Diffstat (limited to 'nova/tests/unit/policies/test_hosts.py')
-rw-r--r--nova/tests/unit/policies/test_hosts.py160
1 files changed, 53 insertions, 107 deletions
diff --git a/nova/tests/unit/policies/test_hosts.py b/nova/tests/unit/policies/test_hosts.py
index cdce7d2b1c..e07c907cf8 100644
--- a/nova/tests/unit/policies/test_hosts.py
+++ b/nova/tests/unit/policies/test_hosts.py
@@ -10,7 +10,7 @@
# License for the specific language governing permissions and limitations
# under the License.
-import mock
+from unittest import mock
from nova.api.openstack.compute import hosts
from nova.policies import base as base_policy
@@ -32,37 +32,19 @@ class HostsPolicyTest(base.BasePolicyTest):
self.controller = hosts.HostController()
self.req = fakes.HTTPRequest.blank('')
- # Check that admin is able to perform operations on hosts.
- self.system_admin_authorized_contexts = [
- self.system_admin_context, self.legacy_admin_context,
+ # With legacy rule and scope check disabled by default, system admin,
+ # legacy admin, and project admin will be able to perform hosts
+ # Operations.
+ self.project_admin_authorized_contexts = [
+ self.legacy_admin_context, self.system_admin_context,
self.project_admin_context]
- # Check that non-admin is not able to perform operations
- # on hosts.
- self.system_admin_unauthorized_contexts = [
- self.system_member_context, self.system_reader_context,
- self.system_foo_context, self.other_project_member_context,
- self.project_foo_context, self.project_member_context,
- self.project_reader_context, self.other_project_reader_context
- ]
- self.system_reader_authorized_contexts = [
- self.system_admin_context, self.system_member_context,
- self.system_reader_context, self.legacy_admin_context,
- self.project_admin_context
- ]
- self.system_reader_unauthorized_contexts = [
- self.project_foo_context, self.system_foo_context,
- self.project_member_context, self.project_reader_context,
- self.other_project_member_context,
- self.other_project_reader_context
- ]
@mock.patch('nova.compute.api.HostAPI.service_get_all')
def test_list_hosts_policy(self, mock_get):
rule_name = policies.POLICY_NAME % 'list'
- self.common_policy_check(self.system_reader_authorized_contexts,
- self.system_reader_unauthorized_contexts,
- rule_name, self.controller.index,
- self.req)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.index,
+ self.req)
@mock.patch('nova.context.set_target_cell')
@mock.patch('nova.objects.HostMapping.get_by_host')
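Review bot: The rewritten setUp block at the top of the hunk (its `def setUp` header lies before the hunk) drops the explicit unauthorized-context lists, so the negative half of every check in this file now rests on `common_policy_auth` deriving the rejected set from the single authorized list it is given; that helper lives in the base class outside this file, and it is worth confirming it still asserts a rejection for every other context, otherwise the suite would only prove that admins succeed. The replacement comment also reads awkwardly ("hosts Operations"); suggest `# With legacy rules kept and scope checks disabled (the defaults), the system admin, legacy admin and project admin can all perform hosts operations.`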
@@ -71,41 +53,48 @@ class HostsPolicyTest(base.BasePolicyTest):
@mock.patch('nova.compute.api.HostAPI.instance_get_all_by_host')
def test_show_host_policy(self, mock_get, mock_node, mock_map, mock_set):
rule_name = policies.POLICY_NAME % 'show'
- self.common_policy_check(self.system_reader_authorized_contexts,
- self.system_reader_unauthorized_contexts,
- rule_name, self.controller.show,
- self.req, 11111)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.show,
+ self.req, 11111)
def test_update_host_policy(self):
rule_name = policies.POLICY_NAME % 'update'
- self.common_policy_check(self.system_admin_authorized_contexts,
- self.system_admin_unauthorized_contexts,
- rule_name, self.controller.update,
- self.req, 11111, body={})
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.update,
+ self.req, 11111, body={})
@mock.patch('nova.compute.api.HostAPI.host_power_action')
def test_reboot_host_policy(self, mock_action):
rule_name = policies.POLICY_NAME % 'reboot'
- self.common_policy_check(self.system_admin_authorized_contexts,
- self.system_admin_unauthorized_contexts,
- rule_name, self.controller.reboot,
- self.req, 11111)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.reboot,
+ self.req, 11111)
@mock.patch('nova.compute.api.HostAPI.host_power_action')
def test_shutdown_host_policy(self, mock_action):
rule_name = policies.POLICY_NAME % 'shutdown'
- self.common_policy_check(self.system_admin_authorized_contexts,
- self.system_admin_unauthorized_contexts,
- rule_name, self.controller.shutdown,
- self.req, 11111)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.shutdown,
+ self.req, 11111)
@mock.patch('nova.compute.api.HostAPI.host_power_action')
def test_startup_host_policy(self, mock_action):
rule_name = policies.POLICY_NAME % 'start'
- self.common_policy_check(self.system_admin_authorized_contexts,
- self.system_admin_unauthorized_contexts,
- rule_name, self.controller.startup,
- self.req, 11111)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.startup,
+ self.req, 11111)
+
+
+class HostsNoLegacyNoScopePolicyTest(HostsPolicyTest):
+ """Test Hosts APIs policies with no legacy deprecated rules
+ and no scope checks which means new defaults only. In this case
+ system admin, legacy admin, and project admin will be able to perform
+ hosts Operations. Legacy admin will be allowed as policy is just admin
+ if no scope checks.
+
+ """
+
+ without_deprecated_rules = True
class HostsScopeTypePolicyTest(HostsPolicyTest):
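Review bot: `HostsNoLegacyNoScopePolicyTest` sets `without_deprecated_rules = True` but, unlike `HostsScopeTypeNoLegacyPolicyTest` in the following hunk, defines no `rules_without_deprecation`, so it inherits whatever the base class defaults to; if that default does not replace the hosts rules, the deprecated aliases stay loaded and the docstring's "new defaults only" overstates what the class exercises. A `rules_without_deprecation` mapping mirroring the sibling class (every `policies.POLICY_NAME` entry set to `base_policy.ADMIN`) would make the intent explicit and keep the two no-legacy classes consistent. The docstring also carries a stray blank line before its closing quotes and capitalises "Operations"; suggest tightening it to a one-line summary, a blank line, then a single sentence stating that with no deprecated rules and no scope checks the system, legacy and project admins are all authorised because the rule reduces to plain admin.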
@@ -122,72 +111,29 @@ class HostsScopeTypePolicyTest(HostsPolicyTest):
super(HostsScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
- # Check that system admin is able to perform operations on hosts.
- self.system_admin_authorized_contexts = [
- self.system_admin_context]
- # Check that system non-admin is not able to perform operations
- # on hosts.
- self.system_admin_unauthorized_contexts = [
- self.legacy_admin_context, self.project_admin_context,
- self.system_member_context, self.system_reader_context,
- self.system_foo_context, self.other_project_member_context,
- self.project_foo_context, self.project_member_context,
- self.project_reader_context, self.other_project_reader_context
- ]
- self.system_reader_authorized_contexts = [
- self.system_admin_context, self.system_member_context,
- self.system_reader_context
- ]
- self.system_reader_unauthorized_contexts = [
- self.legacy_admin_context, self.project_foo_context,
- self.system_foo_context, self.project_admin_context,
- self.project_member_context, self.project_reader_context,
- self.other_project_member_context,
- self.other_project_reader_context
- ]
-
-
-class HostsNoLegacyPolicyTest(HostsScopeTypePolicyTest):
- """Test Hosts APIs policies with system scope enabled,
- and no more deprecated rules that allow the legacy admin API to
- access system_admin_or_owner APIs.
+ # With scope checks enable, only system admin is able to perform
+ # hosts Operations.
+ self.project_admin_authorized_contexts = [self.legacy_admin_context,
+ self.project_admin_context]
+
+
+class HostsScopeTypeNoLegacyPolicyTest(HostsScopeTypePolicyTest):
+ """Test Hosts APIs policies with with no legacy deprecated rules
+ and scope checks enabled which means scope + new defaults. So
+ only system admin is able to perform hosts Operations.
"""
+
without_deprecated_rules = True
rules_without_deprecation = {
policies.POLICY_NAME % 'list':
- base_policy.SYSTEM_READER,
+ base_policy.ADMIN,
policies.POLICY_NAME % 'show':
- base_policy.SYSTEM_READER,
+ base_policy.ADMIN,
policies.POLICY_NAME % 'update':
- base_policy.SYSTEM_ADMIN,
+ base_policy.ADMIN,
policies.POLICY_NAME % 'reboot':
- base_policy.SYSTEM_ADMIN,
+ base_policy.ADMIN,
policies.POLICY_NAME % 'shutdown':
- base_policy.SYSTEM_ADMIN,
+ base_policy.ADMIN,
policies.POLICY_NAME % 'startup':
- base_policy.SYSTEM_ADMIN}
-
- def setUp(self):
- super(HostsNoLegacyPolicyTest, self).setUp()
-
- self.system_reader_authorized_contexts = [
- self.system_admin_context, self.system_member_context,
- self.system_reader_context
- ]
- self.system_reader_unauthorized_contexts = [
- self.legacy_admin_context, self.project_foo_context,
- self.system_foo_context, self.project_admin_context,
- self.project_member_context, self.project_reader_context,
- self.other_project_member_context,
- self.other_project_reader_context
- ]
- self.system_admin_authorized_contexts = [
- self.system_admin_context
- ]
- self.system_admin_unauthorized_contexts = [
- self.system_member_context, self.system_reader_context,
- self.project_admin_context, self.project_member_context,
- self.legacy_admin_context, self.other_project_member_context,
- self.project_reader_context, self.project_foo_context,
- self.system_foo_context, self.other_project_reader_context
- ]
+ base_policy.ADMIN}
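Review bot: The comment added in `HostsScopeTypePolicyTest.setUp` says only the system admin can perform hosts operations, but the list assigned immediately below it is `[self.legacy_admin_context, self.project_admin_context]` and does not contain `self.system_admin_context`, so comment and code disagree; the `HostsScopeTypeNoLegacyPolicyTest` docstring repeats the same claim while inheriting that list unchanged. Since the list is what the test actually enforces, the comment should describe it — `# With scope checks enabled, only the project-scoped admins (legacy admin and project admin) are authorized for hosts operations.` — and the docstring's last sentence should say the same, also dropping the doubled "with with". Which side is the mistake is not visible in the hunk: if the list rather than the comment is wrong, this test would pass a policy that lets project admins drive host power actions (reboot/shutdown/startup), so the intended set is worth confirming against the hosts policy definition. The enclosing setUp's `def` line lies before the hunk.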