action is the same as the
default, the new action should be enforced.
"""
default_flavor_policy = "os_compute_api:os-flavor-manage"
create_flavor_policy = "os_compute_api:os-flavor-manage:create"
# The default rule of the deprecated action is admin_api
rules = {default_flavor_policy: 'rule:admin_api',
create_flavor_policy: 'rule:%s' % default_flavor_policy}
self.policy.set_rules(rules)
body = {
"flavor": {
"name": "azAZ09. -_",
"ram": 512,
"vcpus": 2,
"disk": 1,
"OS-FLV-EXT-DATA:ephemeral": 1,
"id": six.text_type('1234'),
"swap": 512,
"rxtx_factor": 1,
"os-flavor-access:is_public": True,
}
}
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller._create, self.req,
body=body)
self.assertEqual(
"Policy doesn't allow %s to be performed." % create_flavor_policy,
exc.format_message())
def test_delete_policy_rbac_change_to_default_action_rule(self):
"""Test to verify the correct action is being enforced. When the
rule configured for the deprecated action is the same as the
default, the new action should be enforced.
"""
default_flavor_policy = "os_compute_api:os-flavor-manage"
create_flavor_policy = "os_compute_api:os-flavor-manage:create"
delete_flavor_policy = "os_compute_api:os-flavor-manage:delete"
# The default rule of the deprecated action is admin_api
# Set the rule of the create flavor action to is_admin:True so that
# admin context can be used to create a flavor
rules = {default_flavor_policy: 'rule:admin_api',
create_flavor_policy: 'is_admin:True',
delete_flavor_policy: 'rule:%s' % default_flavor_policy}
self.policy.set_rules(rules)
body = {
"flavor": {
"name": "azAZ09. -_",
"ram": 512,
"vcpus": 2,
"disk": 1,
"OS-FLV-EXT-DATA:ephemeral": 1,
"id": six.text_type('1234'),
"swap": 512,
"rxtx_factor": 1,
"os-flavor-access:is_public": True,
}
}
flavor = self.controller._create(self.adm_req, body=body)
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller._delete, self.req,
flavor['flavor']['id'])
self.assertEqual(
"Policy doesn't allow %s to be performed." % delete_flavor_policy,
exc.format_message())
def test_flavor_update_non_admin_fails(self):
"""Tests that trying to update a flavor as a non-admin fails due
to the default policy.
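Review bot: After the four deprecation tests are deleted, nothing in this class pins the security-relevant outcome of the removal: a permissive leftover entry under `os_compute_api:os-flavor-manage` must not authorize a non-admin request. The two updated tests at `test_create_policy_failed` and `test_delete_policy_failed` only cover a restrictive rule under the new names. A negative test along the lines below for create, and a matching one for delete, would guard against the fallback being reintroduced. The class body starts and continues outside these hunks, so the fixture names are taken from the visible tests.

```python
    def test_create_ignores_removed_base_rule(self):
        # A permissive entry under the removed name must not grant access.
        create_flavor_policy = "os_compute_api:os-flavor-manage:create"
        self.policy.set_rules({
            "os_compute_api:os-flavor-manage": "",
            create_flavor_policy: "is_admin:True"})
        body = {"flavor": {"name": "azAZ09. -_", "ram": 512,
                           "vcpus": 2, "disk": 1}}
        exc = self.assertRaises(exception.PolicyNotAuthorized,
                                self.controller._create, self.req,
                                body=body)
        self.assertEqual(
            "Policy doesn't allow %s to be performed." % create_flavor_policy,
            exc.format_message())
```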


@ -44,7 +44,6 @@ policy_data = """
"os_compute_api:os-flavor-access:add_tenant_access": "",
"os_compute_api:os-flavor-extra-specs:index": "",
"os_compute_api:os-flavor-extra-specs:show": "",
"os_compute_api:os-flavor-manage": "",
"os_compute_api:os-flavor-manage:create": "",
"os_compute_api:os-flavor-manage:delete": "",
"os_compute_api:os-floating-ip-pools": "",


@ -309,7 +309,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-flavor-extra-specs:create",
"os_compute_api:os-flavor-extra-specs:update",
"os_compute_api:os-flavor-extra-specs:delete",
"os_compute_api:os-flavor-manage",
"os_compute_api:os-flavor-manage:create",
"os_compute_api:os-flavor-manage:update",
"os_compute_api:os-flavor-manage:delete",


@ -0,0 +1,9 @@
---
upgrade:
- |
The ``os_compute_api:os-flavor-manage`` policy has been removed
because it has been deprecated since 16.0.0.
Use the following policies instead:
* ``os_compute_api:os-flavor-manage:create``
* ``os_compute_api:os-flavor-manage:delete``