authorGhanshyam Mann <gmann@ghanshyammann.com>2020-04-13 19:10:26 -0500
committerGhanshyam Mann <gmann@ghanshyammann.com>2020-04-18 12:47:42 -0500
commit75f531d748aa9cf453c3c45056479b0501f19424 (patch)
tree39dc0e2894d5b4e264a1cde25b101a8eecfc7783
parent19eeacfa727b85c328c25a75d369082694cccc6d (diff)
Introduce scope_types in servers attributes Policies
oslo.policy introduced the scope_type feature, which can control the access level at system level and project level. - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html Appropriate scope_type for the nova case: - https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope This commit introduces scope_type for the server extended attributes and host_status policies as 'system' and 'project'. It also adds the test case with scope_type enabled and verifies that we pass and fail the policy check with the expected context. Partial implement blueprint policy-defaults-refresh Change-Id: I06cd5bd497ef287ccc279672a71e36b2d4bc2adc
-rw-r--r--nova/policies/extended_server_attributes.py11
-rw-r--r--nova/policies/servers.py22
-rw-r--r--nova/tests/unit/policies/test_servers.py11
3 files changed, 25 insertions, 19 deletions
diff --git a/nova/policies/extended_server_attributes.py b/nova/policies/extended_server_attributes.py
index 40abacb99a..ab925f7c44 100644
--- a/nova/policies/extended_server_attributes.py
+++ b/nova/policies/extended_server_attributes.py
@@ -23,9 +23,9 @@ BASE_POLICY_NAME = 'os_compute_api:os-extended-server-attributes'
extended_server_attributes_policies = [
policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_API,
- """Return extended attributes for server.
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API,
+ description="""Return extended attributes for server.
This rule will control the visibility for a set of servers attributes:
@@ -43,7 +43,7 @@ Microvision 2.75 added the above attributes in the ``PUT /servers/{server_id}``
and ``POST /servers/{server_id}/action (rebuild)`` API responses which are
also controlled by this policy rule, like the ``GET /servers*`` APIs.
""",
- [
+ operations=[
{
'method': 'GET',
'path': '/servers/{id}'
@@ -60,7 +60,8 @@ also controlled by this policy rule, like the ``GET /servers*`` APIs.
'method': 'POST',
'path': '/servers/{server_id}/action (rebuild)'
}
- ]
+ ],
+ scope_types=['system', 'project']
),
]
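Review bot: The new `scope_types=['system', 'project']` on the last line of the hunk sits on a rule whose `check_str` stays `base.RULE_ADMIN_API`, while the scope-type test hunk in test_servers.py lists only `self.system_admin_context` as authorized and puts `self.project_admin_context` in the unauthorized list, so a reader cannot tell from this file which project-scoped caller the 'project' entry is meant to admit. A one-line comment above it would save that cross-reference, e.g. `# 'project' lets project-scoped tokens reach the rule check; the admin check_str still decides the outcome` — assuming that is the rationale, which the policy-defaults-refresh spec linked in the description presumably settles. The same applies to the two `scope_types` additions in servers.py (the `show:host_status` and `show:host_status:unknown-only` hunks).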
diff --git a/nova/policies/servers.py b/nova/policies/servers.py
index cf1bd2b9db..5c3b4078e8 100644
--- a/nova/policies/servers.py
+++ b/nova/policies/servers.py
@@ -98,9 +98,9 @@ rules = [
# the details in host_status are pretty sensitive, only admins
# should do that by default.
policy.DocumentedRuleDefault(
- SERVERS % 'show:host_status',
- base.RULE_ADMIN_API,
- """
+ name=SERVERS % 'show:host_status',
+ check_str=base.RULE_ADMIN_API,
+ description="""
Show a server with additional host status information.
This means host_status will be shown irrespective of status value. If showing
@@ -112,7 +112,7 @@ Microvision 2.75 added the ``host_status`` attribute in the
API responses which are also controlled by this policy rule, like the
``GET /servers*`` APIs.
""",
- [
+ operations=[
{
'method': 'GET',
'path': '/servers/{server_id}'
@@ -129,11 +129,12 @@ API responses which are also controlled by this policy rule, like the
'method': 'POST',
'path': '/servers/{server_id}/action (rebuild)'
}
- ]),
+ ],
+ scope_types=['system', 'project']),
policy.DocumentedRuleDefault(
- SERVERS % 'show:host_status:unknown-only',
- base.RULE_ADMIN_API,
- """
+ name=SERVERS % 'show:host_status:unknown-only',
+ check_str=base.RULE_ADMIN_API,
+ description="""
Show a server with additional host status information, only if host status is
UNKNOWN.
@@ -144,7 +145,7 @@ request. An example policy configuration could be where the
the ``os_compute_api:servers:show:host_status:unknown-only`` rule is set to
allow everyone.
""",
- [
+ operations=[
{
'method': 'GET',
'path': '/servers/{server_id}'
@@ -161,7 +162,8 @@ allow everyone.
'method': 'POST',
'path': '/servers/{server_id}/action (rebuild)'
}
- ]),
+ ],
+ scope_types=['system', 'project'],),
policy.DocumentedRuleDefault(
name=SERVERS % 'create',
check_str=base.PROJECT_MEMBER,
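Review bot: The `scope_types=['system', 'project'],),` line in this hunk carries a trailing comma before the closing paren, whereas the same addition in the `show:host_status` hunk above is written `scope_types=['system', 'project']),` and the extended_server_attributes.py hunk puts the closing paren on its own line; one form should be used throughout, since the three rules are otherwise written identically. The surrounding `policy.DocumentedRuleDefault(` calls that already use keyword arguments (the `create` rule just below) are a reasonable model to follow.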
diff --git a/nova/tests/unit/policies/test_servers.py b/nova/tests/unit/policies/test_servers.py
index a09394d7a2..57409fd451 100644
--- a/nova/tests/unit/policies/test_servers.py
+++ b/nova/tests/unit/policies/test_servers.py
@@ -142,11 +142,13 @@ class ServersPolicyTest(base.BasePolicyTest):
self.other_project_reader_context]
self.everyone_unauthorized_contexts = [
]
- # Check that admin is able to create server with host request.
+ # Check that admin is able to create server with host request
+ # and get server extended attributes or host status.
self.admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context]
- # Check that non-admin is not able to create server with host request.
+ # Check that non-admin is not able to create server with host request
+ # and get server extended attributes or host status.
self.admin_unauthorized_contexts = [
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.project_member_context,
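Review bot: The comment now says these contexts also cover "get server extended attributes or host status", but neither this hunk nor the second test_servers.py hunk adds a test method, and the diffstat for this file is comment-only, so the description's claim that the commit "adds the test case with scope_type enabled" is not visible in the diff. If the extended-attributes and host_status checks are already exercised elsewhere through `self.admin_authorized_contexts`, it would help to name that test in the comment; otherwise the description overstates what is here. The enclosing setUp methods start before each hunk.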
@@ -1159,12 +1161,13 @@ class ServersScopeTypePolicyTest(ServersPolicyTest):
self.rule_attach_network = None
self.rule_attach_volume = None
- # Check that system admin is able to create server with host request.
+ # Check that system admin is able to create server with host request
+ # and get server extended attributes or host status.
self.admin_authorized_contexts = [
self.system_admin_context
]
# Check that non-system/admin is not able to create server with
- # host request.
+ # host request and get server extended attributes or host status.
self.admin_unauthorized_contexts = [
self.project_admin_context, self.legacy_admin_context,
self.system_member_context, self.system_reader_context,