diff --git a/doc/source/admin/flavors.rst b/doc/source/admin/flavors.rst index cb3d92f5fe91..17570483de7f 100644 --- a/doc/source/admin/flavors.rst +++ b/doc/source/admin/flavors.rst @@ -19,8 +19,10 @@ manage flavors. To see information for this command, run: .. note:: Configuration rights can be delegated to additional users by redefining - the access controls for ``os_compute_api:os-flavor-manage`` in - ``/etc/nova/policy.json`` on the ``nova-api`` server. + the access controls for ``os_compute_api:os-flavor-manage:create``, + ``os_compute_api:os-flavor-manage:update`` and + ``os_compute_api:os-flavor-manage:delete`` in ``/etc/nova/policy.json`` + on the ``nova-api`` server. .. note:: diff --git a/nova/api/openstack/compute/flavor_manage.py b/nova/api/openstack/compute/flavor_manage.py index bd199c6b6898..5706bf76ee07 100644 --- a/nova/api/openstack/compute/flavor_manage.py +++ b/nova/api/openstack/compute/flavor_manage.py @@ -20,10 +20,8 @@ from nova.api import validation from nova.compute import flavors from nova import exception from nova import objects -from nova.policies import base from nova.policies import flavor_extra_specs as fes_policies from nova.policies import flavor_manage as fm_policies -from nova import policy ALIAS = "os-flavor-manage" @@ -44,15 +42,7 @@ class FlavorManageController(wsgi.Controller): @wsgi.action("delete") def _delete(self, req, id): context = req.environ['nova.context'] - # TODO(rb560u): remove this check in future release - using_old_action = \ - policy.verify_deprecated_policy(fm_policies.BASE_POLICY_NAME, - fm_policies.POLICY_ROOT % 'delete', - base.RULE_ADMIN_API, - context) - - if not using_old_action: - context.can(fm_policies.POLICY_ROOT % 'delete') + context.can(fm_policies.POLICY_ROOT % 'delete') flavor = objects.Flavor(context=context, flavorid=id) try: 
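Review bot: `_delete` (and `_create` in the next hunk) now has a single authorization gate, and nothing records that `context.can(fm_policies.POLICY_ROOT % 'delete')` must stay ahead of the `objects.Flavor(context=context, flavorid=id)` construction and the `try:` block that follows. I would add a one-line comment above the call, for example `# Authorize before touching the flavor so an unauthorized caller gets PolicyNotAuthorized whether or not the id exists.` The body of the `try:` lies outside the hunk, so the not-found path is inferred rather than visible here.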
@@ -70,15 +60,7 @@ class FlavorManageController(wsgi.Controller): flavors_view.FLAVOR_DESCRIPTION_MICROVERSION) def _create(self, req, body): context = req.environ['nova.context'] - # TODO(rb560u): remove this check in future release - using_old_action = \ - policy.verify_deprecated_policy(fm_policies.BASE_POLICY_NAME, - fm_policies.POLICY_ROOT % 'create', - base.RULE_ADMIN_API, - context) - - if not using_old_action: - context.can(fm_policies.POLICY_ROOT % 'create') + context.can(fm_policies.POLICY_ROOT % 'create') vals = body['flavor'] diff --git a/nova/policies/flavor_manage.py b/nova/policies/flavor_manage.py index f91f26e71573..0b69598f5098 100644 --- a/nova/policies/flavor_manage.py +++ b/nova/policies/flavor_manage.py @@ -19,32 +19,13 @@ from oslo_policy import policy from nova.policies import base -BASE_POLICY_NAME = 'os_compute_api:os-flavor-manage' POLICY_ROOT = 'os_compute_api:os-flavor-manage:%s' -BASE_POLICY_RULE = 'rule:%s' % BASE_POLICY_NAME flavor_manage_policies = [ - # TODO(rb560u): remove this rule in future release - policy.DocumentedRuleDefault( - BASE_POLICY_NAME, - base.RULE_ADMIN_API, - "Create and delete Flavors. Deprecated in Pike and will be " - "removed in future release", - [ - { - 'method': 'POST', - 'path': '/flavors' - }, - { - 'method': 'DELETE', - 'path': '/flavors/{flavor_id}' - }, - - ]), policy.DocumentedRuleDefault( POLICY_ROOT % 'create', - BASE_POLICY_RULE, + base.RULE_ADMIN_API, "Create a flavor", [ { @@ -64,7 +45,7 @@ flavor_manage_policies = [ ]), policy.DocumentedRuleDefault( POLICY_ROOT % 'delete', - BASE_POLICY_RULE, + base.RULE_ADMIN_API, "Delete a flavor", [ { diff --git a/nova/tests/unit/api/openstack/compute/test_flavor_manage.py b/nova/tests/unit/api/openstack/compute/test_flavor_manage.py index 36bf1f3a88d1..17119675fce3 100644 --- a/nova/tests/unit/api/openstack/compute/test_flavor_manage.py +++ b/nova/tests/unit/api/openstack/compute/test_flavor_manage.py 
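Review bot: Switching the default check string of `create` and `delete` from `BASE_POLICY_RULE` to `base.RULE_ADMIN_API` (here and in the `@@ -64,7 +45,7 @@` hunk) means an operator override still stored under `os_compute_api:os-flavor-manage` stops having any effect after upgrade. A deployment that had tightened the old rule beyond `admin_api` would fall back to the broader default, and nothing in this diff warns when a policy file still carries the old key. The release note in this commit only names the replacement policies; I would add a sentence such as `Rules still defined for os_compute_api:os-flavor-manage in the policy file are ignored after upgrade; override the create and delete policies explicitly to keep a custom restriction.` The rest of `flavor_manage_policies` lies outside the hunk.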
@@ -25,7 +25,6 @@ from nova.compute import flavors from nova.db import api as db from nova import exception from nova import objects -from nova import policy from nova import test from nova.tests.unit.api.openstack import fakes @@ -494,7 +493,7 @@ class FlavorManagerPolicyEnforcementV21(test.TestCase): self.req = fakes.HTTPRequest.blank('') def test_create_policy_failed(self): - rule_name = "os_compute_api:os-flavor-manage" + rule_name = "os_compute_api:os-flavor-manage:create" self.policy.set_rules({rule_name: "project:non_fake"}) exc = self.assertRaises( exception.PolicyNotAuthorized, @@ -514,7 +513,7 @@ class FlavorManagerPolicyEnforcementV21(test.TestCase): exc.format_message()) def test_delete_policy_failed(self): - rule_name = "os_compute_api:os-flavor-manage" + rule_name = "os_compute_api:os-flavor-manage:delete" self.policy.set_rules({rule_name: "project:non_fake"}) exc = self.assertRaises( exception.PolicyNotAuthorized, 
@@ -526,170 +525,6 @@ class FlavorManagerPolicyEnforcementV21(test.TestCase): "Policy doesn't allow %s to be performed." % rule_name, exc.format_message()) - @mock.patch.object(policy.LOG, 'warning') - def test_create_policy_rbac_inherit_default(self, mock_warning): - """Test to verify inherited rule is working. The rule of the - deprecated action is not set to the default, so the deprecated - action is being enforced - """ - - default_flavor_policy = "os_compute_api:os-flavor-manage" - create_flavor_policy = "os_compute_api:os-flavor-manage:create" - rules = {default_flavor_policy: 'is_admin:True', - create_flavor_policy: 'rule:%s' % default_flavor_policy, - "os_compute_api:os-flavor-access": "project:non_fake"} - self.policy.set_rules(rules) - body = { - "flavor": { - "name": "azAZ09. -_", - "ram": 512, - "vcpus": 2, - "disk": 1, - "OS-FLV-EXT-DATA:ephemeral": 1, - "id": six.text_type('1234'), - "swap": 512, - "rxtx_factor": 1, - "os-flavor-access:is_public": True, - } - } - # check for success as admin - self.controller._create(self.adm_req, body=body) - # check for failure as non-admin - exc = self.assertRaises(exception.PolicyNotAuthorized, - self.controller._create, self.req, - body=body) - # The deprecated action is being enforced since the rule that is - # configured is different than the default rule - self.assertEqual( - "Policy doesn't allow %s to be performed." % default_flavor_policy, - exc.format_message()) - mock_warning.assert_called_with("Start using the new action " - "'%(new_policy)s'. The existing action '%(old_policy)s' is being " - "deprecated and will be removed in future release.", - {'new_policy': create_flavor_policy, - 'old_policy': default_flavor_policy}) - - @mock.patch.object(policy.LOG, 'warning') - def test_delete_policy_rbac_inherit_default(self, mock_warning): - """Test to verify inherited rule is working. 
The rule of the - deprecated action is not set to the default, so the deprecated - action is being enforced - """ - - default_flavor_policy = "os_compute_api:os-flavor-manage" - create_flavor_policy = "os_compute_api:os-flavor-manage:create" - delete_flavor_policy = "os_compute_api:os-flavor-manage:delete" - rules = {default_flavor_policy: 'is_admin:True', - create_flavor_policy: 'rule:%s' % default_flavor_policy, - delete_flavor_policy: 'rule:%s' % default_flavor_policy} - self.policy.set_rules(rules) - body = { - "flavor": { - "name": "azAZ09. -_", - "ram": 512, - "vcpus": 2, - "disk": 1, - "OS-FLV-EXT-DATA:ephemeral": 1, - "id": six.text_type('1234'), - "swap": 512, - "rxtx_factor": 1, - "os-flavor-access:is_public": True, - } - } - self.flavor = self.controller._create(self.adm_req, body=body) - mock_warning.assert_called_once_with("Start using the new " - "action '%(new_policy)s'. The existing action '%(old_policy)s' " - "is being deprecated and will be removed in future release.", - {'new_policy': create_flavor_policy, - 'old_policy': default_flavor_policy}) - # check for success as admin - flavor = self.flavor - self.controller._delete(self.adm_req, flavor['flavor']['id']) - # check for failure as non-admin - flavor = self.flavor - exc = self.assertRaises(exception.PolicyNotAuthorized, - self.controller._delete, self.req, - flavor['flavor']['id']) - # The deprecated action is being enforced since the rule that is - # configured is different than the default rule - self.assertEqual( - "Policy doesn't allow %s to be performed." % default_flavor_policy, - exc.format_message()) - mock_warning.assert_called_with("Start using the new " - "action '%(new_policy)s'. 
The existing action '%(old_policy)s' " - "is being deprecated and will be removed in future release.", - {'new_policy': delete_flavor_policy, - 'old_policy': default_flavor_policy}) - - def test_create_policy_rbac_no_change_to_default_action_rule(self): - """Test to verify the correct action is being enforced. When the - rule configured for the deprecated action is the same as the - default, the new action should be enforced. - """ - - default_flavor_policy = "os_compute_api:os-flavor-manage" - create_flavor_policy = "os_compute_api:os-flavor-manage:create" - # The default rule of the deprecated action is admin_api - rules = {default_flavor_policy: 'rule:admin_api', - create_flavor_policy: 'rule:%s' % default_flavor_policy} - self.policy.set_rules(rules) - body = { - "flavor": { - "name": "azAZ09. -_", - "ram": 512, - "vcpus": 2, - "disk": 1, - "OS-FLV-EXT-DATA:ephemeral": 1, - "id": six.text_type('1234'), - "swap": 512, - "rxtx_factor": 1, - "os-flavor-access:is_public": True, - } - } - exc = self.assertRaises(exception.PolicyNotAuthorized, - self.controller._create, self.req, - body=body) - self.assertEqual( - "Policy doesn't allow %s to be performed." % create_flavor_policy, - exc.format_message()) - - def test_delete_policy_rbac_change_to_default_action_rule(self): - """Test to verify the correct action is being enforced. When the - rule configured for the deprecated action is the same as the - default, the new action should be enforced. 
- """ - - default_flavor_policy = "os_compute_api:os-flavor-manage" - create_flavor_policy = "os_compute_api:os-flavor-manage:create" - delete_flavor_policy = "os_compute_api:os-flavor-manage:delete" - # The default rule of the deprecated action is admin_api - # Set the rule of the create flavor action to is_admin:True so that - # admin context can be used to create a flavor - rules = {default_flavor_policy: 'rule:admin_api', - create_flavor_policy: 'is_admin:True', - delete_flavor_policy: 'rule:%s' % default_flavor_policy} - self.policy.set_rules(rules) - body = { - "flavor": { - "name": "azAZ09. -_", - "ram": 512, - "vcpus": 2, - "disk": 1, - "OS-FLV-EXT-DATA:ephemeral": 1, - "id": six.text_type('1234'), - "swap": 512, - "rxtx_factor": 1, - "os-flavor-access:is_public": True, - } - } - flavor = self.controller._create(self.adm_req, body=body) - exc = self.assertRaises(exception.PolicyNotAuthorized, - self.controller._delete, self.req, - flavor['flavor']['id']) - self.assertEqual( - "Policy doesn't allow %s to be performed." % delete_flavor_policy, - exc.format_message()) - def test_flavor_update_non_admin_fails(self): """Tests that trying to update a flavor as a non-admin fails due to the default policy. diff --git a/nova/tests/unit/fake_policy.py b/nova/tests/unit/fake_policy.py index ab4dbb94a3b1..37856a59d5c2 100644 --- a/nova/tests/unit/fake_policy.py +++ b/nova/tests/unit/fake_policy.py @@ -44,7 +44,6 @@ policy_data = """ "os_compute_api:os-flavor-access:add_tenant_access": "", "os_compute_api:os-flavor-extra-specs:index": "", "os_compute_api:os-flavor-extra-specs:show": "", - "os_compute_api:os-flavor-manage": "", "os_compute_api:os-flavor-manage:create": "", "os_compute_api:os-flavor-manage:delete": "", "os_compute_api:os-floating-ip-pools": "", diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py index 542281de1c9f..5d00831c477f 100644 --- a/nova/tests/unit/test_policy.py +++ b/nova/tests/unit/test_policy.py 
@@ -309,7 +309,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-flavor-extra-specs:create",
 "os_compute_api:os-flavor-extra-specs:update",
 "os_compute_api:os-flavor-extra-specs:delete",
-"os_compute_api:os-flavor-manage",
 "os_compute_api:os-flavor-manage:create",
 "os_compute_api:os-flavor-manage:update",
 "os_compute_api:os-flavor-manage:delete",
diff --git a/releasenotes/notes/remove-deprecated-os-flavor-manage-policy-138296853d957c5f.yaml b/releasenotes/notes/remove-deprecated-os-flavor-manage-policy-138296853d957c5f.yaml
new file mode 100644
index 000000000000..af0b48c7229c
--- /dev/null
+++ b/releasenotes/notes/remove-deprecated-os-flavor-manage-policy-138296853d957c5f.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+ - |
+ The ``os_compute_api:os-flavor-manage`` policy has been removed
+ because it has been deprecated since 16.0.0.
+ Use the following policies instead:
+
+ * ``os_compute_api:os-flavor-manage:create``
+ * ``os_compute_api:os-flavor-manage:delete``