authorGhanshyam Mann <gmann@ghanshyammann.com>2020-04-10 15:17:56 -0500
committerGhanshyam Mann <gmann@ghanshyammann.com>2020-04-14 12:41:59 -0500
commitb32860b7732d4f7e6dfc1cf2b10e558ba2c14b4d (patch)
treee1f6ecccb4714185a0276432085b0c469de5ba3e /nova/tests/unit/policies/test_quota_class_sets.py
parent3fc5c250e06d97a19bda1bdbcc024fb3fa2c3133 (diff)
Add new default roles in quota class policies
This adds new default roles in quota class API policies. as SYSTEM_ADMIN

The quota_class is removed from check_str, as it was a half-implemented feature from the Rackspace use case. We do not pass the quota_class in the context or in context.to_policy_values(), so it does not work in the current implementation.

Also add tests that simulate the future where we drop the deprecation fallback in the policy, by overriding the rules with a version that has no deprecated rule options. Operators can do the same by adding overrides in their policy files that match the default but stop the rule deprecation fallback from happening.

Partial implement blueprint policy-defaults-refresh
Change-Id: I03f44320368da40281849ca509b55149e7ff14bf
Diffstat (limited to 'nova/tests/unit/policies/test_quota_class_sets.py')
-rw-r--r--nova/tests/unit/policies/test_quota_class_sets.py41
1 files changed, 37 insertions, 4 deletions
diff --git a/nova/tests/unit/policies/test_quota_class_sets.py b/nova/tests/unit/policies/test_quota_class_sets.py
index 71471fae42..4f9b228bc8 100644
--- a/nova/tests/unit/policies/test_quota_class_sets.py
+++ b/nova/tests/unit/policies/test_quota_class_sets.py
@@ -31,17 +31,28 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest):
self.controller = quota_classes.QuotaClassSetsController()
self.req = fakes.HTTPRequest.blank('')
- # Check that admin is able to update and get quota class
+ # Check that admin is able to update quota class
self.admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context]
- # Check that non-admin is not able to update and get quota class
+ # Check that non-admin is not able to update quota class
self.admin_unauthorized_contexts = [
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_member_context
]
+ # Check that system reader is able to get quota class
+ self.system_reader_authorized_contexts = [
+ self.legacy_admin_context, self.system_admin_context,
+ self.project_admin_context, self.system_member_context,
+ self.system_reader_context]
+ # Check that non-system reader is not able to get quota class
+ self.system_reader_unauthorized_contexts = [
+ self.system_foo_context, self.project_member_context,
+ self.project_reader_context, self.project_foo_context,
+ self.other_project_member_context
+ ]
@mock.patch('nova.objects.Quotas.update_class')
def test_update_quota_class_sets_policy(self, mock_update):
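Review bot: The comment `# Check that system reader is able to get quota class` does not explain why `legacy_admin_context` and `project_admin_context` sit in `system_reader_authorized_contexts`, so a reader can mistake the list for an intended grant of system-level read access to project-scoped admins. Judging by the commit message and by the scope-enabled subclass later in this diff, which moves both contexts to the unauthorized list, they presumably pass here only because scope is not enforced and the deprecated rule fallback still applies. I would say that in the comment, e.g. `# legacy/project admin pass here only while scope is not enforced and the deprecated rule fallback applies`. The enclosing setUp starts above the hunk, so this is based on the visible lists only.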
@@ -61,8 +72,8 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest):
@mock.patch('nova.quota.QUOTAS.get_class_quotas')
def test_show_quota_class_sets_policy(self, mock_get):
rule_name = policies.POLICY_ROOT % 'show'
- self.common_policy_check(self.admin_authorized_contexts,
- self.admin_unauthorized_contexts,
+ self.common_policy_check(self.system_reader_authorized_contexts,
+ self.system_reader_unauthorized_contexts,
rule_name,
self.controller.show,
self.req, 'test_class')
@@ -92,3 +103,25 @@ class QuotaClassSetsScopeTypePolicyTest(QuotaClassSetsPolicyTest):
self.project_reader_context, self.project_foo_context,
self.other_project_member_context
]
+ # Check that system reader is able to get quota class
+ self.system_reader_authorized_contexts = [
+ self.system_admin_context, self.system_member_context,
+ self.system_reader_context]
+ # Check that non-system reader is not able to get quota class
+ self.system_reader_unauthorized_contexts = [
+ self.legacy_admin_context, self.project_admin_context,
+ self.system_foo_context, self.project_member_context,
+ self.project_reader_context, self.project_foo_context,
+ self.other_project_member_context
+ ]
+
+
+class QuotaClassSetsNoLegacyPolicyTest(QuotaClassSetsScopeTypePolicyTest):
+ """Test Quota Class Sets APIs policies with system scope enabled,
+ and no more deprecated rules that allow the legacy admin API to
+ access system APIs.
+ """
+ without_deprecated_rules = True
+
+ def setUp(self):
+ super(QuotaClassSetsNoLegacyPolicyTest, self).setUp()
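Review bot: `QuotaClassSetsNoLegacyPolicyTest.setUp` only forwards to the parent, so the override can be dropped; the class attribute `without_deprecated_rules = True` is the whole difference from the scope-enabled class. Because the authorized and unauthorized lists are inherited unchanged, the docstring should say that the expected outcomes are the same as the parent's, for example by adding `Expected contexts are inherited from the scope-enabled test.` If the override is kept as a place for per-class lists later, `super().setUp()` is enough on Python 3. The first added lines of this hunk belong to QuotaClassSetsScopeTypePolicyTest.setUp, which begins outside the hunk.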