Merge "Remove the deprecated API extensions policies"

This commit is contained in:
Zuul 2018-08-19 07:22:28 +00:00 committed by Gerrit Code Review
commit c587a85acd
25 changed files with 90 additions and 741 deletions

View File

@ -16,7 +16,6 @@
"""Config Drive extension."""
from nova.api.openstack import wsgi
from nova.policies import config_drive as cd_policies
ATTRIBUTE_NAME = "config_drive"
@ -37,14 +36,10 @@ class ConfigDriveController(wsgi.Controller):
@wsgi.extends
def show(self, req, resp_obj, id):
context = req.environ['nova.context']
if context.can(cd_policies.BASE_POLICY_NAME, fatal=False):
self._show(req, resp_obj)
self._show(req, resp_obj)
@wsgi.extends
def detail(self, req, resp_obj):
context = req.environ['nova.context']
if 'servers' in resp_obj.obj and context.can(
cd_policies.BASE_POLICY_NAME, fatal=False):
if 'servers' in resp_obj.obj:
servers = resp_obj.obj['servers']
self._add_config_drive(req, servers)

View File

@ -17,7 +17,6 @@
from nova.api.openstack import wsgi
from nova import availability_zones as avail_zone
from nova.policies import extended_availability_zone as eaz_policies
PREFIX = "OS-EXT-AZ"
@ -34,16 +33,14 @@ class ExtendedAZController(wsgi.Controller):
@wsgi.extends
def show(self, req, resp_obj, id):
context = req.environ['nova.context']
if context.can(eaz_policies.BASE_POLICY_NAME, fatal=False):
server = resp_obj.obj['server']
db_instance = req.get_db_instance(server['id'])
self._extend_server(context, server, db_instance)
server = resp_obj.obj['server']
db_instance = req.get_db_instance(server['id'])
self._extend_server(context, server, db_instance)
@wsgi.extends
def detail(self, req, resp_obj):
context = req.environ['nova.context']
if context.can(eaz_policies.BASE_POLICY_NAME, fatal=False):
servers = list(resp_obj.obj['servers'])
for server in servers:
db_instance = req.get_db_instance(server['id'])
self._extend_server(context, server, db_instance)
servers = list(resp_obj.obj['servers'])
for server in servers:
db_instance = req.get_db_instance(server['id'])
self._extend_server(context, server, db_instance)

View File

@ -15,7 +15,6 @@
"""The Extended Status Admin API extension."""
from nova.api.openstack import wsgi
from nova.policies import extended_status as es_policies
class ExtendedStatusController(wsgi.Controller):
@ -32,21 +31,17 @@ class ExtendedStatusController(wsgi.Controller):
@wsgi.extends
def show(self, req, resp_obj, id):
context = req.environ['nova.context']
if context.can(es_policies.BASE_POLICY_NAME, fatal=False):
server = resp_obj.obj['server']
db_instance = req.get_db_instance(server['id'])
# server['id'] is guaranteed to be in the cache due to
# the core API adding it in its 'show' method.
self._extend_server(server, db_instance)
server = resp_obj.obj['server']
db_instance = req.get_db_instance(server['id'])
# server['id'] is guaranteed to be in the cache due to
# the core API adding it in its 'show' method.
self._extend_server(server, db_instance)
@wsgi.extends
def detail(self, req, resp_obj):
context = req.environ['nova.context']
if context.can(es_policies.BASE_POLICY_NAME, fatal=False):
servers = list(resp_obj.obj['servers'])
for server in servers:
db_instance = req.get_db_instance(server['id'])
# server['id'] is guaranteed to be in the cache due to
# the core API adding it in its 'detail' method.
self._extend_server(server, db_instance)
servers = list(resp_obj.obj['servers'])
for server in servers:
db_instance = req.get_db_instance(server['id'])
# server['id'] is guaranteed to be in the cache due to
# the core API adding it in its 'detail' method.
self._extend_server(server, db_instance)

View File

@ -19,13 +19,12 @@ from nova.api.openstack import api_version_request
from nova.api.openstack import wsgi
from nova import context
from nova import objects
from nova.policies import extended_volumes as ev_policies
LOG = logging.getLogger(__name__)
class ExtendedVolumesController(wsgi.Controller):
def _extend_server(self, context, server, req, bdms):
def _extend_server(self, server, req, bdms):
volumes_attached = []
for bdm in bdms:
if bdm.get('volume_id'):
@ -43,12 +42,11 @@ class ExtendedVolumesController(wsgi.Controller):
@wsgi.extends
def show(self, req, resp_obj, id):
context = req.environ['nova.context']
if context.can(ev_policies.BASE_POLICY_NAME, fatal=False):
server = resp_obj.obj['server']
bdms = objects.BlockDeviceMappingList.bdms_by_instance_uuid(
context, [server['id']])
instance_bdms = self._get_instance_bdms(bdms, server)
self._extend_server(context, server, req, instance_bdms)
server = resp_obj.obj['server']
bdms = objects.BlockDeviceMappingList.bdms_by_instance_uuid(
context, [server['id']])
instance_bdms = self._get_instance_bdms(bdms, server)
self._extend_server(server, req, instance_bdms)
@staticmethod
def _get_instance_bdms_in_multiple_cells(ctxt, servers):
@ -82,12 +80,11 @@ class ExtendedVolumesController(wsgi.Controller):
@wsgi.extends
def detail(self, req, resp_obj):
context = req.environ['nova.context']
if context.can(ev_policies.BASE_POLICY_NAME, fatal=False):
servers = list(resp_obj.obj['servers'])
bdms = self._get_instance_bdms_in_multiple_cells(context, servers)
for server in servers:
instance_bdms = self._get_instance_bdms(bdms, server)
self._extend_server(context, server, req, instance_bdms)
servers = list(resp_obj.obj['servers'])
bdms = self._get_instance_bdms_in_multiple_cells(context, servers)
for server in servers:
instance_bdms = self._get_instance_bdms(bdms, server)
self._extend_server(server, req, instance_bdms)
def _get_instance_bdms(self, bdms, server):
# server['id'] is guaranteed to be in the cache due to

View File

@ -14,7 +14,6 @@
# under the License.
from nova.api.openstack import wsgi
from nova.policies import image_size as is_policies
class ImageSizeController(wsgi.Controller):
@ -28,21 +27,17 @@ class ImageSizeController(wsgi.Controller):
@wsgi.extends
def show(self, req, resp_obj, id):
context = req.environ["nova.context"]
if context.can(is_policies.BASE_POLICY_NAME, fatal=False):
image_resp = resp_obj.obj['image']
# image guaranteed to be in the cache due to the core API adding
# it in its 'show' method
image_cached = req.get_db_item('images', image_resp['id'])
self._extend_image(image_resp, image_cached)
image_resp = resp_obj.obj['image']
# image guaranteed to be in the cache due to the core API adding
# it in its 'show' method
image_cached = req.get_db_item('images', image_resp['id'])
self._extend_image(image_resp, image_cached)
@wsgi.extends
def detail(self, req, resp_obj):
context = req.environ['nova.context']
if context.can(is_policies.BASE_POLICY_NAME, fatal=False):
images_resp = list(resp_obj.obj['images'])
# images guaranteed to be in the cache due to the core API adding
# it in its 'detail' method
for image in images_resp:
image_cached = req.get_db_item('images', image['id'])
self._extend_image(image, image_cached)
images_resp = list(resp_obj.obj['images'])
# images guaranteed to be in the cache due to the core API adding
# it in its 'detail' method
for image in images_resp:
image_cached = req.get_db_item('images', image['id'])
self._extend_image(image, image_cached)

View File

@ -306,14 +306,10 @@ class Controller(wsgi.Controller):
@wsgi.extends
def show(self, req, resp_obj, id):
context = req.environ['nova.context']
if context.can(kp_policies.BASE_POLICY_NAME, fatal=False):
self._show(req, resp_obj)
self._show(req, resp_obj)
@wsgi.extends
def detail(self, req, resp_obj):
context = req.environ['nova.context']
if 'servers' in resp_obj.obj and context.can(
kp_policies.BASE_POLICY_NAME, fatal=False):
if 'servers' in resp_obj.obj:
servers = resp_obj.obj['servers']
self._add_key_name(req, servers)

View File

@ -490,9 +490,6 @@ class SecurityGroupsOutputController(wsgi.Controller):
return
key = "security_groups"
context = req.environ['nova.context']
if not context.can(sg_policies.BASE_POLICY_NAME, fatal=False):
return
if not openstack_driver.is_neutron_security_groups():
for server in servers:
instance = req.get_db_instance(server['id'])

View File

@ -13,7 +13,6 @@
# under the License.
from nova.api.openstack import wsgi
from nova.policies import server_usage as su_policies
resp_topic = "OS-SRV-USG"
@ -33,21 +32,17 @@ class ServerUsageController(wsgi.Controller):
@wsgi.extends
def show(self, req, resp_obj, id):
context = req.environ['nova.context']
if context.can(su_policies.BASE_POLICY_NAME, fatal=False):
server = resp_obj.obj['server']
db_instance = req.get_db_instance(server['id'])
# server['id'] is guaranteed to be in the cache due to
# the core API adding it in its 'show' method.
self._extend_server(server, db_instance)
server = resp_obj.obj['server']
db_instance = req.get_db_instance(server['id'])
# server['id'] is guaranteed to be in the cache due to
# the core API adding it in its 'show' method.
self._extend_server(server, db_instance)
@wsgi.extends
def detail(self, req, resp_obj):
context = req.environ['nova.context']
if context.can(su_policies.BASE_POLICY_NAME, fatal=False):
servers = list(resp_obj.obj['servers'])
for server in servers:
db_instance = req.get_db_instance(server['id'])
# server['id'] is guaranteed to be in the cache due to
# the core API adding it in its 'detail' method.
self._extend_server(server, db_instance)
servers = list(resp_obj.obj['servers'])
for server in servers:
db_instance = req.get_db_instance(server['id'])
# server['id'] is guaranteed to be in the cache due to
# the core API adding it in its 'detail' method.
self._extend_server(server, db_instance)

View File

@ -15,8 +15,6 @@
from nova.api.openstack import api_version_request
from nova.api.openstack import common
from nova.policies import flavor_access as fa_policies
from nova.policies import flavor_rxtx as fr_policies
FLAVOR_DESCRIPTION_MICROVERSION = '2.55'
FLAVOR_EXTRA_SPECS_MICROVERSION = '2.61'
@ -27,12 +25,10 @@ class ViewBuilder(common.ViewBuilder):
_collection_name = "flavors"
def basic(self, request, flavor, include_description=False,
update_is_public=None, update_rxtx_factor=None,
include_extra_specs=False):
# include_extra_specs & update_is_public & update_rxtx_factor are
# placeholder param which are not used in this method as basic() method
# is used by index() (GET /flavors) which does not return those keys in
# response.
# include_extra_specs is placeholder param which is not used in
# this method as basic() method is used by index() (GET /flavors)
# which does not return those keys in response.
flavor_dict = {
"flavor": {
"id": flavor["flavorid"],
@ -49,7 +45,6 @@ class ViewBuilder(common.ViewBuilder):
return flavor_dict
def show(self, request, flavor, include_description=False,
update_is_public=None, update_rxtx_factor=None,
include_extra_specs=False):
flavor_dict = {
"flavor": {
@ -61,6 +56,8 @@ class ViewBuilder(common.ViewBuilder):
"OS-FLV-EXT-DATA:ephemeral": flavor["ephemeral_gb"],
"OS-FLV-DISABLED:disabled": flavor["disabled"],
"vcpus": flavor["vcpus"],
"os-flavor-access:is_public": flavor['is_public'],
"rxtx_factor": flavor['rxtx_factor'] or "",
"links": self._get_links(request,
flavor["flavorid"],
self._collection_name),
@ -73,26 +70,6 @@ class ViewBuilder(common.ViewBuilder):
if include_extra_specs:
flavor_dict['flavor']['extra_specs'] = flavor.extra_specs
# TODO(gmann): 'update_is_public' & 'update_rxtx_factor' are policies
# checks. Once os-flavor-access & os-flavor-rxtx policies are
# removed, 'os-flavor-access:is_public' and 'rxtx_factor' need to be
# added in response without any check.
# Evaluate the policies when using show method directly.
context = request.environ['nova.context']
if update_is_public is None:
update_is_public = context.can(fa_policies.BASE_POLICY_NAME,
fatal=False)
if update_rxtx_factor is None:
update_rxtx_factor = context.can(fr_policies.BASE_POLICY_NAME,
fatal=False)
if update_is_public:
flavor_dict['flavor'].update({
"os-flavor-access:is_public": flavor['is_public']})
if update_rxtx_factor:
flavor_dict['flavor'].update(
{"rxtx_factor": flavor['rxtx_factor'] or ""})
return flavor_dict
def index(self, request, flavors):
@ -108,20 +85,12 @@ class ViewBuilder(common.ViewBuilder):
coll_name = self._collection_name + '/detail'
include_description = api_version_request.is_supported(
request, FLAVOR_DESCRIPTION_MICROVERSION)
context = request.environ['nova.context']
update_is_public = context.can(fa_policies.BASE_POLICY_NAME,
fatal=False)
update_rxtx_factor = context.can(fr_policies.BASE_POLICY_NAME,
fatal=False)
return self._list_view(self.show, request, flavors, coll_name,
include_description=include_description,
update_is_public=update_is_public,
update_rxtx_factor=update_rxtx_factor,
include_extra_specs=include_extra_specs)
def _list_view(self, func, request, flavors, coll_name,
include_description=False, update_is_public=None,
update_rxtx_factor=None, include_extra_specs=False):
include_description=False, include_extra_specs=False):
"""Provide a view for a list of flavors.
:param func: Function used to format the flavor data
@ -131,17 +100,12 @@ class ViewBuilder(common.ViewBuilder):
for a pagination query
:param include_description: If the flavor.description should be
included in the response dict.
:param update_is_public: If the flavor.is_public field should be
included in the response dict.
:param update_rxtx_factor: If the flavor.rxtx_factor field should be
included in the response dict.
:param include_extra_specs: If the flavor.extra_specs should be
included in the response dict.
:returns: Flavor reply data in dictionary format
"""
flavor_list = [func(request, flavor, include_description,
update_is_public, update_rxtx_factor,
include_extra_specs)["flavor"]
for flavor in flavors]
flavors_links = self._get_collection_links(request,

View File

@ -24,29 +24,23 @@ from nova.policies import baremetal_nodes
from nova.policies import base
from nova.policies import cells
from nova.policies import cells_scheduler
from nova.policies import config_drive
from nova.policies import console_auth_tokens
from nova.policies import console_output
from nova.policies import consoles
from nova.policies import create_backup
from nova.policies import deferred_delete
from nova.policies import evacuate
from nova.policies import extended_availability_zone
from nova.policies import extended_server_attributes
from nova.policies import extended_status
from nova.policies import extended_volumes
from nova.policies import extensions
from nova.policies import flavor_access
from nova.policies import flavor_extra_specs
from nova.policies import flavor_manage
from nova.policies import flavor_rxtx
from nova.policies import flavors
from nova.policies import floating_ip_pools
from nova.policies import floating_ips
from nova.policies import hide_server_addresses
from nova.policies import hosts
from nova.policies import hypervisors
from nova.policies import image_size
from nova.policies import instance_actions
from nova.policies import instance_usage_audit_log
from nova.policies import ips
@ -71,7 +65,6 @@ from nova.policies import server_groups
from nova.policies import server_metadata
from nova.policies import server_password
from nova.policies import server_tags
from nova.policies import server_usage
from nova.policies import servers
from nova.policies import servers_migrations
from nova.policies import services
@ -97,29 +90,23 @@ def list_rules():
baremetal_nodes.list_rules(),
cells.list_rules(),
cells_scheduler.list_rules(),
config_drive.list_rules(),
console_auth_tokens.list_rules(),
console_output.list_rules(),
consoles.list_rules(),
create_backup.list_rules(),
deferred_delete.list_rules(),
evacuate.list_rules(),
extended_availability_zone.list_rules(),
extended_server_attributes.list_rules(),
extended_status.list_rules(),
extended_volumes.list_rules(),
extensions.list_rules(),
flavor_access.list_rules(),
flavor_extra_specs.list_rules(),
flavor_manage.list_rules(),
flavor_rxtx.list_rules(),
flavors.list_rules(),
floating_ip_pools.list_rules(),
floating_ips.list_rules(),
hide_server_addresses.list_rules(),
hosts.list_rules(),
hypervisors.list_rules(),
image_size.list_rules(),
instance_actions.list_rules(),
instance_usage_audit_log.list_rules(),
ips.list_rules(),
@ -144,7 +131,6 @@ def list_rules():
server_metadata.list_rules(),
server_password.list_rules(),
server_tags.list_rules(),
server_usage.list_rules(),
servers.list_rules(),
servers_migrations.list_rules(),
services.list_rules(),

View File

@ -1,51 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-config-drive'
config_drive_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Add 'config_drive' attribute in the server response",
[
{
'method': 'GET',
'path': '/servers/{id}'
},
{
'method': 'GET',
'path': '/servers/detail'
}
],
deprecated_for_removal=True,
deprecated_reason=(
'Nova API extension concept has been removed in Pike. Those '
'extensions have their own policies enforcement. As there is '
'no extensions now, "os_compute_api:os-config-drive" policy '
'which was added for extensions is not needed any more'
),
deprecated_since='17.0.0'),
]
def list_rules():
return config_drive_policies

View File

@ -1,51 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-extended-availability-zone'
extended_availability_zone_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Add `OS-EXT-AZ:availability_zone` into the server response",
[
{
'method': 'GET',
'path': '/servers/{id}'
},
{
'method': 'GET',
'path': '/servers/detail'
}
],
deprecated_for_removal=True,
deprecated_reason=(
'Nova API extension concept has been removed in Pike. Those '
'extensions have their own policies enforcement. As there is '
'no extensions now, "os_compute_api:os-extended-availability-zone"'
' policy which was added for extensions is not needed any more'
),
deprecated_since='17.0.0'),
]
def list_rules():
return extended_availability_zone_policies

View File

@ -1,58 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-extended-status'
extended_status_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Return extended status in the response of server.
This policy will control the visibility for a set of attributes:
- ``OS-EXT-STS:task_state``
- ``OS-EXT-STS:vm_state``
- ``OS-EXT-STS:power_state``
""",
[
{
'method': 'GET',
'path': '/servers/{id}'
},
{
'method': 'GET',
'path': '/servers/detail'
}
],
deprecated_for_removal=True,
deprecated_reason=(
'Nova API extension concept has been removed in Pike. Those '
'extensions have their own policies enforcement. As there is '
'no extensions now, "os_compute_api:os-extended-status" policy '
'which was added for extensions is not needed any more'
),
deprecated_since='17.0.0'),
]
def list_rules():
return extended_status_policies

View File

@ -1,52 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-extended-volumes'
extended_volumes_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Return 'os-extended-volumes:volumes_attached' in the response of "
"server",
[
{
'method': 'GET',
'path': '/servers/{id}'
},
{
'method': 'GET',
'path': '/servers/detail'
}
],
deprecated_for_removal=True,
deprecated_reason=(
'Nova API extension concept has been removed in Pike. Those '
'extensions have their own policies enforcement. As there is '
'no extensions now, "os_compute_api:os-extended-volumes" policy '
'which was added for extensions is not needed any more'
),
deprecated_since='17.0.0'),
]
def list_rules():
return extended_volumes_policies

View File

@ -49,9 +49,7 @@ flavor_access_policies = [
base.RULE_ADMIN_OR_OWNER,
"""List flavor access information
Adds the os-flavor-access:is_public key into several flavor APIs.
It also allows access to the full list of tenants that have access
Allows access to the full list of tenants that have access
to a flavor via an os-flavor-access API.
""",
[
@ -59,36 +57,7 @@ to a flavor via an os-flavor-access API.
'method': 'GET',
'path': '/flavors/{flavor_id}/os-flavor-access'
},
{
'method': 'GET',
'path': '/flavors/detail'
},
{
'method': 'GET',
'path': '/flavors/{flavor_id}'
},
{
'method': 'POST',
'path': '/flavors'
},
{
'method': 'PUT',
'path': '/flavors/{flavor_id}'
},
],
deprecated_for_removal=True,
deprecated_reason=(
'Nova API extension concept has been removed in Pike. Those '
'extensions have their own policies enforcement. As there is '
'no extensions now, "os_compute_api:os-flavor-access" policy '
'for POST, PUT, GET /flavors which was added for extensions is '
'not needed any more. NOTE: This policy is deprecated only for '
'POST /flavors, PUT /flavors, GET /flavors/{flavor_id} & '
'GET /flavors/detail. This policy for other API operations is '
'still valid and not deprecated'
),
deprecated_since='17.0.0'),
]),
]

View File

@ -1,60 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-flavor-rxtx'
flavor_rxtx_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Add the rxtx_factor key into some Flavor APIs",
[
{
'method': 'GET',
'path': '/flavors/detail'
},
{
'method': 'GET',
'path': '/flavors/{flavor_id}'
},
{
'method': 'POST',
'path': '/flavors'
},
{
'method': 'PUT',
'path': '/flavors/{flavor_id}'
},
],
deprecated_for_removal=True,
deprecated_reason=(
'Nova API extension concept has been removed in Pike. Those '
'extensions have their own policies enforcement. As there is '
'no extensions now, "os_compute_api:os-flavor-rxtx" policy '
'which was added for extensions is not needed any more'
),
deprecated_since='17.0.0'),
]
def list_rules():
return flavor_rxtx_policies

View File

@ -1,51 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:image-size'
image_size_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Add 'OS-EXT-IMG-SIZE:size' attribute in the image response.""",
[
{
'method': 'GET',
'path': '/images/{id}'
},
{
'method': 'GET',
'path': '/images/detail'
}
],
deprecated_for_removal=True,
deprecated_reason=(
'Nova API extension concept has been removed in Pike. Those '
'extensions have their own policies enforcement. As there is '
'no extensions now, "os_compute_api:image-size" policy '
'which was added for extensions is not needed any more'
),
deprecated_since='17.0.0'),
]
def list_rules():
return image_size_policies

View File

@ -15,10 +15,7 @@
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-keypairs'
POLICY_ROOT = 'os_compute_api:os-keypairs:%s'
@ -63,28 +60,6 @@ keypairs_policies = [
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Return 'key_name' in the response of server.",
[
{
'path': '/servers/{id}',
'method': 'GET',
},
{
'path': '/servers/detail',
'method': 'GET'
}
],
deprecated_for_removal=True,
deprecated_reason=(
'Nova API extension concept has been removed in Pike. Those '
'extensions have their own policies enforcement. As there is '
'no extensions now, "os_compute_api:os-keypairs" policy '
'which was added for extensions is not needed any more'
),
deprecated_since='17.0.0'),
]

View File

@ -34,8 +34,7 @@ APIs are deprecated.
APIs which are related to server resource are not deprecated:
Lists Security Groups for a server. Add Security Group to a server
and remove security group from a server. Expand security_groups in
server representation""",
and remove security group from a server.""",
[
{
'method': 'GET',
@ -69,31 +68,8 @@ server representation""",
'method': 'POST',
'path': '/servers/{server_id}/action (removeSecurityGroup)'
},
{
'method': 'POST',
'path': '/servers'
},
{
'method': 'GET',
'path': '/servers/{server_id}'
},
{
'method': 'GET',
'path': '/servers/detail'
}
],
deprecated_for_removal=True,
deprecated_reason=(
'Nova API extension concept has been removed in Pike. Those '
'extensions have their own policies enforcement. As there is '
'no extensions now, "os_compute_api:os-security-groups" policy '
'for POST, GET /servers which was added for extensions is not '
'needed any more. NOTE: This policy is deprecated only for '
'POST /servers, GET /servers/{server_id} & GET /servers/detail. '
'This policy for other API operations is still valid and not '
'deprecated'
),
deprecated_since='17.0.0'),
]

View File

@ -1,58 +0,0 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-server-usage'
server_usage_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Add 'OS-SRV-USG:launched_at' & 'OS-SRV-USG:terminated_at' attribute
in the server response.
This check is performed only after the check
'os_compute_api:servers:show' for GET /servers/{id} and
'os_compute_api:servers:detail' for GET /servers/detail passes""",
[
{
'method': 'GET',
'path': '/servers/{id}'
},
{
'method': 'GET',
'path': '/servers/detail'
}
],
deprecated_for_removal=True,
deprecated_reason=(
'Nova API extension concept has been removed in Pike. Those '
'extensions have their own policies enforcement. As there is '
'no extensions now, "os_compute_api:os-server-usage" policy '
'which was added for extensions is not needed any more'
),
deprecated_since='17.0.0'),
]
def list_rules():
return server_usage_policies

View File

@ -219,29 +219,3 @@ class ExtendedVolumesTestV23(ExtendedVolumesTestV21):
],
]
wsgi_api_version = '2.3'
class ExtendedVolumesEnforcementV21(test.NoDBTestCase):
def setUp(self):
super(ExtendedVolumesEnforcementV21, self).setUp()
self.controller = extended_volumes_v21.ExtendedVolumesController()
self.req = fakes.HTTPRequest.blank('')
@mock.patch.object(extended_volumes_v21.ExtendedVolumesController,
'_extend_server')
def test_extend_show_policy_failed(self, mock_extend):
rule_name = 'os_compute_api:os-extended-volumes'
self.policy.set_rules({rule_name: "project:non_fake"})
# Pass ResponseObj as None, the code shouldn't touch the None.
self.controller.show(self.req, None, fakes.FAKE_UUID)
self.assertFalse(mock_extend.called)
@mock.patch.object(extended_volumes_v21.ExtendedVolumesController,
'_extend_server')
def test_extend_detail_policy_failed(self, mock_extend):
rule_name = 'os_compute_api:os-extended-volumes'
self.policy.set_rules({rule_name: "project:non_fake"})
# Pass ResponseObj as None, the code shouldn't touch the None.
self.controller.detail(self.req, None)
self.assertFalse(mock_extend.called)

View File

@ -779,54 +779,6 @@ class FlavorsTestV2_61(FlavorsTestV2_55):
expect_extra_specs = True
class FlavorsPolicyEnforcementV21(test.NoDBTestCase):
def setUp(self):
super(FlavorsPolicyEnforcementV21, self).setUp()
self.flavor_controller = flavors_v21.FlavorsController()
fakes.stub_out_flavor_get_by_flavor_id(self)
fakes.stub_out_flavor_get_all(self)
self.req = fakes.HTTPRequest.blank('')
def test_show_flavor_access_policy_failed(self):
rule_name = "os_compute_api:os-flavor-access"
self.policy.set_rules({rule_name: "project:non_fake"})
resp = self.flavor_controller.show(self.req, '1')
self.assertNotIn('os-flavor-access:is_public', resp['flavor'])
def test_detail_flavor_access_policy_failed(self):
rule_name = "os_compute_api:os-flavor-access"
self.policy.set_rules({rule_name: "project:non_fake"})
resp = self.flavor_controller.detail(self.req)
self.assertNotIn('os-flavor-access:is_public', resp['flavors'][0])
def test_show_flavor_rxtx_policy_failed(self):
rule_name = "os_compute_api:os-flavor-rxtx"
self.policy.set_rules({rule_name: "project:non_fake"})
resp = self.flavor_controller.show(self.req, '1')
self.assertNotIn('rxtx_factor', resp['flavor'])
def test_detail_flavor_rxtx_policy_failed(self):
rule_name = "os_compute_api:os-flavor-rxtx"
self.policy.set_rules({rule_name: "project:non_fake"})
resp = self.flavor_controller.detail(self.req)
self.assertNotIn('rxtx_factor', resp['flavors'][0])
def test_create_flavor_extended_policy_failed(self):
rules = {"os_compute_api:os-flavor-rxtx": "project:non_fake",
"os_compute_api:os-flavor-access": "project:non_fake"}
self.policy.set_rules(rules)
resp = self.flavor_controller.detail(self.req)
self.assertNotIn('rxtx_factor', resp['flavors'][0])
def test_update_flavor_extended_policy_failed(self):
rules = {"os_compute_api:os-flavor-rxtx": "project:non_fake",
"os_compute_api:os-flavor-access": "project:non_fake"}
self.policy.set_rules(rules)
resp = self.flavor_controller.detail(self.req)
self.assertNotIn('rxtx_factor', resp['flavors'][0])
class DisabledFlavorsWithRealDBTestV21(test.TestCase):
"""Tests that disabled flavors should not be shown nor listed."""
Controller = flavors_v21.FlavorsController

View File

@ -21,7 +21,6 @@ import webob
from nova.api.openstack.compute import security_groups as \
secgroups_v21
from nova.api.openstack import wsgi
from nova import compute
from nova.compute import power_state
from nova import context as context_maker
@ -1537,56 +1536,6 @@ class SecurityGroupsOutputTestV21(test.TestCase):
self.assertEqual(res.status_int, 404)
class SecurityGroupsOutputPolicyEnforcementV21(test.NoDBTestCase):
def setUp(self):
super(SecurityGroupsOutputPolicyEnforcementV21, self).setUp()
self.controller = secgroups_v21.SecurityGroupsOutputController()
self.req = fakes.HTTPRequest.blank('')
self.rule_name = "os_compute_api:os-security-groups"
self.rule = {self.rule_name: "project:non_fake"}
self.policy.set_rules(self.rule)
self.fake_res = wsgi.ResponseObject({
'server': {'id': '0'},
'servers': [{'id': '0'}, {'id': '2'}]})
@mock.patch('nova.policy.authorize')
def test_show_policy_softauth_is_called(self, mock_authorize):
mock_authorize.return_value = False
self.controller.show(self.req, self.fake_res, FAKE_UUID1)
self.assertTrue(mock_authorize.called)
@mock.patch.object(nova.network.security_group.openstack_driver,
"is_neutron_security_groups")
def test_show_policy_failed(self, is_neutron_security_groups):
self.controller.show(self.req, self.fake_res, FAKE_UUID1)
self.assertFalse(is_neutron_security_groups.called)
@mock.patch('nova.policy.authorize')
def test_create_policy_softauth_is_called(self, mock_authorize):
mock_authorize.return_value = False
self.controller.show(self.req, self.fake_res, {})
self.assertTrue(mock_authorize.called)
@mock.patch.object(nova.network.security_group.openstack_driver,
"is_neutron_security_groups")
def test_create_policy_failed(self, is_neutron_security_groups):
self.controller.create(self.req, self.fake_res, {})
self.assertFalse(is_neutron_security_groups.called)
@mock.patch('nova.policy.authorize')
def test_detail_policy_softauth_is_called(self, mock_authorize):
mock_authorize.return_value = False
self.controller.detail(self.req, self.fake_res)
self.assertTrue(mock_authorize.called)
@mock.patch.object(nova.network.security_group.openstack_driver,
"is_neutron_security_groups")
def test_detail_policy_failed(self, is_neutron_security_groups):
self.controller.detail(self.req, self.fake_res)
self.assertFalse(is_neutron_security_groups.called)
class PolicyEnforcementV21(test.NoDBTestCase):
def setUp(self):

View File

@ -368,7 +368,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-suspend-server:resume",
"os_compute_api:os-tenant-networks",
"os_compute_api:extensions",
"os_compute_api:os-config-drive",
"os_compute_api:servers:confirm_resize",
"os_compute_api:servers:create",
"os_compute_api:servers:create:attach_network",
@ -398,26 +397,19 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-console-output",
"os_compute_api:os-remote-consoles",
"os_compute_api:os-deferred-delete",
"os_compute_api:os-extended-status",
"os_compute_api:os-extended-availability-zone",
"os_compute_api:os-extended-volumes",
"os_compute_api:os-flavor-access",
"os_compute_api:os-flavor-rxtx",
"os_compute_api:flavors",
"os_compute_api:os-flavor-extra-specs:index",
"os_compute_api:os-flavor-extra-specs:show",
"os_compute_api:os-floating-ip-pools",
"os_compute_api:os-floating-ips",
"os_compute_api:image-size",
"os_compute_api:os-instance-actions",
"os_compute_api:os-keypairs",
"os_compute_api:limits",
"os_compute_api:os-multinic",
"os_compute_api:os-networks:view",
"os_compute_api:os-rescue",
"os_compute_api:os-security-groups",
"os_compute_api:os-server-password",
"os_compute_api:os-server-usage",
"os_compute_api:os-server-groups",
"os_compute_api:os-server-tags:delete",
"os_compute_api:os-server-tags:delete_all",

View File

@ -0,0 +1,26 @@
---
upgrade:
- |
The following deprecated Policy Rules have been removed:
- Show & List server details
- os_compute_api:os-config-drive
- os_compute_api:os-extended-availability-zone
- os_compute_api:os-extended-status
- os_compute_api:os-extended-volumes
- os_compute_api:os-keypairs
- os_compute_api:os-server-usage
- os_compute_api:os-security-groups (only from /servers APIs)
- Create, Update, Show & List flavor details
- os_compute_api:os-flavor-rxtx
- os_compute_api:os-flavor-access (only from /flavors APIs)
- Show & List image details
- os_compute_api:image-size
These were deprecated in the 17.0.0 release as nova removed the concept
of API extensions.