diff options
author | Zuul <zuul@review.opendev.org> | 2020-04-21 08:39:41 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2020-04-21 08:39:41 +0000 |
commit | 9d88f821df7be2eb7153883f9dd1ec55051ab0ff (patch) | |
tree | 83b8aed096f897bd89936b48e395c52ad92af421 | |
parent | 418eb770fcd039612eadc72d2b7e19985428acd6 (diff) | |
parent | b32860b7732d4f7e6dfc1cf2b10e558ba2c14b4d (diff) | |
download | nova-9d88f821df7be2eb7153883f9dd1ec55051ab0ff.tar.gz |
Merge "Add new default roles in quota class policies"
-rw-r--r-- | nova/policies/quota_class_sets.py | 4 | ||||
-rw-r--r-- | nova/tests/unit/policies/test_quota_class_sets.py | 41 |
2 files changed, 39 insertions, 6 deletions
diff --git a/nova/policies/quota_class_sets.py b/nova/policies/quota_class_sets.py index 81841489a3..5a41a79bec 100644 --- a/nova/policies/quota_class_sets.py +++ b/nova/policies/quota_class_sets.py @@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-class-sets:%s' quota_class_sets_policies = [ policy.DocumentedRuleDefault( name=POLICY_ROOT % 'show', - check_str='is_admin:True or quota_class:%(quota_class)s', + check_str=base.SYSTEM_READER, description="List quotas for specific quota classs", operations=[ { @@ -35,7 +35,7 @@ quota_class_sets_policies = [ scope_types=['system']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'update', - check_str=base.RULE_ADMIN_API, + check_str=base.SYSTEM_ADMIN, description='Update quotas for specific quota class', operations=[ { diff --git a/nova/tests/unit/policies/test_quota_class_sets.py b/nova/tests/unit/policies/test_quota_class_sets.py index 71471fae42..4f9b228bc8 100644 --- a/nova/tests/unit/policies/test_quota_class_sets.py +++ b/nova/tests/unit/policies/test_quota_class_sets.py @@ -31,17 +31,28 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest): self.controller = quota_classes.QuotaClassSetsController() self.req = fakes.HTTPRequest.blank('') - # Check that admin is able to update and get quota class + # Check that admin is able to update quota class self.admin_authorized_contexts = [ self.legacy_admin_context, self.system_admin_context, self.project_admin_context] - # Check that non-admin is not able to update and get quota class + # Check that non-admin is not able to update quota class self.admin_unauthorized_contexts = [ self.system_member_context, self.system_reader_context, self.system_foo_context, self.project_member_context, self.project_reader_context, self.project_foo_context, self.other_project_member_context ] + # Check that system reader is able to get quota class + self.system_reader_authorized_contexts = [ + self.legacy_admin_context, self.system_admin_context, + self.project_admin_context, self.system_member_context, + self.system_reader_context] + # Check that non-system reader is not able to get quota class + self.system_reader_unauthorized_contexts = [ + self.system_foo_context, self.project_member_context, + self.project_reader_context, self.project_foo_context, + self.other_project_member_context + ] @mock.patch('nova.objects.Quotas.update_class') def test_update_quota_class_sets_policy(self, mock_update): @@ -61,8 +72,8 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest): @mock.patch('nova.quota.QUOTAS.get_class_quotas') def test_show_quota_class_sets_policy(self, mock_get): rule_name = policies.POLICY_ROOT % 'show' - self.common_policy_check(self.admin_authorized_contexts, - self.admin_unauthorized_contexts, + self.common_policy_check(self.system_reader_authorized_contexts, + self.system_reader_unauthorized_contexts, rule_name, self.controller.show, self.req, 'test_class') @@ -92,3 +103,25 @@ class QuotaClassSetsScopeTypePolicyTest(QuotaClassSetsPolicyTest): self.project_reader_context, self.project_foo_context, self.other_project_member_context ] + # Check that system reader is able to get quota class + self.system_reader_authorized_contexts = [ + self.system_admin_context, self.system_member_context, + self.system_reader_context] + # Check that non-system reader is not able to get quota class + self.system_reader_unauthorized_contexts = [ + self.legacy_admin_context, self.project_admin_context, + self.system_foo_context, self.project_member_context, + self.project_reader_context, self.project_foo_context, + self.other_project_member_context + ] + + +class QuotaClassSetsNoLegacyPolicyTest(QuotaClassSetsScopeTypePolicyTest): + """Test Quota Class Sets APIs policies with system scope enabled, + and no more deprecated rules that allow the legacy admin API to + access system APIs. + """ + without_deprecated_rules = True + + def setUp(self): + super(QuotaClassSetsNoLegacyPolicyTest, self).setUp() |