Add new default roles in server tags policies

This adds new defaults roles in server metadata API policies - to system admin or project member for update and delete. - to system and project reader for get Also add tests to simulates the future where we drop the deprecation fall back in the policy by overriding the rules with a version where there are no deprecated rule options. Operators can do the same by adding overrides in their policy files that match the default but stop the rule deprecation fallback from happening. Partial implement blueprint policy-defaults-refresh Change-Id: Id81e617f089f7f7d654e6df6a106ea9d5100b9f6
2020-04-07 00:27:17 -05:00 · 2020-04-07 00:27:17 -05:00 · e8c47191b6
parent b216cffd15
commit e8c47191b6
3 changed files with 64 additions and 12 deletions
--- a/nova/policies/server_tags.py
+++ b/nova/policies/server_tags.py
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-server-tags:%s'
 server_tags_policies = [
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'delete_all',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
        description="Delete all the server tags",
        operations=[
            {
@ -35,7 +35,7 @@ server_tags_policies = [
        scope_types=['system', 'project']),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'index',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
        description="List all tags for given server",
        operations=[
            {
@ -46,7 +46,7 @@ server_tags_policies = [
        scope_types=['system', 'project']),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'update_all',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
        description="Replace all tags on specified server with the new set "
        "of tags.",
        operations=[
@ -59,7 +59,7 @@ server_tags_policies = [
        scope_types=['system', 'project']),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'delete',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
        description="Delete a single tag from the specified server",
        operations=[
            {
@ -71,7 +71,7 @@ server_tags_policies = [
    ),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'update',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
        description="Add a single tag to the server if server has no "
        "specified tag",
        operations=[
@ -84,7 +84,7 @@ server_tags_policies = [
    ),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'show',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
        description="Check tag existence on the server.",
        operations=[
            {
--- a/nova/tests/unit/policies/test_server_tags.py
+++ b/nova/tests/unit/policies/test_server_tags.py
@ -64,12 +64,25 @@ class ServerTagsPolicyTest(base.BasePolicyTest):
            self.system_foo_context, self.other_project_member_context,
            self.other_project_reader_context
        ]
+        # Check that reader or and server owner is able to perform operations
+        # on server tags.
+        self.reader_or_owner_authorized_contexts = [
+            self.legacy_admin_context, self.system_admin_context,
+            self.system_member_context, self.system_reader_context,
+            self.project_admin_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context]
+        # Check that non-reader/owner is not able to perform operations
+        # on server tags.
+        self.reader_or_owner_unauthorized_contexts = [
+            self.system_foo_context, self.other_project_member_context,
+            self.other_project_reader_context
+        ]

    @mock.patch('nova.objects.TagList.get_by_resource_id')
    def test_index_server_tags_policy(self, mock_tag):
        rule_name = policies.POLICY_ROOT % 'index'
-        self.common_policy_check(self.admin_or_owner_authorized_contexts,
-                                 self.admin_or_owner_unauthorized_contexts,
+        self.common_policy_check(self.reader_or_owner_authorized_contexts,
+                                 self.reader_or_owner_unauthorized_contexts,
                                 rule_name,
                                 self.controller.index,
                                 self.req, self.instance.uuid)
@ -77,8 +90,8 @@ class ServerTagsPolicyTest(base.BasePolicyTest):
    @mock.patch('nova.objects.Tag.exists')
    def test_show_server_tags_policy(self, mock_exists):
        rule_name = policies.POLICY_ROOT % 'show'
-        self.common_policy_check(self.admin_or_owner_authorized_contexts,
-                                 self.admin_or_owner_unauthorized_contexts,
+        self.common_policy_check(self.reader_or_owner_authorized_contexts,
+                                 self.reader_or_owner_unauthorized_contexts,
                                 rule_name,
                                 self.controller.show,
                                 self.req, self.instance.uuid, uuids.fake_id)
@ -143,3 +156,42 @@ class ServerTagsScopeTypePolicyTest(ServerTagsPolicyTest):
    def setUp(self):
        super(ServerTagsScopeTypePolicyTest, self).setUp()
        self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class ServerTagsNoLegacyPolicyTest(ServerTagsScopeTypePolicyTest):
+    """Test Server Tags APIs policies with system scope enabled,
+    and no more deprecated rules that allow the legacy admin API to
+    access system APIs.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(ServerTagsNoLegacyPolicyTest, self).setUp()
+        # Check that system admin or project member is able to
+        # perform operations on server tags.
+        self.admin_or_owner_authorized_contexts = [
+            self.system_admin_context, self.project_admin_context,
+            self.project_member_context]
+        # Check that non-system/admin/member is not able to
+        # perform operations on server tags.
+        self.admin_or_owner_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_reader_context,
+            self.system_foo_context, self.system_member_context,
+            self.project_reader_context, self.project_foo_context,
+            self.other_project_member_context,
+            self.other_project_reader_context
+        ]
+        # Check that system reader or owner is able to
+        # perform operations on server tags.
+        self.reader_or_owner_authorized_contexts = [
+            self.system_admin_context,
+            self.system_member_context, self.system_reader_context,
+            self.project_admin_context, self.project_member_context,
+            self.project_reader_context]
+        # Check that non-system/reader/owner is not able to
+        # perform operations on server tags.
+        self.reader_or_owner_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_foo_context,
+            self.project_foo_context, self.other_project_member_context,
+            self.other_project_reader_context
+        ]
--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@ -435,8 +435,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-server-password",
 "os_compute_api:os-server-tags:delete",
 "os_compute_api:os-server-tags:delete_all",
-"os_compute_api:os-server-tags:index",
-"os_compute_api:os-server-tags:show",
 "os_compute_api:os-server-tags:update",
 "os_compute_api:os-server-tags:update_all",
 "os_compute_api:os-server-groups:index",
@ -480,6 +478,8 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-attach-interfaces:show",
 "os_compute_api:os-instance-actions:list",
 "os_compute_api:os-instance-actions:show",
+"os_compute_api:os-server-tags:index",
+"os_compute_api:os-server-tags:show",
 )

        self.allow_nobody_rules = (