Merge "Add new default roles in quota class policies"

author: Zuul <zuul@review.opendev.org> 2020-04-21 08:39:41 +0000
committer: Gerrit Code Review <review@openstack.org> 2020-04-21 08:39:41 +0000
commit: 9d88f821df7be2eb7153883f9dd1ec55051ab0ff (patch)
tree: 83b8aed096f897bd89936b48e395c52ad92af421
parent: 418eb770fcd039612eadc72d2b7e19985428acd6 (diff)
parent: b32860b7732d4f7e6dfc1cf2b10e558ba2c14b4d (diff)
download: nova-9d88f821df7be2eb7153883f9dd1ec55051ab0ff.tar.gz
2 files changed, 39 insertions, 6 deletions
diff --git a/nova/policies/quota_class_sets.py b/nova/policies/quota_class_sets.py
index 81841489a3..5a41a79bec 100644
--- a/nova/policies/quota_class_sets.py
+++ b/nova/policies/quota_class_sets.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-class-sets:%s'
 quota_class_sets_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'show',
-        check_str='is_admin:True or quota_class:%(quota_class)s',
+        check_str=base.SYSTEM_READER,
         description="List quotas for specific quota classs",
         operations=[
             {
@@ -35,7 +35,7 @@ quota_class_sets_policies = [
         scope_types=['system']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'update',
-        check_str=base.RULE_ADMIN_API,
+        check_str=base.SYSTEM_ADMIN,
         description='Update quotas for specific quota class',
         operations=[
             {
diff --git a/nova/tests/unit/policies/test_quota_class_sets.py b/nova/tests/unit/policies/test_quota_class_sets.py
index 71471fae42..4f9b228bc8 100644
--- a/nova/tests/unit/policies/test_quota_class_sets.py
+++ b/nova/tests/unit/policies/test_quota_class_sets.py
@@ -31,17 +31,28 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest):
         self.controller = quota_classes.QuotaClassSetsController()
         self.req = fakes.HTTPRequest.blank('')
 
-        # Check that admin is able to update and get quota class
+        # Check that admin is able to update quota class
         self.admin_authorized_contexts = [
             self.legacy_admin_context, self.system_admin_context,
             self.project_admin_context]
-        # Check that non-admin is not able to update and get quota class
+        # Check that non-admin is not able to update quota class
         self.admin_unauthorized_contexts = [
             self.system_member_context, self.system_reader_context,
             self.system_foo_context, self.project_member_context,
             self.project_reader_context, self.project_foo_context,
             self.other_project_member_context
         ]
+        # Check that system reader is able to get quota class
+        self.system_reader_authorized_contexts = [
+            self.legacy_admin_context, self.system_admin_context,
+            self.project_admin_context, self.system_member_context,
+            self.system_reader_context]
+        # Check that non-system reader is not able to get quota class
+        self.system_reader_unauthorized_contexts = [
+            self.system_foo_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context,
+            self.other_project_member_context
+        ]
 
     @mock.patch('nova.objects.Quotas.update_class')
     def test_update_quota_class_sets_policy(self, mock_update):
@@ -61,8 +72,8 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest):
     @mock.patch('nova.quota.QUOTAS.get_class_quotas')
     def test_show_quota_class_sets_policy(self, mock_get):
         rule_name = policies.POLICY_ROOT % 'show'
-        self.common_policy_check(self.admin_authorized_contexts,
-                                 self.admin_unauthorized_contexts,
+        self.common_policy_check(self.system_reader_authorized_contexts,
+                                 self.system_reader_unauthorized_contexts,
                                  rule_name,
                                  self.controller.show,
                                  self.req, 'test_class')
@@ -92,3 +103,25 @@ class QuotaClassSetsScopeTypePolicyTest(QuotaClassSetsPolicyTest):
             self.project_reader_context, self.project_foo_context,
             self.other_project_member_context
         ]
+        # Check that system reader is able to get quota class
+        self.system_reader_authorized_contexts = [
+            self.system_admin_context, self.system_member_context,
+            self.system_reader_context]
+        # Check that non-system reader is not able to get quota class
+        self.system_reader_unauthorized_contexts = [
+            self.legacy_admin_context, self.project_admin_context,
+            self.system_foo_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context,
+            self.other_project_member_context
+        ]
+
+
+class QuotaClassSetsNoLegacyPolicyTest(QuotaClassSetsScopeTypePolicyTest):
+    """Test Quota Class Sets APIs policies with system scope enabled,
+    and no more deprecated rules that allow the legacy admin API to
+    access system APIs.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(QuotaClassSetsNoLegacyPolicyTest, self).setUp()
author	Zuul <zuul@review.opendev.org>	2020-04-21 08:39:41 +0000
committer	Gerrit Code Review <review@openstack.org>	2020-04-21 08:39:41 +0000
commit	9d88f821df7be2eb7153883f9dd1ec55051ab0ff (patch)
tree	83b8aed096f897bd89936b48e395c52ad92af421
parent	418eb770fcd039612eadc72d2b7e19985428acd6 (diff)
parent	b32860b7732d4f7e6dfc1cf2b10e558ba2c14b4d (diff)
download	nova-9d88f821df7be2eb7153883f9dd1ec55051ab0ff.tar.gz