author | Zuul <zuul@review.opendev.org> | 2019-12-26 06:48:34 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2019-12-26 06:48:34 +0000 |
commit | 65aae518f81c2754e30429a3547c5cf62a3cf598 (patch) | |
tree | 3b02fccbe833b410c9eab5ad2166e19f8a3993b0 | |
parent | 029c84e08fa1436cc61cfb3d1bd68dbbbd8027b3 (diff) | |
parent | dfaf229e0050ee65ccf31ec8aefc81b2b4226aea (diff) | |
Merge "Introduce scope_types in Admin Actions"
-rw-r--r-- | nova/policies/admin_actions.py | 9 | ||||
-rw-r--r-- | nova/tests/unit/policies/test_admin_actions.py | 14 |
2 files changed, 20 insertions, 3 deletions
diff --git a/nova/policies/admin_actions.py b/nova/policies/admin_actions.py
index d408581044..7b4bceb756 100644
--- a/nova/policies/admin_actions.py
+++ b/nova/policies/admin_actions.py
@@ -31,7 +31,8 @@ admin_actions_policies = [
 'method': 'POST',
 'path': '/servers/{server_id}/action (os-resetState)'
 }
- ]),
+ ],
+ scope_types=['system']),
 policy.DocumentedRuleDefault(
 POLICY_ROOT % 'inject_network_info',
 base.RULE_ADMIN_API,
@@ -41,7 +42,8 @@ admin_actions_policies = [
 'method': 'POST',
 'path': '/servers/{server_id}/action (injectNetworkInfo)'
 }
- ]),
+ ],
+ scope_types=['system']),
 policy.DocumentedRuleDefault(
 POLICY_ROOT % 'reset_network',
 base.RULE_ADMIN_API,
@@ -51,7 +53,8 @@ admin_actions_policies = [
 'method': 'POST',
 'path': '/servers/{server_id}/action (resetNetwork)'
 }
- ])
+ ],
+ scope_types=['system'])
 ]
diff --git a/nova/tests/unit/policies/test_admin_actions.py b/nova/tests/unit/policies/test_admin_actions.py
index 8611fb2872..bf0356031e 100644
--- a/nova/tests/unit/policies/test_admin_actions.py
+++ b/nova/tests/unit/policies/test_admin_actions.py
@@ -97,3 +97,17 @@ class AdminActionsScopeTypePolicyTest(AdminActionsPolicyTest):
 def setUp(self):
 super(AdminActionsScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
+
+ # Check that system admin is able to perform the system level actions
+ # on server.
+ self.admin_authorized_contexts = [
+ self.system_admin_context]
+ # Check that non-system or non-admin is not able to perform the system
+ # level actions on server.
+ self.admin_unauthorized_contexts = [
+ self.legacy_admin_context, self.system_member_context,
+ self.system_reader_context, self.system_foo_context,
+ self.project_admin_context, self.project_member_context,
+ self.other_project_member_context,
+ self.project_foo_context, self.project_reader_context
+ ]
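Review bot: The new `scope_types=['system']` on the first `DocumentedRuleDefault` does not by itself tighten the reset-state action, because the rule's check string is still `base.RULE_ADMIN_API`; scope_types is only enforced once `[oslo_policy]/enforce_scope` is True (the accompanying test sets exactly that), and until an operator flips it a project-scoped admin token is still accepted, with oslo.policy at most logging a scope mismatch as far as I recall. That is worth stating in a comment at the top of `admin_actions_policies`, whose opening line is outside this hunk, e.g. `# scope_types is advisory until [oslo_policy]/enforce_scope is True; RULE_ADMIN_API alone gates these actions until then.` The same applies to the inject_network_info and reset_network hunks in this file.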
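Review bot: The new `self.admin_unauthorized_contexts` list is hand-enumerated, so a context added later to the base fixture would be silently skipped rather than tested; the test methods that consume these two lists live in the parent class outside this hunk, and `setUp` here only populates the attributes. If the base test exposes the complete set of contexts, a one-line assertion in `setUp` that the authorized and unauthorized lists together cover it would catch that drift. A short comment on why `system_member_context` and `system_reader_context` sit in the unauthorized list would also make the expectation explicit, e.g. `# RULE_ADMIN_API still requires role:admin, so system member/reader are rejected even in system scope.`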