-rw-r--r--nova/api/openstack/compute/config_drive.py9
-rw-r--r--nova/api/openstack/compute/extended_availability_zone.py17
-rw-r--r--nova/api/openstack/compute/extended_status.py27
-rw-r--r--nova/api/openstack/compute/extended_volumes.py25
-rw-r--r--nova/api/openstack/compute/image_size.py27
-rw-r--r--nova/api/openstack/compute/keypairs.py8
-rw-r--r--nova/api/openstack/compute/security_groups.py3
-rw-r--r--nova/api/openstack/compute/server_usage.py27
-rw-r--r--nova/api/openstack/compute/views/flavors.py48
-rw-r--r--nova/policies/__init__.py14
-rw-r--r--nova/policies/config_drive.py51
-rw-r--r--nova/policies/extended_availability_zone.py51
-rw-r--r--nova/policies/extended_status.py58
-rw-r--r--nova/policies/extended_volumes.py52
-rw-r--r--nova/policies/flavor_access.py35
-rw-r--r--nova/policies/flavor_rxtx.py60
-rw-r--r--nova/policies/image_size.py51
-rw-r--r--nova/policies/keypairs.py25
-rw-r--r--nova/policies/security_groups.py26
-rw-r--r--nova/policies/server_usage.py58
-rw-r--r--nova/tests/unit/api/openstack/compute/test_extended_volumes.py26
-rw-r--r--nova/tests/unit/api/openstack/compute/test_flavors.py48
-rw-r--r--nova/tests/unit/api/openstack/compute/test_security_groups.py51
-rw-r--r--nova/tests/unit/test_policy.py8
-rw-r--r--releasenotes/notes/remove-deprecated-api-extensions-policies-311846b2eb839a22.yaml26
25 files changed, 90 insertions, 741 deletions
diff --git a/nova/api/openstack/compute/config_drive.py b/nova/api/openstack/compute/config_drive.py
index 6987499..fe1b859 100644
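--- a/nova/api/openstack/compute/config_drive.py
+++ b/nova/api/openstack/compute/config_drive.py
@@ -16,7 +16,6 @@
 """Config Drive extension."""
 
 from nova.api.openstack import wsgi
-from nova.policies import config_drive as cd_policies
 
 ATTRIBUTE_NAME = "config_drive"
 
@@ -37,14 +36,10 @@ class ConfigDriveController(wsgi.Controller):
 
  @wsgi.extends
  def show(self, req, resp_obj, id):
- context = req.environ['nova.context']
- if context.can(cd_policies.BASE_POLICY_NAME, fatal=False):
- self._show(req, resp_obj)
+ self._show(req, resp_obj)
 
  @wsgi.extends
  def detail(self, req, resp_obj):
- context = req.environ['nova.context']
- if 'servers' in resp_obj.obj and context.can(
- cd_policies.BASE_POLICY_NAME, fatal=False):
+ if 'servers' in resp_obj.obj:
  servers = resp_obj.obj['servers']
  self._add_config_drive(req, servers)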
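Review bot: With the `context.can(cd_policies.BASE_POLICY_NAME, fatal=False)` gate removed, `show` and `detail` add `config_drive` for every request that reaches these extension hooks, so a deployment that had tightened `os_compute_api:os-config-drive` beyond its `base.RULE_ADMIN_OR_OWNER` default to hide the field loses that restriction on upgrade. The same holds for the gates removed in extended_availability_zone.py, extended_status.py, extended_volumes.py, image_size.py, keypairs.py, security_groups.py, server_usage.py and views/flavors.py. The diffstat lists a release note whose text is outside this view; it should name every response attribute that becomes unconditional. I would also record the new contract next to the code, e.g. `# NOTE: 'config_drive' is always returned; no per-attribute policy rule is consulted.` above `show`. The helpers `_show` and `_add_config_drive` are outside the hunk.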
diff --git a/nova/api/openstack/compute/extended_availability_zone.py b/nova/api/openstack/compute/extended_availability_zone.py
index ac562c5..0d63169 100644
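--- a/nova/api/openstack/compute/extended_availability_zone.py
+++ b/nova/api/openstack/compute/extended_availability_zone.py
@@ -17,7 +17,6 @@
 
 from nova.api.openstack import wsgi
 from nova import availability_zones as avail_zone
-from nova.policies import extended_availability_zone as eaz_policies
 
 PREFIX = "OS-EXT-AZ"
 
@@ -34,16 +33,14 @@ class ExtendedAZController(wsgi.Controller):
  @wsgi.extends
  def show(self, req, resp_obj, id):
  context = req.environ['nova.context']
- if context.can(eaz_policies.BASE_POLICY_NAME, fatal=False):
- server = resp_obj.obj['server']
- db_instance = req.get_db_instance(server['id'])
- self._extend_server(context, server, db_instance)
+ server = resp_obj.obj['server']
+ db_instance = req.get_db_instance(server['id'])
+ self._extend_server(context, server, db_instance)
 
  @wsgi.extends
  def detail(self, req, resp_obj):
  context = req.environ['nova.context']
- if context.can(eaz_policies.BASE_POLICY_NAME, fatal=False):
- servers = list(resp_obj.obj['servers'])
- for server in servers:
- db_instance = req.get_db_instance(server['id'])
- self._extend_server(context, server, db_instance)
+ servers = list(resp_obj.obj['servers'])
+ for server in servers:
+ db_instance = req.get_db_instance(server['id'])
+ self._extend_server(context, server, db_instance)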
diff --git a/nova/api/openstack/compute/extended_status.py b/nova/api/openstack/compute/extended_status.py
index e1bb52b..5f0faa0 100644
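--- a/nova/api/openstack/compute/extended_status.py
+++ b/nova/api/openstack/compute/extended_status.py
@@ -15,7 +15,6 @@
 """The Extended Status Admin API extension."""
 
 from nova.api.openstack import wsgi
-from nova.policies import extended_status as es_policies
 
 
 class ExtendedStatusController(wsgi.Controller):
@@ -32,21 +31,17 @@ class ExtendedStatusController(wsgi.Controller):
 
  @wsgi.extends
  def show(self, req, resp_obj, id):
- context = req.environ['nova.context']
- if context.can(es_policies.BASE_POLICY_NAME, fatal=False):
- server = resp_obj.obj['server']
- db_instance = req.get_db_instance(server['id'])
- # server['id'] is guaranteed to be in the cache due to
- # the core API adding it in its 'show' method.
- self._extend_server(server, db_instance)
+ server = resp_obj.obj['server']
+ db_instance = req.get_db_instance(server['id'])
+ # server['id'] is guaranteed to be in the cache due to
+ # the core API adding it in its 'show' method.
+ self._extend_server(server, db_instance)
 
  @wsgi.extends
  def detail(self, req, resp_obj):
- context = req.environ['nova.context']
- if context.can(es_policies.BASE_POLICY_NAME, fatal=False):
- servers = list(resp_obj.obj['servers'])
- for server in servers:
- db_instance = req.get_db_instance(server['id'])
- # server['id'] is guaranteed to be in the cache due to
- # the core API adding it in its 'detail' method.
- self._extend_server(server, db_instance)
+ servers = list(resp_obj.obj['servers'])
+ for server in servers:
+ db_instance = req.get_db_instance(server['id'])
+ # server['id'] is guaranteed to be in the cache due to
+ # the core API adding it in its 'detail' method.
+ self._extend_server(server, db_instance)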
diff --git a/nova/api/openstack/compute/extended_volumes.py b/nova/api/openstack/compute/extended_volumes.py
index a88a458..e203f13 100644
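--- a/nova/api/openstack/compute/extended_volumes.py
+++ b/nova/api/openstack/compute/extended_volumes.py
@@ -19,13 +19,12 @@ from nova.api.openstack import api_version_request
 from nova.api.openstack import wsgi
 from nova import context
 from nova import objects
-from nova.policies import extended_volumes as ev_policies
 
 LOG = logging.getLogger(__name__)
 
 
 class ExtendedVolumesController(wsgi.Controller):
- def _extend_server(self, context, server, req, bdms):
+ def _extend_server(self, server, req, bdms):
  volumes_attached = []
  for bdm in bdms:
  if bdm.get('volume_id'):
@@ -43,12 +42,11 @@ class ExtendedVolumesController(wsgi.Controller):
  @wsgi.extends
  def show(self, req, resp_obj, id):
  context = req.environ['nova.context']
- if context.can(ev_policies.BASE_POLICY_NAME, fatal=False):
- server = resp_obj.obj['server']
- bdms = objects.BlockDeviceMappingList.bdms_by_instance_uuid(
- context, [server['id']])
- instance_bdms = self._get_instance_bdms(bdms, server)
- self._extend_server(context, server, req, instance_bdms)
+ server = resp_obj.obj['server']
+ bdms = objects.BlockDeviceMappingList.bdms_by_instance_uuid(
+ context, [server['id']])
+ instance_bdms = self._get_instance_bdms(bdms, server)
+ self._extend_server(server, req, instance_bdms)
 
  @staticmethod
  def _get_instance_bdms_in_multiple_cells(ctxt, servers):
@@ -82,12 +80,11 @@ class ExtendedVolumesController(wsgi.Controller):
  @wsgi.extends
  def detail(self, req, resp_obj):
  context = req.environ['nova.context']
- if context.can(ev_policies.BASE_POLICY_NAME, fatal=False):
- servers = list(resp_obj.obj['servers'])
- bdms = self._get_instance_bdms_in_multiple_cells(context, servers)
- for server in servers:
- instance_bdms = self._get_instance_bdms(bdms, server)
- self._extend_server(context, server, req, instance_bdms)
+ servers = list(resp_obj.obj['servers'])
+ bdms = self._get_instance_bdms_in_multiple_cells(context, servers)
+ for server in servers:
+ instance_bdms = self._get_instance_bdms(bdms, server)
+ self._extend_server(server, req, instance_bdms)
 
  def _get_instance_bdms(self, bdms, server):
  # server['id'] is guaranteed to be in the cache due to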
diff --git a/nova/api/openstack/compute/image_size.py b/nova/api/openstack/compute/image_size.py
index 8ed4ae6..c6569c6 100644
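--- a/nova/api/openstack/compute/image_size.py
+++ b/nova/api/openstack/compute/image_size.py
@@ -14,7 +14,6 @@
 # under the License.
 
 from nova.api.openstack import wsgi
-from nova.policies import image_size as is_policies
 
 
 class ImageSizeController(wsgi.Controller):
@@ -28,21 +27,17 @@ class ImageSizeController(wsgi.Controller):
 
  @wsgi.extends
  def show(self, req, resp_obj, id):
- context = req.environ["nova.context"]
- if context.can(is_policies.BASE_POLICY_NAME, fatal=False):
- image_resp = resp_obj.obj['image']
- # image guaranteed to be in the cache due to the core API adding
- # it in its 'show' method
- image_cached = req.get_db_item('images', image_resp['id'])
- self._extend_image(image_resp, image_cached)
+ image_resp = resp_obj.obj['image']
+ # image guaranteed to be in the cache due to the core API adding
+ # it in its 'show' method
+ image_cached = req.get_db_item('images', image_resp['id'])
+ self._extend_image(image_resp, image_cached)
 
  @wsgi.extends
  def detail(self, req, resp_obj):
- context = req.environ['nova.context']
- if context.can(is_policies.BASE_POLICY_NAME, fatal=False):
- images_resp = list(resp_obj.obj['images'])
- # images guaranteed to be in the cache due to the core API adding
- # it in its 'detail' method
- for image in images_resp:
- image_cached = req.get_db_item('images', image['id'])
- self._extend_image(image, image_cached)
+ images_resp = list(resp_obj.obj['images'])
+ # images guaranteed to be in the cache due to the core API adding
+ # it in its 'detail' method
+ for image in images_resp:
+ image_cached = req.get_db_item('images', image['id'])
+ self._extend_image(image, image_cached)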
diff --git a/nova/api/openstack/compute/keypairs.py b/nova/api/openstack/compute/keypairs.py
index b3c7bbb..673c65b 100644
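--- a/nova/api/openstack/compute/keypairs.py
+++ b/nova/api/openstack/compute/keypairs.py
@@ -306,14 +306,10 @@ class Controller(wsgi.Controller):
 
  @wsgi.extends
  def show(self, req, resp_obj, id):
- context = req.environ['nova.context']
- if context.can(kp_policies.BASE_POLICY_NAME, fatal=False):
- self._show(req, resp_obj)
+ self._show(req, resp_obj)
 
  @wsgi.extends
  def detail(self, req, resp_obj):
- context = req.environ['nova.context']
- if 'servers' in resp_obj.obj and context.can(
- kp_policies.BASE_POLICY_NAME, fatal=False):
+ if 'servers' in resp_obj.obj:
  servers = resp_obj.obj['servers']
  self._add_key_name(req, servers)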
diff --git a/nova/api/openstack/compute/security_groups.py b/nova/api/openstack/compute/security_groups.py
index 9801f46..12c3588 100644
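--- a/nova/api/openstack/compute/security_groups.py
+++ b/nova/api/openstack/compute/security_groups.py
@@ -490,9 +490,6 @@ class SecurityGroupsOutputController(wsgi.Controller):
  return
  key = "security_groups"
  context = req.environ['nova.context']
- if not context.can(sg_policies.BASE_POLICY_NAME, fatal=False):
- return
-
  if not openstack_driver.is_neutron_security_groups():
  for server in servers:
  instance = req.get_db_instance(server['id'])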
diff --git a/nova/api/openstack/compute/server_usage.py b/nova/api/openstack/compute/server_usage.py
index 5448f8b..d97591a 100644
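--- a/nova/api/openstack/compute/server_usage.py
+++ b/nova/api/openstack/compute/server_usage.py
@@ -13,7 +13,6 @@
 # under the License.
 
 from nova.api.openstack import wsgi
-from nova.policies import server_usage as su_policies
 
 
 resp_topic = "OS-SRV-USG"
@@ -33,21 +32,17 @@ class ServerUsageController(wsgi.Controller):
 
  @wsgi.extends
  def show(self, req, resp_obj, id):
- context = req.environ['nova.context']
- if context.can(su_policies.BASE_POLICY_NAME, fatal=False):
- server = resp_obj.obj['server']
- db_instance = req.get_db_instance(server['id'])
- # server['id'] is guaranteed to be in the cache due to
- # the core API adding it in its 'show' method.
- self._extend_server(server, db_instance)
+ server = resp_obj.obj['server']
+ db_instance = req.get_db_instance(server['id'])
+ # server['id'] is guaranteed to be in the cache due to
+ # the core API adding it in its 'show' method.
+ self._extend_server(server, db_instance)
 
  @wsgi.extends
  def detail(self, req, resp_obj):
- context = req.environ['nova.context']
- if context.can(su_policies.BASE_POLICY_NAME, fatal=False):
- servers = list(resp_obj.obj['servers'])
- for server in servers:
- db_instance = req.get_db_instance(server['id'])
- # server['id'] is guaranteed to be in the cache due to
- # the core API adding it in its 'detail' method.
- self._extend_server(server, db_instance)
+ servers = list(resp_obj.obj['servers'])
+ for server in servers:
+ db_instance = req.get_db_instance(server['id'])
+ # server['id'] is guaranteed to be in the cache due to
+ # the core API adding it in its 'detail' method.
+ self._extend_server(server, db_instance)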
diff --git a/nova/api/openstack/compute/views/flavors.py b/nova/api/openstack/compute/views/flavors.py
index a7b2a04..2c7e925 100644
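--- a/nova/api/openstack/compute/views/flavors.py
+++ b/nova/api/openstack/compute/views/flavors.py
@@ -15,8 +15,6 @@
 
 from nova.api.openstack import api_version_request
 from nova.api.openstack import common
-from nova.policies import flavor_access as fa_policies
-from nova.policies import flavor_rxtx as fr_policies
 
 FLAVOR_DESCRIPTION_MICROVERSION = '2.55'
 FLAVOR_EXTRA_SPECS_MICROVERSION = '2.61'
@@ -27,12 +25,10 @@ class ViewBuilder(common.ViewBuilder):
  _collection_name = "flavors"
 
  def basic(self, request, flavor, include_description=False,
- update_is_public=None, update_rxtx_factor=None,
  include_extra_specs=False):
- # include_extra_specs & update_is_public & update_rxtx_factor are
- # placeholder param which are not used in this method as basic() method
- # is used by index() (GET /flavors) which does not return those keys in
- # response.
+ # include_extra_specs is placeholder param which is not used in
+ # this method as basic() method is used by index() (GET /flavors)
+ # which does not return those keys in response.
  flavor_dict = {
  "flavor": {
  "id": flavor["flavorid"],
@@ -49,7 +45,6 @@ class ViewBuilder(common.ViewBuilder):
  return flavor_dict
 
  def show(self, request, flavor, include_description=False,
- update_is_public=None, update_rxtx_factor=None,
  include_extra_specs=False):
  flavor_dict = {
  "flavor": {
@@ -61,6 +56,8 @@ class ViewBuilder(common.ViewBuilder):
  "OS-FLV-EXT-DATA:ephemeral": flavor["ephemeral_gb"],
  "OS-FLV-DISABLED:disabled": flavor["disabled"],
  "vcpus": flavor["vcpus"],
+ "os-flavor-access:is_public": flavor['is_public'],
+ "rxtx_factor": flavor['rxtx_factor'] or "",
  "links": self._get_links(request,
  flavor["flavorid"],
  self._collection_name),
@@ -73,26 +70,6 @@ class ViewBuilder(common.ViewBuilder):
  if include_extra_specs:
  flavor_dict['flavor']['extra_specs'] = flavor.extra_specs
 
- # TODO(gmann): 'update_is_public' & 'update_rxtx_factor' are policies
- # checks. Once os-flavor-access & os-flavor-rxtx policies are
- # removed, 'os-flavor-access:is_public' and 'rxtx_factor' need to be
- # added in response without any check.
-
- # Evaluate the policies when using show method directly.
- context = request.environ['nova.context']
- if update_is_public is None:
- update_is_public = context.can(fa_policies.BASE_POLICY_NAME,
- fatal=False)
- if update_rxtx_factor is None:
- update_rxtx_factor = context.can(fr_policies.BASE_POLICY_NAME,
- fatal=False)
- if update_is_public:
- flavor_dict['flavor'].update({
- "os-flavor-access:is_public": flavor['is_public']})
- if update_rxtx_factor:
- flavor_dict['flavor'].update(
- {"rxtx_factor": flavor['rxtx_factor'] or ""})
-
  return flavor_dict
 
  def index(self, request, flavors):
@@ -108,20 +85,12 @@ class ViewBuilder(common.ViewBuilder):
  coll_name = self._collection_name + '/detail'
  include_description = api_version_request.is_supported(
  request, FLAVOR_DESCRIPTION_MICROVERSION)
- context = request.environ['nova.context']
- update_is_public = context.can(fa_policies.BASE_POLICY_NAME,
- fatal=False)
- update_rxtx_factor = context.can(fr_policies.BASE_POLICY_NAME,
- fatal=False)
  return self._list_view(self.show, request, flavors, coll_name,
  include_description=include_description,
- update_is_public=update_is_public,
- update_rxtx_factor=update_rxtx_factor,
  include_extra_specs=include_extra_specs)
 
  def _list_view(self, func, request, flavors, coll_name,
- include_description=False, update_is_public=None,
- update_rxtx_factor=None, include_extra_specs=False):
+ include_description=False, include_extra_specs=False):
  """Provide a view for a list of flavors.
 
  :param func: Function used to format the flavor data
@@ -131,17 +100,12 @@ class ViewBuilder(common.ViewBuilder):
  for a pagination query
  :param include_description: If the flavor.description should be
  included in the response dict.
- :param update_is_public: If the flavor.is_public field should be
- included in the response dict.
- :param update_rxtx_factor: If the flavor.rxtx_factor field should be
- included in the response dict.
  :param include_extra_specs: If the flavor.extra_specs should be
  included in the response dict.
 
  :returns: Flavor reply data in dictionary format
  """
  flavor_list = [func(request, flavor, include_description,
- update_is_public, update_rxtx_factor,
  include_extra_specs)["flavor"]
  for flavor in flavors]
  flavors_links = self._get_collection_links(request,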
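Review bot: `_list_view` still forwards the flags to `func` positionally, while this change moves `include_extra_specs` from the sixth to the fourth positional argument of `basic` and `show`. Any caller outside these hunks that still passes the old argument list positionally would bind a former policy flag to `include_extra_specs` without raising, which can add or drop `extra_specs` in the response unnoticed. Passing by keyword removes that risk: `func(request, flavor, include_description=include_description, include_extra_specs=include_extra_specs)["flavor"]`. Separately, the rewritten comment in `basic` still says "those keys" although only `include_extra_specs` remains, and `show` now returns `os-flavor-access:is_public` and `rxtx_factor` to every caller, which deserves a line in its docstring. `_list_view` continues past the last hunk.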
diff --git a/nova/policies/__init__.py b/nova/policies/__init__.py
index bd7b04d..5f45824 100644
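--- a/nova/policies/__init__.py
+++ b/nova/policies/__init__.py
@@ -24,29 +24,23 @@ from nova.policies import baremetal_nodes
 from nova.policies import base
 from nova.policies import cells
 from nova.policies import cells_scheduler
-from nova.policies import config_drive
 from nova.policies import console_auth_tokens
 from nova.policies import console_output
 from nova.policies import consoles
 from nova.policies import create_backup
 from nova.policies import deferred_delete
 from nova.policies import evacuate
-from nova.policies import extended_availability_zone
 from nova.policies import extended_server_attributes
-from nova.policies import extended_status
-from nova.policies import extended_volumes
 from nova.policies import extensions
 from nova.policies import flavor_access
 from nova.policies import flavor_extra_specs
 from nova.policies import flavor_manage
-from nova.policies import flavor_rxtx
 from nova.policies import flavors
 from nova.policies import floating_ip_pools
 from nova.policies import floating_ips
 from nova.policies import hide_server_addresses
 from nova.policies import hosts
 from nova.policies import hypervisors
-from nova.policies import image_size
 from nova.policies import instance_actions
 from nova.policies import instance_usage_audit_log
 from nova.policies import ips
@@ -71,7 +65,6 @@ from nova.policies import server_groups
 from nova.policies import server_metadata
 from nova.policies import server_password
 from nova.policies import server_tags
-from nova.policies import server_usage
 from nova.policies import servers
 from nova.policies import servers_migrations
 from nova.policies import services
@@ -97,29 +90,23 @@ def list_rules():
  baremetal_nodes.list_rules(),
  cells.list_rules(),
  cells_scheduler.list_rules(),
- config_drive.list_rules(),
  console_auth_tokens.list_rules(),
  console_output.list_rules(),
  consoles.list_rules(),
  create_backup.list_rules(),
  deferred_delete.list_rules(),
  evacuate.list_rules(),
- extended_availability_zone.list_rules(),
  extended_server_attributes.list_rules(),
- extended_status.list_rules(),
- extended_volumes.list_rules(),
  extensions.list_rules(),
  flavor_access.list_rules(),
  flavor_extra_specs.list_rules(),
  flavor_manage.list_rules(),
- flavor_rxtx.list_rules(),
  flavors.list_rules(),
  floating_ip_pools.list_rules(),
  floating_ips.list_rules(),
  hide_server_addresses.list_rules(),
  hosts.list_rules(),
  hypervisors.list_rules(),
- image_size.list_rules(),
  instance_actions.list_rules(),
  instance_usage_audit_log.list_rules(),
  ips.list_rules(),
@@ -144,7 +131,6 @@ def list_rules():
  server_metadata.list_rules(),
  server_password.list_rules(),
  server_tags.list_rules(),
- server_usage.list_rules(),
  servers.list_rules(),
  servers_migrations.list_rules(),
  services.list_rules(),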
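Review bot: Once these seven modules are dropped from `list_rules()`, their rule names are no longer registered defaults, so an override left in an operator's policy file would presumably still load without error while having no effect. That leaves a restriction that looks configured but is never evaluated, and nothing in the visible hunks detects or reports it. A comment above the list would at least state the consequence, e.g. `# Rules removed from this list are never evaluated; overrides left in policy files are ignored.`; a startup or upgrade-time warning for the removed names would be stronger but belongs outside this file. `list_rules()` starts and ends outside the hunks.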
diff --git a/nova/policies/config_drive.py b/nova/policies/config_drive.py
deleted file mode 100644
index 6bce5df..0000000
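--- a/nova/policies/config_drive.py
+++ /dev/null
@@ -1,51 +0,0 @@
-# Copyright 2016 Cloudbase Solutions Srl
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_policy import policy
-
-from nova.policies import base
-
-
-BASE_POLICY_NAME = 'os_compute_api:os-config-drive'
-
-
-config_drive_policies = [
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- "Add 'config_drive' attribute in the server response",
- [
- {
- 'method': 'GET',
- 'path': '/servers/{id}'
- },
- {
- 'method': 'GET',
- 'path': '/servers/detail'
- }
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-config-drive" policy '
- 'which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
-]
-
-
-def list_rules():
- return config_drive_policies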
diff --git a/nova/policies/extended_availability_zone.py b/nova/policies/extended_availability_zone.py
deleted file mode 100644
index 974b909..0000000
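--- a/nova/policies/extended_availability_zone.py
+++ /dev/null
@@ -1,51 +0,0 @@
-# Copyright 2016 Cloudbase Solutions Srl
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_policy import policy
-
-from nova.policies import base
-
-
-BASE_POLICY_NAME = 'os_compute_api:os-extended-availability-zone'
-
-
-extended_availability_zone_policies = [
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- "Add `OS-EXT-AZ:availability_zone` into the server response",
- [
- {
- 'method': 'GET',
- 'path': '/servers/{id}'
- },
- {
- 'method': 'GET',
- 'path': '/servers/detail'
- }
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-extended-availability-zone"'
- ' policy which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
-]
-
-
-def list_rules():
- return extended_availability_zone_policies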
diff --git a/nova/policies/extended_status.py b/nova/policies/extended_status.py
deleted file mode 100644
index c65a4a2..0000000
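--- a/nova/policies/extended_status.py
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright 2016 Cloudbase Solutions Srl
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_policy import policy
-
-from nova.policies import base
-
-
-BASE_POLICY_NAME = 'os_compute_api:os-extended-status'
-
-
-extended_status_policies = [
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- """Return extended status in the response of server.
-
-This policy will control the visibility for a set of attributes:
-
-- ``OS-EXT-STS:task_state``
-- ``OS-EXT-STS:vm_state``
-- ``OS-EXT-STS:power_state``
-""",
- [
- {
- 'method': 'GET',
- 'path': '/servers/{id}'
- },
- {
- 'method': 'GET',
- 'path': '/servers/detail'
- }
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-extended-status" policy '
- 'which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
-]
-
-
-def list_rules():
- return extended_status_policies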
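--- a/nova/policies/extended_volumes.py
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 2016 Cloudbase Solutions Srl
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_policy import policy
-
-from nova.policies import base
-
-
-BASE_POLICY_NAME = 'os_compute_api:os-extended-volumes'
-
-
-extended_volumes_policies = [
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- "Return 'os-extended-volumes:volumes_attached' in the response of "
- "server",
- [
- {
- 'method': 'GET',
- 'path': '/servers/{id}'
- },
- {
- 'method': 'GET',
- 'path': '/servers/detail'
- }
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-extended-volumes" policy '
- 'which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
-]
-
-
-def list_rules():
- return extended_volumes_policies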
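--- a/nova/policies/flavor_access.py
+++ b/nova/policies/flavor_access.py
@@ -49,9 +49,7 @@ flavor_access_policies = [
  base.RULE_ADMIN_OR_OWNER,
  """List flavor access information
 
-Adds the os-flavor-access:is_public key into several flavor APIs.
+Allows access to the full list of tenants that have access
-
-It also allows access to the full list of tenants that have access
 to a flavor via an os-flavor-access API.
 """,
  [
@@ -59,36 +57,7 @@ to a flavor via an os-flavor-access API.
  'method': 'GET',
  'path': '/flavors/{flavor_id}/os-flavor-access'
  },
- {
+ ]),
- 'method': 'GET',
- 'path': '/flavors/detail'
- },
- {
- 'method': 'GET',
- 'path': '/flavors/{flavor_id}'
- },
- {
- 'method': 'POST',
- 'path': '/flavors'
- },
- {
- 'method': 'PUT',
- 'path': '/flavors/{flavor_id}'
- },
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-flavor-access" policy '
- 'for POST, PUT, GET /flavors which was added for extensions is '
- 'not needed any more. NOTE: This policy is deprecated only for '
- 'POST /flavors, PUT /flavors, GET /flavors/{flavor_id} & '
- 'GET /flavors/detail. This policy for other API operations is '
- 'still valid and not deprecated'
-
- ),
- deprecated_since='17.0.0'),
 ]
 
 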
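Review bot: The new description for `os_compute_api:os-flavor-access` (new lines 50–54) drops the `os-flavor-access:is_public` sentence without saying that the rule no longer applies to that key, so a deployment that overrode the rule to hide it from `GET /flavors/detail` or `GET /flavors/{flavor_id}` has no in-code hint that the override stopped having an effect there. The view code is outside this section, so that the key is now always returned is inferred from the removed operations and the deleted `test_show_flavor_access_policy_failed` test. I would append one line to the description, for example `This rule no longer controls the os-flavor-access:is_public key in flavor responses.` The same gap exists for the `key_name` rule removed in keypairs.py and the `/servers` operations dropped in security_groups.py. The rule list starts above the first hunk.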
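--- a/nova/policies/flavor_rxtx.py
+++ /dev/null
@@ -1,60 +0,0 @@
-# Copyright 2016 Cloudbase Solutions Srl
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-from oslo_policy import policy
-
-from nova.policies import base
-
-
-BASE_POLICY_NAME = 'os_compute_api:os-flavor-rxtx'
-
-
-flavor_rxtx_policies = [
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- "Add the rxtx_factor key into some Flavor APIs",
- [
- {
- 'method': 'GET',
- 'path': '/flavors/detail'
- },
- {
- 'method': 'GET',
- 'path': '/flavors/{flavor_id}'
- },
- {
- 'method': 'POST',
- 'path': '/flavors'
- },
- {
- 'method': 'PUT',
- 'path': '/flavors/{flavor_id}'
- },
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-flavor-rxtx" policy '
- 'which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
-]
-
-
-def list_rules():
- return flavor_rxtx_policies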
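--- a/nova/policies/image_size.py
+++ /dev/null
@@ -1,51 +0,0 @@
-# Copyright 2016 Cloudbase Solutions Srl
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_policy import policy
-
-from nova.policies import base
-
-
-BASE_POLICY_NAME = 'os_compute_api:image-size'
-
-
-image_size_policies = [
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- """Add 'OS-EXT-IMG-SIZE:size' attribute in the image response.""",
- [
- {
- 'method': 'GET',
- 'path': '/images/{id}'
- },
- {
- 'method': 'GET',
- 'path': '/images/detail'
- }
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:image-size" policy '
- 'which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
-]
-
-
-def list_rules():
- return image_size_policies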
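--- a/nova/policies/keypairs.py
+++ b/nova/policies/keypairs.py
@@ -15,10 +15,7 @@
 
 from oslo_policy import policy
 
-from nova.policies import base
 
-
-BASE_POLICY_NAME = 'os_compute_api:os-keypairs'
 POLICY_ROOT = 'os_compute_api:os-keypairs:%s'
 
 
@@ -63,28 +60,6 @@ keypairs_policies = [
  'method': 'GET'
  }
  ]),
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- "Return 'key_name' in the response of server.",
- [
- {
- 'path': '/servers/{id}',
- 'method': 'GET',
- },
- {
- 'path': '/servers/detail',
- 'method': 'GET'
- }
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-keypairs" policy '
- 'which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
 ]
 
 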
diff --git a/nova/policies/security_groups.py b/nova/policies/security_groups.py
index b104f1b..c159ae6 100644
--- a/nova/policies/security_groups.py
+++ b/nova/policies/security_groups.py
@@ -34,8 +34,7 @@ APIs are deprecated.
34 34
35APIs which are related to server resource are not deprecated: 35APIs which are related to server resource are not deprecated:
36Lists Security Groups for a server. Add Security Group to a server 36Lists Security Groups for a server. Add Security Group to a server
37and remove security group from a server. Expand security_groups in 37and remove security group from a server.""",
38server representation""",
39 [ 38 [
40 { 39 {
41 'method': 'GET', 40 'method': 'GET',
@@ -69,31 +68,8 @@ server representation""",
69 'method': 'POST', 68 'method': 'POST',
70 'path': '/servers/{server_id}/action (removeSecurityGroup)' 69 'path': '/servers/{server_id}/action (removeSecurityGroup)'
71 }, 70 },
72 {
73 'method': 'POST',
74 'path': '/servers'
75 },
76 {
77 'method': 'GET',
78 'path': '/servers/{server_id}'
79 },
80 {
81 'method': 'GET',
82 'path': '/servers/detail'
83 }
84 ], 71 ],
85 deprecated_for_removal=True,
86 deprecated_reason=(
87 'Nova API extension concept has been removed in Pike. Those '
88 'extensions have their own policies enforcement. As there is '
89 'no extensions now, "os_compute_api:os-security-groups" policy '
90 'for POST, GET /servers which was added for extensions is not '
91 'needed any more. NOTE: This policy is deprecated only for '
92 'POST /servers, GET /servers/{server_id} & GET /servers/detail. '
93 'This policy for other API operations is still valid and not '
94 'deprecated'
95 ), 72 ),
96 deprecated_since='17.0.0'),
97] 73]
98 74
99 75
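Review bot: The rule now closes with `],` on new line 71 and a separate `),` on new line 72, which looks like a leftover of the removed `deprecated_reason=(...)` block rather than a deliberate layout; flavor_access.py (new line 60) and keypairs.py close the same kind of call with `]),`. I would fold the two lines into `]),`. Indentation is not recoverable from this rendering, so whether `),` lines up with the call cannot be checked here. The rule definition starts above the first hunk.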
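--- a/nova/policies/server_usage.py
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright 2016 Cloudbase Solutions Srl
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_policy import policy
-
-from nova.policies import base
-
-
-BASE_POLICY_NAME = 'os_compute_api:os-server-usage'
-
-
-server_usage_policies = [
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- """Add 'OS-SRV-USG:launched_at' & 'OS-SRV-USG:terminated_at' attribute
-in the server response.
-
-This check is performed only after the check
-'os_compute_api:servers:show' for GET /servers/{id} and
-'os_compute_api:servers:detail' for GET /servers/detail passes""",
-
-
- [
- {
- 'method': 'GET',
- 'path': '/servers/{id}'
- },
- {
- 'method': 'GET',
- 'path': '/servers/detail'
- }
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-server-usage" policy '
- 'which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
-]
-
-
-def list_rules():
- return server_usage_policies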
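--- a/nova/tests/unit/api/openstack/compute/test_extended_volumes.py
+++ b/nova/tests/unit/api/openstack/compute/test_extended_volumes.py
@@ -219,29 +219,3 @@ class ExtendedVolumesTestV23(ExtendedVolumesTestV21):
  ],
  ]
  wsgi_api_version = '2.3'
-
-
-class ExtendedVolumesEnforcementV21(test.NoDBTestCase):
-
- def setUp(self):
- super(ExtendedVolumesEnforcementV21, self).setUp()
- self.controller = extended_volumes_v21.ExtendedVolumesController()
- self.req = fakes.HTTPRequest.blank('')
-
- @mock.patch.object(extended_volumes_v21.ExtendedVolumesController,
- '_extend_server')
- def test_extend_show_policy_failed(self, mock_extend):
- rule_name = 'os_compute_api:os-extended-volumes'
- self.policy.set_rules({rule_name: "project:non_fake"})
- # Pass ResponseObj as None, the code shouldn't touch the None.
- self.controller.show(self.req, None, fakes.FAKE_UUID)
- self.assertFalse(mock_extend.called)
-
- @mock.patch.object(extended_volumes_v21.ExtendedVolumesController,
- '_extend_server')
- def test_extend_detail_policy_failed(self, mock_extend):
- rule_name = 'os_compute_api:os-extended-volumes'
- self.policy.set_rules({rule_name: "project:non_fake"})
- # Pass ResponseObj as None, the code shouldn't touch the None.
- self.controller.detail(self.req, None)
- self.assertFalse(mock_extend.called)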
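--- a/nova/tests/unit/api/openstack/compute/test_flavors.py
+++ b/nova/tests/unit/api/openstack/compute/test_flavors.py
@@ -779,54 +779,6 @@ class FlavorsTestV2_61(FlavorsTestV2_55):
  expect_extra_specs = True
 
 
-class FlavorsPolicyEnforcementV21(test.NoDBTestCase):
-
- def setUp(self):
- super(FlavorsPolicyEnforcementV21, self).setUp()
- self.flavor_controller = flavors_v21.FlavorsController()
- fakes.stub_out_flavor_get_by_flavor_id(self)
- fakes.stub_out_flavor_get_all(self)
- self.req = fakes.HTTPRequest.blank('')
-
- def test_show_flavor_access_policy_failed(self):
- rule_name = "os_compute_api:os-flavor-access"
- self.policy.set_rules({rule_name: "project:non_fake"})
- resp = self.flavor_controller.show(self.req, '1')
- self.assertNotIn('os-flavor-access:is_public', resp['flavor'])
-
- def test_detail_flavor_access_policy_failed(self):
- rule_name = "os_compute_api:os-flavor-access"
- self.policy.set_rules({rule_name: "project:non_fake"})
- resp = self.flavor_controller.detail(self.req)
- self.assertNotIn('os-flavor-access:is_public', resp['flavors'][0])
-
- def test_show_flavor_rxtx_policy_failed(self):
- rule_name = "os_compute_api:os-flavor-rxtx"
- self.policy.set_rules({rule_name: "project:non_fake"})
- resp = self.flavor_controller.show(self.req, '1')
- self.assertNotIn('rxtx_factor', resp['flavor'])
-
- def test_detail_flavor_rxtx_policy_failed(self):
- rule_name = "os_compute_api:os-flavor-rxtx"
- self.policy.set_rules({rule_name: "project:non_fake"})
- resp = self.flavor_controller.detail(self.req)
- self.assertNotIn('rxtx_factor', resp['flavors'][0])
-
- def test_create_flavor_extended_policy_failed(self):
- rules = {"os_compute_api:os-flavor-rxtx": "project:non_fake",
- "os_compute_api:os-flavor-access": "project:non_fake"}
- self.policy.set_rules(rules)
- resp = self.flavor_controller.detail(self.req)
- self.assertNotIn('rxtx_factor', resp['flavors'][0])
-
- def test_update_flavor_extended_policy_failed(self):
- rules = {"os_compute_api:os-flavor-rxtx": "project:non_fake",
- "os_compute_api:os-flavor-access": "project:non_fake"}
- self.policy.set_rules(rules)
- resp = self.flavor_controller.detail(self.req)
- self.assertNotIn('rxtx_factor', resp['flavors'][0])
-
-
 class DisabledFlavorsWithRealDBTestV21(test.TestCase):
  """Tests that disabled flavors should not be shown nor listed."""
  Controller = flavors_v21.FlavorsController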
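--- a/nova/tests/unit/api/openstack/compute/test_security_groups.py
+++ b/nova/tests/unit/api/openstack/compute/test_security_groups.py
@@ -21,7 +21,6 @@ import webob
 
 from nova.api.openstack.compute import security_groups as \
  secgroups_v21
-from nova.api.openstack import wsgi
 from nova import compute
 from nova.compute import power_state
 from nova import context as context_maker
@@ -1537,56 +1536,6 @@ class SecurityGroupsOutputTestV21(test.TestCase):
  self.assertEqual(res.status_int, 404)
 
 
-class SecurityGroupsOutputPolicyEnforcementV21(test.NoDBTestCase):
-
- def setUp(self):
- super(SecurityGroupsOutputPolicyEnforcementV21, self).setUp()
- self.controller = secgroups_v21.SecurityGroupsOutputController()
- self.req = fakes.HTTPRequest.blank('')
- self.rule_name = "os_compute_api:os-security-groups"
- self.rule = {self.rule_name: "project:non_fake"}
- self.policy.set_rules(self.rule)
- self.fake_res = wsgi.ResponseObject({
- 'server': {'id': '0'},
- 'servers': [{'id': '0'}, {'id': '2'}]})
-
- @mock.patch('nova.policy.authorize')
- def test_show_policy_softauth_is_called(self, mock_authorize):
- mock_authorize.return_value = False
- self.controller.show(self.req, self.fake_res, FAKE_UUID1)
- self.assertTrue(mock_authorize.called)
-
- @mock.patch.object(nova.network.security_group.openstack_driver,
- "is_neutron_security_groups")
- def test_show_policy_failed(self, is_neutron_security_groups):
- self.controller.show(self.req, self.fake_res, FAKE_UUID1)
- self.assertFalse(is_neutron_security_groups.called)
-
- @mock.patch('nova.policy.authorize')
- def test_create_policy_softauth_is_called(self, mock_authorize):
- mock_authorize.return_value = False
- self.controller.show(self.req, self.fake_res, {})
- self.assertTrue(mock_authorize.called)
-
- @mock.patch.object(nova.network.security_group.openstack_driver,
- "is_neutron_security_groups")
- def test_create_policy_failed(self, is_neutron_security_groups):
- self.controller.create(self.req, self.fake_res, {})
- self.assertFalse(is_neutron_security_groups.called)
-
- @mock.patch('nova.policy.authorize')
- def test_detail_policy_softauth_is_called(self, mock_authorize):
- mock_authorize.return_value = False
- self.controller.detail(self.req, self.fake_res)
- self.assertTrue(mock_authorize.called)
-
- @mock.patch.object(nova.network.security_group.openstack_driver,
- "is_neutron_security_groups")
- def test_detail_policy_failed(self, is_neutron_security_groups):
- self.controller.detail(self.req, self.fake_res)
- self.assertFalse(is_neutron_security_groups.called)
-
-
 class PolicyEnforcementV21(test.NoDBTestCase):
 
  def setUp(self):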
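--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@@ -368,7 +368,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-suspend-server:resume",
 "os_compute_api:os-tenant-networks",
 "os_compute_api:extensions",
-"os_compute_api:os-config-drive",
 "os_compute_api:servers:confirm_resize",
 "os_compute_api:servers:create",
 "os_compute_api:servers:create:attach_network",
@@ -398,26 +397,19 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-console-output",
 "os_compute_api:os-remote-consoles",
 "os_compute_api:os-deferred-delete",
-"os_compute_api:os-extended-status",
-"os_compute_api:os-extended-availability-zone",
-"os_compute_api:os-extended-volumes",
 "os_compute_api:os-flavor-access",
-"os_compute_api:os-flavor-rxtx",
 "os_compute_api:flavors",
 "os_compute_api:os-flavor-extra-specs:index",
 "os_compute_api:os-flavor-extra-specs:show",
 "os_compute_api:os-floating-ip-pools",
 "os_compute_api:os-floating-ips",
-"os_compute_api:image-size",
 "os_compute_api:os-instance-actions",
-"os_compute_api:os-keypairs",
 "os_compute_api:limits",
 "os_compute_api:os-multinic",
 "os_compute_api:os-networks:view",
 "os_compute_api:os-rescue",
 "os_compute_api:os-security-groups",
 "os_compute_api:os-server-password",
-"os_compute_api:os-server-usage",
 "os_compute_api:os-server-groups",
 "os_compute_api:os-server-tags:delete",
 "os_compute_api:os-server-tags:delete_all",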
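--- /dev/null
+++ b/releasenotes/notes/remove-deprecated-api-extensions-policies-311846b2eb839a22.yaml
@@ -0,0 +1,26 @@
+---
+upgrade:
+ - |
+ The following deprecated Policy Rules have been removed:
+
+ - Show & List server details
+
+ - os_compute_api:os-config-drive
+ - os_compute_api:os-extended-availability-zone
+ - os_compute_api:os-extended-status
+ - os_compute_api:os-extended-volumes
+ - os_compute_api:os-keypairs
+ - os_compute_api:os-server-usage
+ - os_compute_api:os-security-groups (only from /servers APIs)
+
+ - Create, Update, Show & List flavor details
+
+ - os_compute_api:os-flavor-rxtx
+ - os_compute_api:os-flavor-access (only from /flavors APIs)
+
+ - Show & List image details
+
+ - os_compute_api:image-size
+
+ These were deprecated in the 17.0.0 release as nova removed the concept
+ of API extensions.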