author | Ghanshyam Mann <gmann@ghanshyammann.com> | 2020-04-13 19:10:26 -0500 |
committer | Ghanshyam Mann <gmann@ghanshyammann.com> | 2020-04-18 12:47:42 -0500 |
commit | 75f531d748aa9cf453c3c45056479b0501f19424 (patch) | |
tree | 39dc0e2894d5b4e264a1cde25b101a8eecfc7783 | |
parent | 19eeacfa727b85c328c25a75d369082694cccc6d (diff) | |
Introduce scope_types in servers attributes Policies
oslo.policy introduced the scope_type feature which can
control the access level at system-level and project-level.
- https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
- http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
Appropriate scope_type for nova case:
- https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope
This commit introduces scope_type for the server extended attributes and
host_status policies as 'system' and 'project'.
Also adds the test case with scope_type enabled and verify we
pass and fail the policy check with expected context.
Partial implement blueprint policy-defaults-refresh
Change-Id: I06cd5bd497ef287ccc279672a71e36b2d4bc2adc
-rw-r--r-- | nova/policies/extended_server_attributes.py | 11 | ||||
-rw-r--r-- | nova/policies/servers.py | 22 | ||||
-rw-r--r-- | nova/tests/unit/policies/test_servers.py | 11 |
3 files changed, 25 insertions, 19 deletions
diff --git a/nova/policies/extended_server_attributes.py b/nova/policies/extended_server_attributes.py index 40abacb99a..ab925f7c44 100644 --- a/nova/policies/extended_server_attributes.py +++ b/nova/policies/extended_server_attributes.py @@ -23,9 +23,9 @@ BASE_POLICY_NAME = 'os_compute_api:os-extended-server-attributes' extended_server_attributes_policies = [ policy.DocumentedRuleDefault( - BASE_POLICY_NAME, - base.RULE_ADMIN_API, - """Return extended attributes for server. + name=BASE_POLICY_NAME, + check_str=base.RULE_ADMIN_API, + description="""Return extended attributes for server. This rule will control the visibility for a set of servers attributes: @@ -43,7 +43,7 @@ Microvision 2.75 added the above attributes in the ``PUT /servers/{server_id}`` and ``POST /servers/{server_id}/action (rebuild)`` API responses which are also controlled by this policy rule, like the ``GET /servers*`` APIs. """, - [ + operations=[ { 'method': 'GET', 'path': '/servers/{id}' @@ -60,7 +60,8 @@ also controlled by this policy rule, like the ``GET /servers*`` APIs. 'method': 'POST', 'path': '/servers/{server_id}/action (rebuild)' } - ] + ], + scope_types=['system', 'project'] ), ] diff --git a/nova/policies/servers.py b/nova/policies/servers.py index cf1bd2b9db..5c3b4078e8 100644 --- a/nova/policies/servers.py +++ b/nova/policies/servers.py @@ -98,9 +98,9 @@ rules = [ # the details in host_status are pretty sensitive, only admins # should do that by default. policy.DocumentedRuleDefault( - SERVERS % 'show:host_status', - base.RULE_ADMIN_API, - """ + name=SERVERS % 'show:host_status', + check_str=base.RULE_ADMIN_API, + description=""" Show a server with additional host status information. This means host_status will be shown irrespective of status value. If showing 
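Review bot: The `scope_types=['system', 'project']` added in the `@@ -60,7 +60,8 @@` hunk widens which token scopes may present to this rule without tightening the rule itself, since `check_str` stays `base.RULE_ADMIN_API`. If that rule resolves to a plain admin-role check (its definition is not in this diff), a project-scoped admin token passes both the scope check and the rule once `enforce_scope` is on, so the host- and hypervisor-level attributes this policy guards are not confined to system scope by this change. The scope-type test later in this commit lists `project_admin_context` under `admin_unauthorized_contexts`, which only holds if the rule itself rejects project scope. Either narrow this to `scope_types=['system']` or keep the project scope and pair it with a system-scoped check string such as `role:admin and system_scope:all`, and say in the description which audience is intended.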
@@ -112,7 +112,7 @@ Microvision 2.75 added the ``host_status`` attribute in the API responses which are also controlled by this policy rule, like the ``GET /servers*`` APIs. """, - [ + operations=[ { 'method': 'GET', 'path': '/servers/{server_id}' @@ -129,11 +129,12 @@ API responses which are also controlled by this policy rule, like the 'method': 'POST', 'path': '/servers/{server_id}/action (rebuild)' } - ]), + ], + scope_types=['system', 'project']), policy.DocumentedRuleDefault( - SERVERS % 'show:host_status:unknown-only', - base.RULE_ADMIN_API, - """ + name=SERVERS % 'show:host_status:unknown-only', + check_str=base.RULE_ADMIN_API, + description=""" Show a server with additional host status information, only if host status is UNKNOWN. @@ -144,7 +145,7 @@ request. An example policy configuration could be where the the ``os_compute_api:servers:show:host_status:unknown-only`` rule is set to allow everyone. """, - [ + operations=[ { 'method': 'GET', 'path': '/servers/{server_id}' @@ -161,7 +162,8 @@ allow everyone. 'method': 'POST', 'path': '/servers/{server_id}/action (rebuild)' } - ]), + ], + scope_types=['system', 'project'],), policy.DocumentedRuleDefault( name=SERVERS % 'create', check_str=base.PROJECT_MEMBER, diff --git a/nova/tests/unit/policies/test_servers.py b/nova/tests/unit/policies/test_servers.py index a09394d7a2..57409fd451 100644 --- a/nova/tests/unit/policies/test_servers.py +++ b/nova/tests/unit/policies/test_servers.py 
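Review bot: In the `@@ -129,11 +129,12 @@` hunk `scope_types=['system', 'project']` is attached to the `show:host_status` rule whose surrounding comment (visible in the `@@ -98` hunk) says the details are "pretty sensitive" and admin-only, while `check_str` is still `base.RULE_ADMIN_API`. With `enforce_scope` enabled a project-scoped token now satisfies the scope check, so whether a project admin can read `host_status` depends entirely on how `RULE_ADMIN_API` is defined in base.py, which this diff does not show. If the intent is system operators only, `scope_types=['system']` expresses it directly; if project-scoped admins are meant to see it, the comment should say so, e.g. `# host_status reveals host placement: system- or project-scoped admins only.`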
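Review bot: The `@@ -161,7 +162,8 @@` hunk closes the `unknown-only` rule with `scope_types=['system', 'project'],),` — a stray trailing comma before `)` that the sibling rule in the `@@ -129` hunk does not have; use `scope_types=['system', 'project']),` for consistency. For this rule the project scope is consistent with its own description, which explicitly allows an operator to open it to everyone.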
@@ -142,11 +142,13 @@ class ServersPolicyTest(base.BasePolicyTest): self.other_project_reader_context] self.everyone_unauthorized_contexts = [ ] - # Check that admin is able to create server with host request. + # Check that admin is able to create server with host request + # and get server extended attributes or host status. self.admin_authorized_contexts = [ self.legacy_admin_context, self.system_admin_context, self.project_admin_context] - # Check that non-admin is not able to create server with host request. + # Check that non-admin is not able to create server with host request + # and get server extended attributes or host status. self.admin_unauthorized_contexts = [ self.system_member_context, self.system_reader_context, self.system_foo_context, self.project_member_context, @@ -1159,12 +1161,13 @@ class ServersScopeTypePolicyTest(ServersPolicyTest): self.rule_attach_network = None self.rule_attach_volume = None - # Check that system admin is able to create server with host request. + # Check that system admin is able to create server with host request + # and get server extended attributes or host status. self.admin_authorized_contexts = [ self.system_admin_context ] # Check that non-system/admin is not able to create server with - # host request. + # host request and get server extended attributes or host status. self.admin_unauthorized_contexts = [ self.project_admin_context, self.legacy_admin_context, self.system_member_context, self.system_reader_context, |
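Review bot: The reworded comments in the `@@ -142,11 +142,13 @@` hunk make `admin_authorized_contexts` / `admin_unauthorized_contexts` the expectation list for three different policies (forced-host create, extended attributes, host_status), but nothing in this hunk shows the tests that consume them for the two new cases; if they live elsewhere in the file that is fine, otherwise the comment overstates coverage. Sharing one context list across rules also means their expectations cannot diverge later, e.g. if host_status is opened to project readers while forced-host create stays admin-only; a per-policy list such as `self.extended_attr_authorized_contexts` keeps that flexible. The enclosing `setUp` starts outside this hunk, so the rest of the fixture was not reviewed.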