Add new default roles in server migration policies
This adds new defaults roles in server migration API policies. This policy is default to SYSTEM_ADMIN for POST and SYSTEM_READER for GET policy. Also add tests to simulates the future where we drop the deprecation fall back in the policy by overriding the rules with a version where there are no deprecated rule options. Operators can do the same by adding overrides in their policy files that match the default but stop the rule deprecation fallback from happening. Partial implement blueprint policy-defaults-refresh Change-Id: I325ee0f197b5834718e86d9462b84882dd487f6a
This commit is contained in:
parent
02d4adae71
commit
bc9a97bb2a
|
@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:servers:migrations:%s'
|
|||
servers_migrations_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'show',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
check_str=base.SYSTEM_READER,
|
||||
description="Show details for an in-progress live migration for a "
|
||||
"given server",
|
||||
operations=[
|
||||
|
@ -36,7 +36,7 @@ servers_migrations_policies = [
|
|||
scope_types=['system', 'project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'force_complete',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
description="Force an in-progress live migration for a given server "
|
||||
"to complete",
|
||||
operations=[
|
||||
|
@ -49,7 +49,7 @@ servers_migrations_policies = [
|
|||
scope_types=['system', 'project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'delete',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
description="Delete(Abort) an in-progress live migration",
|
||||
operations=[
|
||||
{
|
||||
|
@ -60,7 +60,7 @@ servers_migrations_policies = [
|
|||
scope_types=['system', 'project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=POLICY_ROOT % 'index',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
check_str=base.SYSTEM_READER,
|
||||
description="Lists in-progress live migrations for a given server",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -21,6 +21,9 @@ policy_data = """
|
|||
"os_compute_api:servers:show:host_status:unknown-only": "",
|
||||
"os_compute_api:servers:allow_all_filters": "",
|
||||
"os_compute_api:servers:migrations:force_complete": "",
|
||||
"os_compute_api:servers:migrations:index": "",
|
||||
"os_compute_api:servers:migrations:show": "",
|
||||
"os_compute_api:servers:migrations:delete": "",
|
||||
"os_compute_api:os-admin-actions:inject_network_info": "",
|
||||
"os_compute_api:os-admin-actions:reset_network": "",
|
||||
"os_compute_api:os-admin-actions:reset_state": "",
|
||||
|
|
|
@ -56,12 +56,24 @@ class ServerMigrationsPolicyTest(base.BasePolicyTest):
|
|||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
# Check that system-reader are able to perform operations
|
||||
# for server migrations.
|
||||
self.reader_authorized_contexts = [
|
||||
self.system_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.legacy_admin_context,
|
||||
self.project_admin_context]
|
||||
# Check that non-system-reader are not able to perform operations
|
||||
# for server migrations.
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.project_foo_context, self.project_member_context,
|
||||
self.project_reader_context]
|
||||
|
||||
@mock.patch('nova.compute.api.API.get_migrations_in_progress_by_instance')
|
||||
def test_list_server_migrations_policy(self, mock_get):
|
||||
rule_name = policies.POLICY_ROOT % 'index'
|
||||
self.common_policy_check(self.admin_authorized_contexts,
|
||||
self.admin_unauthorized_contexts,
|
||||
self.common_policy_check(self.reader_authorized_contexts,
|
||||
self.reader_unauthorized_contexts,
|
||||
rule_name, self.controller.index,
|
||||
self.req, self.instance.uuid)
|
||||
|
||||
|
@ -71,8 +83,8 @@ class ServerMigrationsPolicyTest(base.BasePolicyTest):
|
|||
rule_name = policies.POLICY_ROOT % 'show'
|
||||
mock_show.return_value = {"migration_type": "live-migration",
|
||||
"status": "running"}
|
||||
self.common_policy_check(self.admin_authorized_contexts,
|
||||
self.admin_unauthorized_contexts,
|
||||
self.common_policy_check(self.reader_authorized_contexts,
|
||||
self.reader_unauthorized_contexts,
|
||||
rule_name, self.controller.show,
|
||||
self.req, self.instance.uuid, 11111)
|
||||
|
||||
|
@ -107,3 +119,40 @@ class ServerMigrationsScopeTypePolicyTest(ServerMigrationsPolicyTest):
|
|||
def setUp(self):
|
||||
super(ServerMigrationsScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
|
||||
|
||||
class ServerMigrationsNoLegacyPolicyTest(ServerMigrationsScopeTypePolicyTest):
|
||||
"""Test Server Migrations APIs policies with system scope enabled,
|
||||
and no more deprecated rules.
|
||||
"""
|
||||
without_deprecated_rules = True
|
||||
|
||||
def setUp(self):
|
||||
super(ServerMigrationsNoLegacyPolicyTest, self).setUp()
|
||||
# Check that admin is able to perform operations
|
||||
# for server migrations.
|
||||
self.admin_authorized_contexts = [
|
||||
self.system_admin_context
|
||||
]
|
||||
# Check that non-admin is not able to perform operations
|
||||
# for server migrations.
|
||||
self.admin_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context,
|
||||
self.other_project_member_context
|
||||
]
|
||||
# Check that system reader is able to perform operations
|
||||
# for server migrations.
|
||||
self.reader_authorized_contexts = [
|
||||
self.system_admin_context, self.system_member_context,
|
||||
self.system_reader_context]
|
||||
# Check that non-system-reader is not able to perform operations
|
||||
# for server migrations.
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.system_foo_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
|
|
@ -363,8 +363,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"os_compute_api:os-server-external-events:create",
|
||||
"os_compute_api:os-volumes-attachments:update",
|
||||
"os_compute_api:servers:create:zero_disk_flavor",
|
||||
"os_compute_api:servers:migrations:index",
|
||||
"os_compute_api:servers:migrations:show",
|
||||
)
|
||||
|
||||
self.admin_or_owner_rules = (
|
||||
|
@ -455,6 +453,8 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
)
|
||||
|
||||
self.system_reader_rules = (
|
||||
"os_compute_api:servers:migrations:index",
|
||||
"os_compute_api:servers:migrations:show",
|
||||
"os_compute_api:os-migrations:index",
|
||||
"os_compute_api:os-services:list",
|
||||
"os_compute_api:os-instance-actions:events:details",
|
||||
|
|
Loading…
Reference in New Issue