Introduce scope_types in security groups policy
oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level. - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html Appropriate scope_type for nova case: - https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope This commit introduce scope_type for security groups API policies as: - ['system', 'project'] for security groups policy. Also adds the test case with scope_type enabled and verify we pass and fail the policy check with expected context. Partial implement blueprint policy-defaults-refresh Change-Id: Idf504dee1280017f3a39ad7d9c71110476fe9b45
This commit is contained in:
parent
f365955f9b
commit
5112e1687f
|
@ -23,9 +23,9 @@ BASE_POLICY_NAME = 'os_compute_api:os-security-groups'
|
|||
|
||||
security_groups_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
BASE_POLICY_NAME,
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
"""List, show, add, or remove security groups.
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="""List, show, add, or remove security groups.
|
||||
|
||||
APIs which are directly related to security groups resource are deprecated:
|
||||
Lists, shows information for, creates, updates and deletes
|
||||
|
@ -35,40 +35,41 @@ APIs are deprecated.
|
|||
APIs which are related to server resource are not deprecated:
|
||||
Lists Security Groups for a server. Add Security Group to a server
|
||||
and remove security group from a server.""",
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/os-security-groups'
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/os-security-groups/{security_group_id}'
|
||||
},
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/os-security-groups'
|
||||
},
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/os-security-groups/{security_group_id}'
|
||||
},
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/os-security-groups/{security_group_id}'
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/servers/{server_id}/os-security-groups'
|
||||
},
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/servers/{server_id}/action (addSecurityGroup)'
|
||||
},
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/servers/{server_id}/action (removeSecurityGroup)'
|
||||
},
|
||||
],
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/os-security-groups'
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/os-security-groups/{security_group_id}'
|
||||
},
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/os-security-groups'
|
||||
},
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/os-security-groups/{security_group_id}'
|
||||
},
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/os-security-groups/{security_group_id}'
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/servers/{server_id}/os-security-groups'
|
||||
},
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/servers/{server_id}/action (addSecurityGroup)'
|
||||
},
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/servers/{server_id}/action (removeSecurityGroup)'
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
),
|
||||
]
|
||||
|
||||
|
|
Loading…
Reference in New Issue