Introduce scope_types in rescue server policy
oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level.

- https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
- http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html

Appropriate scope_type for nova case:

- https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope

This commit introduces scope_type for rescue server API policies as:

- ['system', 'project'] for rescue/unrescue policy even for unlock server locked by other policy so that operators have the option to add a few project-scoped roles like admin to these operations.

Also adds the test case with scope_type enabled and verifies we pass and fail the policy check with expected context.

Partial implement blueprint policy-defaults-refresh

Change-Id: Idf60a3d9aff3607739d2d3d2ff5d20877a477782
parent e3ccd91c3c
commit aefea9218e
|
@ -23,10 +23,10 @@ BASE_POLICY_NAME = 'os_compute_api:os-rescue'
|
|||
|
||||
rescue_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
BASE_POLICY_NAME,
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
"Rescue/unrescue a server",
|
||||
[
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="Rescue/unrescue a server",
|
||||
operations=[
|
||||
{
|
||||
'path': '/servers/{server_id}/action (rescue)',
|
||||
'method': 'POST'
|
||||
|
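Review bot: check_str=base.RULE_ADMIN_OR_OWNER is carried over unchanged into the keyword-argument form of this rule, and its definition is not visible in this diff. Because the same rule also gains 'system' in scope_types further down, confirm that the check string still evaluates as intended for a system-scoped token, which carries no project, and consider extending the description beyond "Rescue/unrescue a server" to state which scopes are accepted. The move from positional to keyword arguments itself reads well.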
@ -35,7 +35,8 @@ rescue_policies = [
|
|||
'path': '/servers/{server_id}/action (unrescue)',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
],
|
||||
scope_types=['system', 'project']
|
||||
),
|
||||
]
|
||||
|
||||
|
|
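Review bot: scope_types=['system', 'project'] at the end of the rule has no comment explaining why both scopes are allowed, and the rationale in the commit message refers to "unlock server locked by other", which does not match the rescue and unrescue operations this rule lists. Suggest a short comment above the scope_types line and a corrected message. The message also says tests with scope_type enabled were added; none are visible in this diff, so check that they cover a system-scoped and a project-scoped context passing and a context whose scope is not in the list being rejected.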