From c26fc5da048bb1751bb6401dbdb8839f89d82c1e Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Wed, 1 Apr 2020 19:55:43 -0500
Subject: [PATCH] Introduce scope_types in server diagnostics
oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level.
- https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
- http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
Appropriate scope_type for nova case:
- https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope
This commit introduce scope_type for server diagnostics API policies as 'system' and 'project' but we will keep default as SYSTEM_ADMIN only. Also adds the test case with scope_type enabled and verify we pass and fail the policy check with expected context.
Partial implement blueprint policy-defaults-refresh
Change-Id: Ie1749d4f85b8bdc4110f57c9a33e54e9551cb7e3
---
 nova/policies/server_diagnostics.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/nova/policies/server_diagnostics.py b/nova/policies/server_diagnostics.py
index 1cefd4e209f3..b18a66e74819 100644
--- a/nova/policies/server_diagnostics.py
+++ b/nova/policies/server_diagnostics.py
@@ -23,15 +23,16 @@ BASE_POLICY_NAME = 'os_compute_api:os-server-diagnostics'
 server_diagnostics_policies = [
 policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_API,
- "Show the usage data for a server",
- [
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API,
+ description="Show the usage data for a server",
+ operations=[
 {
 'method': 'GET',
 'path': '/servers/{server_id}/diagnostics'
 }
- ]),
+ ],
+ scope_types=['system', 'project']),
 ]
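Review bot: `scope_types=['system', 'project']` admits project-scoped tokens for the diagnostics rule while `check_str` stays `base.RULE_ADMIN_API`, which does not obviously match the description's statement that the default remains SYSTEM_ADMIN only. The definition of `base.RULE_ADMIN_API` is outside this hunk, but if it is the legacy admin check, then with oslo.policy scope enforcement enabled a project-scoped admin token would still satisfy both the scope check and the rule for `GET /servers/{server_id}/diagnostics`. If system-admin-only access is the intent, narrow this to `scope_types=['system']`; otherwise add a comment above the argument such as `# 'project' stays allowed until check_str moves to the system-admin default (policy-defaults-refresh)` so the wider scope reads as deliberate. The description also mentions new test cases with scope_type enabled, yet the diffstat lists only this one file, so the pass/fail coverage for system versus project contexts cannot be confirmed from this patch.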