Introduce scope_types in rescue server policy

oslo.policy introduced the scope_type feature which can
control the access level at system-level and project-level.
 - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
 - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html

Appropriate scope_type for nova case:
- https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope

This commit introduces scope_type for rescue server API policies
as:
- ['system', 'project'] for rescue/unrescue policy even
for unlock server locked by other policy so that operators
have the option to add a few project-scoped roles like admin to
these operations.

Also adds the test case with scope_type enabled and verifies that we
pass and fail the policy check with the expected context.

Partial implement blueprint policy-defaults-refresh

Change-Id: Idf60a3d9aff3607739d2d3d2ff5d20877a477782
Ghanshyam Mann 2020-04-01 01:07:03 -05:00
parent e3ccd91c3c
commit aefea9218e
1 changed files with 6 additions and 5 deletions

@ -23,10 +23,10 @@ BASE_POLICY_NAME = 'os_compute_api:os-rescue'
rescue_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Rescue/unrescue a server",
[
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER,
description="Rescue/unrescue a server",
operations=[
{
'path': '/servers/{server_id}/action (rescue)',
'method': 'POST'
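Review bot: check_str stays at base.RULE_ADMIN_OR_OWNER in the rewritten DocumentedRuleDefault call, while the next hunk opens this policy to system scope. A system-scoped token carries no project, so the owner half of that rule has nothing to match against. Please state in the description or in a comment next to check_str which half of the rule is expected to pass for a system-scoped caller, or note that the check string is refreshed in a follow-up change. The move to keyword arguments (name=, check_str=, description=, operations=) looks fine and makes the new scope_types argument unambiguous.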
@ -35,7 +35,8 @@ rescue_policies = [
'path': '/servers/{server_id}/action (unrescue)',
'method': 'POST'
}
]
],
scope_types=['system', 'project']
),
]
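Review bot: the commit message says a test case with scope_type enabled is added, but the change is listed as one file and the only lines shown are the policy definition ending in scope_types=['system', 'project']. Please include the tests in this change or drop that sentence from the message. Scope types are only enforced when oslo.policy's enforce_scope option is on, so the tests should turn it on and cover a pass case and a fail case for both system-scoped and project-scoped contexts. The commit message bullet also mentions "unlock server locked by other policy", which does not correspond to either operation path in this file (rescue, unrescue) and should be reworded for this policy. Minor style point: add a trailing comma after the scope_types argument so later additions produce a one-line diff.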