diff options
| author | Dan Smith <dansmith@redhat.com> | 2022-06-28 12:45:13 -0700 |
|---|---|---|
| committer | Ghanshyam <gmann@ghanshyammann.com> | 2022-08-24 13:12:16 +0000 |
| commit | 066e1e69d1394839a9f0bde4ca8c3a0db2d52396 (patch) | |
| tree | e567aa14c2aab367facfb7fdc3c25ee70307b7df | |
| parent | 9a82a90993e7b5a306b15f93a2151322d11c8e32 (diff) | |
| download | nova-066e1e69d1394839a9f0bde4ca8c3a0db2d52396.tar.gz | |
Remove system scope from all APIs
In line with the recent RBAC working group discussion and operator
feedback, this converts all our APIs back to project-only. It leaves
the actual scope_types in place, with them all set to project. This
allows an operator to turn on scope checking to *ensure* that only
project-scoped tokens are used, in case system scope is in use
elsewhere in the deployment (i.e. for keystone or ironic). Without
this, system scoped tokens will fail some operations in strange
(read: 500 and "database error") ways.
Change-Id: I951a11affa1d1e42863967cdc713618ff0a74814
30 files changed, 189 insertions, 155 deletions
diff --git a/nova/policies/aggregates.py b/nova/policies/aggregates.py index 73597f73eb..2775721699 100644 --- a/nova/policies/aggregates.py +++ b/nova/policies/aggregates.py @@ -33,7 +33,7 @@ aggregates_policies = [ 'method': 'POST' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'add_host', check_str=base.ADMIN, @@ -44,7 +44,7 @@ aggregates_policies = [ 'method': 'POST' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'create', check_str=base.ADMIN, @@ -55,7 +55,7 @@ aggregates_policies = [ 'method': 'POST' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'remove_host', check_str=base.ADMIN, @@ -66,7 +66,7 @@ aggregates_policies = [ 'method': 'POST' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'update', check_str=base.ADMIN, @@ -77,7 +77,7 @@ aggregates_policies = [ 'method': 'PUT' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'index', check_str=base.ADMIN, @@ -88,7 +88,7 @@ aggregates_policies = [ 'method': 'GET' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'delete', check_str=base.ADMIN, @@ -99,7 +99,7 @@ aggregates_policies = [ 'method': 'DELETE' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'show', check_str=base.ADMIN, @@ -110,7 +110,7 @@ aggregates_policies = [ 'method': 'GET' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=NEW_POLICY_ROOT % 'images', check_str=base.ADMIN, @@ -121,7 +121,7 @@ aggregates_policies = [ 'method': 'POST' } ], - scope_types=['system']), + scope_types=['project']), ] diff --git a/nova/policies/availability_zone.py b/nova/policies/availability_zone.py index de78dd864d..9a32c095b2 100644 --- a/nova/policies/availability_zone.py +++ b/nova/policies/availability_zone.py @@ -33,7 +33,7 @@ availability_zone_policies = [ 'path': '/os-availability-zone' } ], - scope_types=['system', 'project']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'detail', check_str=base.ADMIN, @@ -45,7 +45,7 @@ availability_zone_policies = [ 'path': '/os-availability-zone/detail' } ], - scope_types=['system']) + scope_types=['project']) ] diff --git a/nova/policies/baremetal_nodes.py b/nova/policies/baremetal_nodes.py index fdce0372b4..8fd66d57ba 100644 --- a/nova/policies/baremetal_nodes.py +++ b/nova/policies/baremetal_nodes.py @@ -49,7 +49,7 @@ These APIs are proxy calls to the Ironic service and are deprecated. 'path': '/os-baremetal-nodes' } ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_BAREMETAL_POLICY), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'show', @@ -61,7 +61,7 @@ These APIs are proxy calls to the Ironic service and are deprecated. 'path': '/os-baremetal-nodes/{node_id}' } ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_BAREMETAL_POLICY) ] diff --git a/nova/policies/extensions.py b/nova/policies/extensions.py index b049db7a7d..36c3fa0a05 100644 --- a/nova/policies/extensions.py +++ b/nova/policies/extensions.py @@ -37,7 +37,7 @@ extensions_policies = [ 'path': '/extensions/{alias}' } ], - scope_types=['system', 'project']), + scope_types=['project']), ] diff --git a/nova/policies/flavor_access.py b/nova/policies/flavor_access.py index d86e472c2f..e7044d0cec 100644 --- a/nova/policies/flavor_access.py +++ b/nova/policies/flavor_access.py @@ -53,7 +53,7 @@ flavor_access_policies = [ 'path': '/flavors/{flavor_id}/action (addTenantAccess)' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'remove_tenant_access', check_str=base.ADMIN, @@ -64,7 +64,7 @@ flavor_access_policies = [ 'path': '/flavors/{flavor_id}/action (removeTenantAccess)' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME, check_str=base.ADMIN, @@ -79,7 +79,7 @@ to a flavor via an os-flavor-access API. 'path': '/flavors/{flavor_id}/os-flavor-access' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_FLAVOR_ACCESS_POLICY), ] diff --git a/nova/policies/flavor_extra_specs.py b/nova/policies/flavor_extra_specs.py index 06b486bf49..eaa7dd52cb 100644 --- a/nova/policies/flavor_extra_specs.py +++ b/nova/policies/flavor_extra_specs.py @@ -31,7 +31,7 @@ flavor_extra_specs_policies = [ 'method': 'GET' } ], - scope_types=['system', 'project'] + scope_types=['project'] ), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'create', @@ -43,7 +43,7 @@ flavor_extra_specs_policies = [ 'method': 'POST' } ], - scope_types=['system'] + scope_types=['project'] ), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'update', @@ -56,7 +56,7 @@ flavor_extra_specs_policies = [ 'method': 'PUT' } ], - scope_types=['system'] + scope_types=['project'] ), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'delete', @@ -69,7 +69,7 @@ flavor_extra_specs_policies = [ 'method': 'DELETE' } ], - scope_types=['system'] + scope_types=['project'] ), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'index', @@ -100,7 +100,7 @@ flavor_extra_specs_policies = [ 'method': 'PUT' } ], - scope_types=['system', 'project'] + scope_types=['project'] ), ] diff --git a/nova/policies/flavor_manage.py b/nova/policies/flavor_manage.py index b7876e8c96..a2ac6d8b21 100644 --- a/nova/policies/flavor_manage.py +++ b/nova/policies/flavor_manage.py @@ -33,7 +33,7 @@ flavor_manage_policies = [ 'path': '/flavors' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'update', check_str=base.ADMIN, @@ -44,7 +44,7 @@ flavor_manage_policies = [ 'path': '/flavors/{flavor_id}' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'delete', check_str=base.ADMIN, @@ -55,7 +55,7 @@ flavor_manage_policies = [ 'path': '/flavors/{flavor_id}' } ], - scope_types=['system']), + scope_types=['project']), ] diff --git a/nova/policies/floating_ip_pools.py b/nova/policies/floating_ip_pools.py index 61105efcb7..dd1d8f6851 100644 --- a/nova/policies/floating_ip_pools.py +++ b/nova/policies/floating_ip_pools.py @@ -32,7 +32,7 @@ floating_ip_pools_policies = [ 'path': '/os-floating-ip-pools' } ], - scope_types=['system', 'project']), + scope_types=['project']), ] diff --git a/nova/policies/hosts.py b/nova/policies/hosts.py index 1505f225ba..04b91a8641 100644 --- a/nova/policies/hosts.py +++ b/nova/policies/hosts.py @@ -48,7 +48,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""", 'path': '/os-hosts' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), policy.DocumentedRuleDefault( name=POLICY_NAME % 'show', @@ -62,7 +62,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""", 'path': '/os-hosts/{host_name}' } ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), policy.DocumentedRuleDefault( name=POLICY_NAME % 'update', @@ -76,7 +76,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""", 'path': '/os-hosts/{host_name}' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), policy.DocumentedRuleDefault( name=POLICY_NAME % 'reboot', @@ -90,7 +90,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""", 'path': '/os-hosts/{host_name}/reboot' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), policy.DocumentedRuleDefault( name=POLICY_NAME % 'shutdown', @@ -104,7 +104,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""", 'path': '/os-hosts/{host_name}/shutdown' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), policy.DocumentedRuleDefault( name=POLICY_NAME % 'start', @@ -118,7 +118,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""", 'path': '/os-hosts/{host_name}/startup' } ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), ] diff --git a/nova/policies/hypervisors.py b/nova/policies/hypervisors.py index 92bb12e90f..f4f29d1e1b 100644 --- a/nova/policies/hypervisors.py +++ b/nova/policies/hypervisors.py @@ -45,7 +45,7 @@ hypervisors_policies = [ 'method': 'GET' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'list-detail', @@ -57,7 +57,7 @@ hypervisors_policies = [ 'method': 'GET' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'statistics', @@ -70,7 +70,7 @@ hypervisors_policies = [ 'method': 'GET' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'show', @@ -82,7 +82,7 @@ hypervisors_policies = [ 'method': 'GET' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'uptime', @@ -94,7 +94,7 @@ hypervisors_policies = [ 'method': 'GET' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'search', @@ -106,7 +106,7 @@ hypervisors_policies = [ 'method': 'GET' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'servers', @@ -120,7 +120,7 @@ hypervisors_policies = [ 'method': 'GET' } ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY ), ] diff --git a/nova/policies/instance_usage_audit_log.py b/nova/policies/instance_usage_audit_log.py index f93ace08c1..7884134e4a 100644 --- a/nova/policies/instance_usage_audit_log.py +++ b/nova/policies/instance_usage_audit_log.py @@ -44,7 +44,7 @@ instance_usage_audit_log_policies = [ 'path': '/os-instance_usage_audit_log' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'show', @@ -59,7 +59,7 @@ instance_usage_audit_log_policies = [ 'path': '/os-instance_usage_audit_log/{before_timestamp}' } ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_POLICY), ] diff --git a/nova/policies/keypairs.py b/nova/policies/keypairs.py index b0ee4a8906..a42ee6302b 100644 --- a/nova/policies/keypairs.py +++ b/nova/policies/keypairs.py @@ -31,7 +31,7 @@ keypairs_policies = [ 'method': 'GET' } ], - scope_types=['system', 'project']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'create', check_str='(' + base.ADMIN + ') or user_id:%(user_id)s', @@ -42,7 +42,7 @@ keypairs_policies = [ 'method': 'POST' } ], - scope_types=['system', 'project']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'delete', check_str='(' + base.ADMIN + ') or user_id:%(user_id)s', @@ -53,7 +53,7 @@ keypairs_policies = [ 'method': 'DELETE' } ], - scope_types=['system', 'project']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'show', check_str='(' + base.ADMIN + ') or user_id:%(user_id)s', @@ -64,7 +64,7 @@ keypairs_policies = [ 'method': 'GET' } ], - scope_types=['system', 'project']), + scope_types=['project']), ] diff --git a/nova/policies/quota_class_sets.py b/nova/policies/quota_class_sets.py index e9d22d2f68..b01102b44e 100644 --- a/nova/policies/quota_class_sets.py +++ b/nova/policies/quota_class_sets.py @@ -32,7 +32,7 @@ quota_class_sets_policies = [ 'path': '/os-quota-class-sets/{quota_class}' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'update', check_str=base.ADMIN, @@ -43,7 +43,7 @@ quota_class_sets_policies = [ 'path': '/os-quota-class-sets/{quota_class}' } ], - scope_types=['system']), + scope_types=['project']), ] diff --git a/nova/policies/quota_sets.py b/nova/policies/quota_sets.py index 2aa7439390..a44c6fa918 100644 --- a/nova/policies/quota_sets.py +++ b/nova/policies/quota_sets.py @@ -43,7 +43,7 @@ quota_sets_policies = [ 'path': '/os-quota-sets/{tenant_id}/defaults' } ], - scope_types=['system', 'project']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'show', # TODO(gmann): Until we have domain admin or so to get other project's diff --git a/nova/policies/services.py b/nova/policies/services.py index 8174bf92df..7300d3bdb3 100644 --- a/nova/policies/services.py +++ b/nova/policies/services.py @@ -45,7 +45,7 @@ services_policies = [ 'path': '/os-services' } ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_SERVICE_POLICY), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'update', @@ -58,7 +58,7 @@ services_policies = [ 'path': '/os-services/{service_id}' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_SERVICE_POLICY), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'delete', @@ -70,7 +70,7 @@ services_policies = [ 'path': '/os-services/{service_id}' } ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_SERVICE_POLICY), ] diff --git a/nova/tests/unit/policies/test_aggregates.py b/nova/tests/unit/policies/test_aggregates.py index 8aaf0a6101..6ac7b6e010 100644 --- a/nova/tests/unit/policies/test_aggregates.py +++ b/nova/tests/unit/policies/test_aggregates.py @@ -35,14 +35,14 @@ class AggregatesPolicyTest(base.BasePolicyTest): # With legacy rule and scope check disabled by default, system admin, # legacy admin, and project admin will be able to perform Aggregate # Operations. - self.system_admin_authorized_contexts = [ + self.project_admin_authorized_contexts = [ self.legacy_admin_context, self.system_admin_context, self.project_admin_context] @mock.patch('nova.compute.api.AggregateAPI.get_aggregate_list') def test_list_aggregate_policy(self, mock_list): rule_name = "os_compute_api:os-aggregates:index" - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.index, self.req) @@ -55,7 +55,7 @@ class AggregatesPolicyTest(base.BasePolicyTest): "hosts": ["host1", "host2"]}) body = {"aggregate": {"name": "test", "availability_zone": "nova1"}} - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.create, self.req, body=body) @@ -63,7 +63,7 @@ class AggregatesPolicyTest(base.BasePolicyTest): @mock.patch('nova.compute.api.AggregateAPI.update_aggregate') def test_update_aggregate_policy(self, mock_update): rule_name = "os_compute_api:os-aggregates:update" - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.update, self.req, 1, body={"aggregate": {"name": "new_name"}}) @@ -71,7 +71,7 @@ class AggregatesPolicyTest(base.BasePolicyTest): @mock.patch('nova.compute.api.AggregateAPI.delete_aggregate') def test_delete_aggregate_policy(self, mock_delete): rule_name = "os_compute_api:os-aggregates:delete" - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.delete, self.req, 1) @@ -79,7 +79,7 @@ class AggregatesPolicyTest(base.BasePolicyTest): @mock.patch('nova.compute.api.AggregateAPI.get_aggregate') def test_show_aggregate_policy(self, mock_show): rule_name = "os_compute_api:os-aggregates:show" - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.show, self.req, 1) @@ -87,7 +87,7 @@ class AggregatesPolicyTest(base.BasePolicyTest): def test_set_metadata_aggregate_policy(self, mock_metadata): rule_name = "os_compute_api:os-aggregates:set_metadata" body = {"set_metadata": {"metadata": {"foo": "bar"}}} - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller._set_metadata, self.req, 1, body=body) @@ -95,7 +95,7 @@ class AggregatesPolicyTest(base.BasePolicyTest): @mock.patch('nova.compute.api.AggregateAPI.add_host_to_aggregate') def test_add_host_aggregate_policy(self, mock_add): rule_name = "os_compute_api:os-aggregates:add_host" - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller._add_host, self.req, 1, body={"add_host": {"host": "host1"}}) @@ -103,7 +103,7 @@ class AggregatesPolicyTest(base.BasePolicyTest): @mock.patch('nova.compute.api.AggregateAPI.remove_host_from_aggregate') def test_remove_host_aggregate_policy(self, mock_remove): rule_name = "os_compute_api:os-aggregates:remove_host" - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller._remove_host, self.req, 1, @@ -118,7 +118,7 @@ class AggregatesPolicyTest(base.BasePolicyTest): body = {'cache': [{'id': uuids.fake_id}]} req = fakes.HTTPRequest.blank('', version='2.81') with mock.patch('nova.conductor.api.ComputeTaskAPI.cache_images'): - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.images, req, 1, body=body) @@ -149,9 +149,10 @@ class AggregatesScopeTypePolicyTest(AggregatesPolicyTest): super(AggregatesScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") - # With scope checks enable, only system admin is able to perform - # Aggregate Operations. - self.system_admin_authorized_contexts = [self.system_admin_context] + # With scope checks enabled, only project-scoped admins are + # able to perform Aggregate Operations. + self.project_admin_authorized_contexts = [self.legacy_admin_context, + self.project_admin_context] class AggregatesScopeTypeNoLegacyPolicyTest(AggregatesScopeTypePolicyTest): diff --git a/nova/tests/unit/policies/test_availability_zone.py b/nova/tests/unit/policies/test_availability_zone.py index d021cc14d8..1852f8444c 100644 --- a/nova/tests/unit/policies/test_availability_zone.py +++ b/nova/tests/unit/policies/test_availability_zone.py @@ -34,20 +34,21 @@ class AvailabilityZonePolicyTest(base.BasePolicyTest): # With legacy rule and scope check disabled by default, system admin, # legacy admin, and project admin will be able to get AZ with host # information. - self.system_admin_authorized_contexts = [ + self.project_admin_authorized_contexts = [ self.legacy_admin_context, self.system_admin_context, self.project_admin_context] + self.project_authorized_contexts = self.all_contexts @mock.patch('nova.objects.Instance.save') def test_availability_zone_list_policy(self, mock_save): rule_name = "os_compute_api:os-availability-zone:list" - self.common_policy_auth(self.all_contexts, + self.common_policy_auth(self.project_authorized_contexts, rule_name, self.controller.index, self.req) def test_availability_zone_detail_policy(self): rule_name = "os_compute_api:os-availability-zone:detail" - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.detail, self.req) @@ -79,9 +80,11 @@ class AvailabilityZoneScopeTypePolicyTest(AvailabilityZonePolicyTest): super(AvailabilityZoneScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") - # With scope checks enable, only system admin is able to get - # AZ with host information. - self.system_admin_authorized_contexts = [self.system_admin_context] + # With scope checks enable, only project-scoped admins are + # able to get AZ with host information. + self.project_admin_authorized_contexts = [self.legacy_admin_context, + self.project_admin_context] + self.project_authorized_contexts = self.all_project_contexts class AZScopeTypeNoLegacyPolicyTest(AvailabilityZoneScopeTypePolicyTest): diff --git a/nova/tests/unit/policies/test_baremetal_nodes.py b/nova/tests/unit/policies/test_baremetal_nodes.py index 7a045b2ff0..68f02087c4 100644 --- a/nova/tests/unit/policies/test_baremetal_nodes.py +++ b/nova/tests/unit/policies/test_baremetal_nodes.py @@ -43,13 +43,13 @@ class BaremetalNodesPolicyTest(base.BasePolicyTest): lambda *_: FAKE_IRONIC_CLIENT) # With legacy rule and scope check disabled by default, system admin, # legacy admin, and project admin will be able to get baremetal nodes. - self.system_admin_authorized_contexts = [ + self.project_admin_authorized_contexts = [ self.legacy_admin_context, self.system_admin_context, self.project_admin_context] def test_index_nodes_policy(self): rule_name = "os_compute_api:os-baremetal-nodes:list" - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.index, self.req) @@ -62,7 +62,7 @@ class BaremetalNodesPolicyTest(base.BasePolicyTest): mock_get.return_value = node mock_port.return_value = [] - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.show, self.req, uuids.fake_id) @@ -95,9 +95,10 @@ class BaremetalNodesScopeTypePolicyTest(BaremetalNodesPolicyTest): super(BaremetalNodesScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") - # With scope checks enable, only system admin is able to get - # baremetal nodes. - self.system_admin_authorized_contexts = [self.system_admin_context] + # With scope checks enable, only project-scoped admins are + # able to get baremetal nodes. + self.project_admin_authorized_contexts = [self.legacy_admin_context, + self.project_admin_context] class BNScopeTypeNoLegacyPolicyTest(BaremetalNodesScopeTypePolicyTest): diff --git a/nova/tests/unit/policies/test_extensions.py b/nova/tests/unit/policies/test_extensions.py index 7865ececba..d2e3c6adde 100644 --- a/nova/tests/unit/policies/test_extensions.py +++ b/nova/tests/unit/policies/test_extensions.py @@ -71,6 +71,16 @@ class ExtensionsScopeTypePolicyTest(ExtensionsPolicyTest): def setUp(self): super(ExtensionsScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") + self.everyone_authorized_contexts = [ + self.legacy_admin_context, + self.project_admin_context, self.project_member_context, + self.project_reader_context, self.project_foo_context, + self.other_project_reader_context, + self.other_project_member_context + ] + self.everyone_unauthorized_contexts = [ + self.system_admin_context, self.system_member_context, + self.system_reader_context, self.system_foo_context] class ExtensionsNoLegacyPolicyTest(ExtensionsScopeTypePolicyTest): diff --git a/nova/tests/unit/policies/test_flavor_access.py b/nova/tests/unit/policies/test_flavor_access.py index 7a3ebf96cb..cfdbbd2470 100644 --- a/nova/tests/unit/policies/test_flavor_access.py +++ b/nova/tests/unit/policies/test_flavor_access.py @@ -122,12 +122,11 @@ class FlavorAccessScopeTypePolicyTest(FlavorAccessPolicyTest): super(FlavorAccessScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") - # Scope checks remove project users power. + # Scope checks remove system users' power. self.admin_authorized_contexts = [ - self.system_admin_context] - self.admin_index_authorized_contexts = [ - self.system_admin_context, self.system_member_context, - self.system_reader_context, self.system_foo_context] + self.legacy_admin_context, + self.project_admin_context] + self.admin_index_authorized_contexts = self.all_project_contexts class FlavorAccessScopeTypeNoLegacyPolicyTest(FlavorAccessScopeTypePolicyTest): @@ -146,5 +145,9 @@ class FlavorAccessScopeTypeNoLegacyPolicyTest(FlavorAccessScopeTypePolicyTest): def setUp(self): super(FlavorAccessScopeTypeNoLegacyPolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") - self.admin_index_authorized_contexts = [ - self.system_admin_context] + + # New defaults make this admin-only + self.admin_authorized_contexts = [ + self.legacy_admin_context, + self.project_admin_context] + self.admin_index_authorized_contexts = self.admin_authorized_contexts diff --git a/nova/tests/unit/policies/test_flavor_extra_specs.py b/nova/tests/unit/policies/test_flavor_extra_specs.py index fdb93e6a7c..f3c8cacd57 100644 --- a/nova/tests/unit/policies/test_flavor_extra_specs.py +++ b/nova/tests/unit/policies/test_flavor_extra_specs.py @@ -57,7 +57,7 @@ class FlavorExtraSpecsPolicyTest(base.BasePolicyTest): # In the base/legacy case, all project and system contexts are # authorized in the case of things that distinguish between # scopes, since scope checking is disabled. - self.all_system_authorized_contexts = (self.all_project_contexts | + self.all_project_authorized_contexts = (self.all_project_contexts | self.all_system_contexts) # In the base/legacy case, any admin is an admin. @@ -167,7 +167,7 @@ class FlavorExtraSpecsPolicyTest(base.BasePolicyTest): } } authorize_res, unauthorize_res = self.common_policy_auth( - self.all_system_authorized_contexts, + self.all_project_authorized_contexts, rule_name, self.fm_ctrl._create, req, body=body, fatal=False) for resp in authorize_res: @@ -187,7 +187,7 @@ class FlavorExtraSpecsPolicyTest(base.BasePolicyTest): req = fakes.HTTPRequest.blank('', version='2.61') authorize_res, unauthorize_res = self.common_policy_auth( - self.all_system_authorized_contexts, + self.all_project_authorized_contexts, rule_name, self.fm_ctrl._update, req, '1', body={'flavor': {'description': None}}, fatal=False) @@ -211,11 +211,13 @@ class FlavorExtraSpecsScopeTypePolicyTest(FlavorExtraSpecsPolicyTest): super(FlavorExtraSpecsScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") - # Only system users are authorized for system APIs - self.all_system_authorized_contexts = self.all_system_contexts + # Only project users are authorized + self.reduce_set('all_project_authorized', self.all_project_contexts) + self.reduce_set('all_authorized', self.all_project_contexts) - # Only system_admin can do system admin things - self.admin_authorized_contexts = [self.system_admin_context] + # Only admins can do admin things + self.admin_authorized_contexts = [self.legacy_admin_context, + self.project_admin_context] class FlavorExtraSpecsNoLegacyNoScopeTest(FlavorExtraSpecsPolicyTest): @@ -235,7 +237,7 @@ class FlavorExtraSpecsNoLegacyNoScopeTest(FlavorExtraSpecsPolicyTest): self.system_foo_context, self.project_foo_context, ]) - self.reduce_set('all_system_authorized', everything_but_foo) + self.reduce_set('all_project_authorized', everything_but_foo) self.reduce_set('all_authorized', everything_but_foo) @@ -252,11 +254,10 @@ class FlavorExtraSpecsNoLegacyPolicyTest(FlavorExtraSpecsScopeTypePolicyTest): # contexts. With scope checking enabled, project and system # contexts stay separate. self.reduce_set( - 'all_system_authorized', - self.all_system_contexts - set([self.system_foo_context])) - everything_but_foo = ( - self.all_project_contexts | self.all_system_contexts) - set([ - self.system_foo_context, + 'all_project_authorized', + self.all_project_contexts - set([self.project_foo_context])) + everything_but_foo_and_system = ( + self.all_contexts - set([ self.project_foo_context, - ]) - self.reduce_set('all_authorized', everything_but_foo) + ]) - self.all_system_contexts) + self.reduce_set('all_authorized', everything_but_foo_and_system) diff --git a/nova/tests/unit/policies/test_flavor_manage.py b/nova/tests/unit/policies/test_flavor_manage.py index 0422469a11..0663a689cb 100644 --- a/nova/tests/unit/policies/test_flavor_manage.py +++ b/nova/tests/unit/policies/test_flavor_manage.py @@ -105,10 +105,11 @@ class FlavorManageScopeTypePolicyTest(FlavorManagePolicyTest): super(FlavorManageScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") - # With scope enable, only system admin is able to manage + # With scope enabled, only project admin is able to manage # the flavors. self.admin_authorized_contexts = [ - self.system_admin_context] + self.legacy_admin_context, + self.project_admin_context] class FlavorManageScopeTypeNoLegacyPolicyTest( diff --git a/nova/tests/unit/policies/test_floating_ip_pools.py b/nova/tests/unit/policies/test_floating_ip_pools.py index 22fca84bbd..551f482bd4 100644 --- a/nova/tests/unit/policies/test_floating_ip_pools.py +++ b/nova/tests/unit/policies/test_floating_ip_pools.py @@ -32,15 +32,15 @@ class FloatingIPPoolsPolicyTest(base.BasePolicyTest): self.req = fakes.HTTPRequest.blank('') # Check that everyone is able to list FIP pools. - self.everyone_authorized_contexts = [ + self.everyone_authorized_contexts = set([ self.legacy_admin_context, self.system_admin_context, self.project_admin_context, self.project_member_context, self.project_reader_context, self.project_foo_context, self.other_project_reader_context, self.other_project_member_context, self.system_member_context, self.system_reader_context, - self.system_foo_context] - self.everyone_unauthorized_contexts = [] + self.system_foo_context]) + self.everyone_unauthorized_contexts = set([]) @mock.patch('nova.network.neutron.API.get_floating_ip_pools') def test_floating_ip_pools_policy(self, mock_get): @@ -66,6 +66,10 @@ class FloatingIPPoolsScopeTypePolicyTest(FloatingIPPoolsPolicyTest): super(FloatingIPPoolsScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") + self.reduce_set('everyone_authorized', self.all_project_contexts) + self.everyone_unauthorized_contexts = ( + self.all_contexts - self.everyone_authorized_contexts) + class FloatingIPPoolsNoLegacyPolicyTest(FloatingIPPoolsScopeTypePolicyTest): """Test Floating IP Pools APIs policies with system scope enabled, diff --git a/nova/tests/unit/policies/test_hosts.py b/nova/tests/unit/policies/test_hosts.py index a5147dab82..e07c907cf8 100644 --- a/nova/tests/unit/policies/test_hosts.py +++ b/nova/tests/unit/policies/test_hosts.py @@ -35,14 +35,14 @@ class HostsPolicyTest(base.BasePolicyTest): # With legacy rule and scope check disabled by default, system admin, # legacy admin, and project admin will be able to perform hosts # Operations. - self.system_admin_authorized_contexts = [ + self.project_admin_authorized_contexts = [ self.legacy_admin_context, self.system_admin_context, self.project_admin_context] @mock.patch('nova.compute.api.HostAPI.service_get_all') def test_list_hosts_policy(self, mock_get): rule_name = policies.POLICY_NAME % 'list' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.index, self.req) @@ -53,34 +53,34 @@ class HostsPolicyTest(base.BasePolicyTest): @mock.patch('nova.compute.api.HostAPI.instance_get_all_by_host') def test_show_host_policy(self, mock_get, mock_node, mock_map, mock_set): rule_name = policies.POLICY_NAME % 'show' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.show, self.req, 11111) def test_update_host_policy(self): rule_name = policies.POLICY_NAME % 'update' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.update, self.req, 11111, body={}) @mock.patch('nova.compute.api.HostAPI.host_power_action') def test_reboot_host_policy(self, mock_action): rule_name = policies.POLICY_NAME % 'reboot' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.reboot, self.req, 11111) @mock.patch('nova.compute.api.HostAPI.host_power_action') def test_shutdown_host_policy(self, mock_action): rule_name = policies.POLICY_NAME % 'shutdown' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.shutdown, self.req, 11111) @mock.patch('nova.compute.api.HostAPI.host_power_action') def test_startup_host_policy(self, mock_action): rule_name = policies.POLICY_NAME % 'start' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.startup, self.req, 11111) @@ -113,7 +113,8 @@ class HostsScopeTypePolicyTest(HostsPolicyTest): # With scope checks enable, only system admin is able to perform # hosts Operations. - self.system_admin_authorized_contexts = [self.system_admin_context] + self.project_admin_authorized_contexts = [self.legacy_admin_context, + self.project_admin_context] class HostsScopeTypeNoLegacyPolicyTest(HostsScopeTypePolicyTest): diff --git a/nova/tests/unit/policies/test_hypervisors.py b/nova/tests/unit/policies/test_hypervisors.py index fbdf805fce..dd17ebe2fe 100644 --- a/nova/tests/unit/policies/test_hypervisors.py +++ b/nova/tests/unit/policies/test_hypervisors.py @@ -39,51 +39,51 @@ class HypervisorsPolicyTest(base.BasePolicyTest): # With legacy rule and scope check disabled by default, system admin, # legacy admin, and project admin will be able to perform hypervisors # Operations. - self.system_admin_authorized_contexts = [ + self.project_admin_authorized_contexts = [ self.legacy_admin_context, self.system_admin_context, self.project_admin_context] def test_list_hypervisors_policy(self): rule_name = hv_policies.BASE_POLICY_NAME % 'list' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.index, self.req) def test_list_details_hypervisors_policy(self): rule_name = hv_policies.BASE_POLICY_NAME % 'list-detail' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.detail, self.req) def test_show_hypervisors_policy(self): rule_name = hv_policies.BASE_POLICY_NAME % 'show' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.show, self.req, 11111) @mock.patch('nova.compute.api.HostAPI.get_host_uptime') def test_uptime_hypervisors_policy(self, mock_uptime): rule_name = hv_policies.BASE_POLICY_NAME % 'uptime' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.uptime, self.req, 11111) def test_search_hypervisors_policy(self): rule_name = hv_policies.BASE_POLICY_NAME % 'search' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.search, self.req, 11111) def test_servers_hypervisors_policy(self): rule_name = hv_policies.BASE_POLICY_NAME % 'servers' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.servers, self.req, 11111) @mock.patch('nova.compute.api.HostAPI.compute_node_statistics') def test_statistics_hypervisors_policy(self, mock_statistics): rule_name = hv_policies.BASE_POLICY_NAME % 'statistics' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.statistics, self.req) @@ -115,7 +115,8 @@ class HypervisorsScopeTypePolicyTest(HypervisorsPolicyTest): # With scope checks enable, only system admin is able to perform # hypervisors Operations. - self.system_admin_authorized_contexts = [self.system_admin_context] + self.project_admin_authorized_contexts = [self.legacy_admin_context, + self.project_admin_context] class HypervisorsScopeTypeNoLegacyPolicyTest(HypervisorsScopeTypePolicyTest): diff --git a/nova/tests/unit/policies/test_instance_usage_audit_log.py b/nova/tests/unit/policies/test_instance_usage_audit_log.py index 311a404075..71b0cdd2aa 100644 --- a/nova/tests/unit/policies/test_instance_usage_audit_log.py +++ b/nova/tests/unit/policies/test_instance_usage_audit_log.py @@ -85,7 +85,8 @@ class InstanceUsageScopeTypePolicyTest(InstanceUsageAuditLogPolicyTest): # Scope checks remove project users power. self.admin_authorized_contexts = [ - self.system_admin_context] + self.legacy_admin_context, + self.project_admin_context] class InstanceUsageScopeTypeNoLegacyPolicyTest( diff --git a/nova/tests/unit/policies/test_keypairs.py b/nova/tests/unit/policies/test_keypairs.py index b30d5e2455..ee39133b7a 100644 --- a/nova/tests/unit/policies/test_keypairs.py +++ b/nova/tests/unit/policies/test_keypairs.py @@ -35,7 +35,7 @@ class KeypairsPolicyTest(base.BasePolicyTest): # Check that everyone is able to create, delete and get # their keypairs. - self.everyone_authorized_contexts = [ + self.everyone_authorized_contexts = set([ self.legacy_admin_context, self.system_admin_context, self.project_admin_context, self.system_member_context, self.system_reader_context, @@ -43,13 +43,13 @@ class KeypairsPolicyTest(base.BasePolicyTest): self.project_reader_context, self.project_foo_context, self.other_project_member_context, self.other_project_reader_context, - ] + ]) # Check that admin is able to create, delete and get # other users keypairs. - self.admin_authorized_contexts = [ + self.admin_authorized_contexts = set([ self.legacy_admin_context, self.system_admin_context, - self.project_admin_context] + self.project_admin_context]) @mock.patch('nova.compute.api.KeypairAPI.get_key_pairs') def test_index_keypairs_policy(self, mock_get): @@ -152,6 +152,12 @@ class KeypairsScopeTypePolicyTest(KeypairsPolicyTest): super(KeypairsScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") + # With scope checking, only project-scoped users are allowed + self.reduce_set('everyone_authorized', self.all_project_contexts) + self.admin_authorized_contexts = [ + self.legacy_admin_context, + self.project_admin_context] + class KeypairsNoLegacyPolicyTest(KeypairsScopeTypePolicyTest): """Test Keypairs APIs policies with system scope enabled, diff --git a/nova/tests/unit/policies/test_quota_class_sets.py b/nova/tests/unit/policies/test_quota_class_sets.py index d008092a95..09b90d5ebc 100644 --- a/nova/tests/unit/policies/test_quota_class_sets.py +++ b/nova/tests/unit/policies/test_quota_class_sets.py @@ -34,7 +34,7 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest): # With legacy rule and scope check disabled by default, system admin, # legacy admin, and project admin will be able to get, update quota # class. - self.system_admin_authorized_contexts = [ + self.project_admin_authorized_contexts = [ self.legacy_admin_context, self.system_admin_context, self.project_admin_context] @@ -46,7 +46,7 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest): 'ram': 51200, 'floating_ips': -1, 'fixed_ips': -1, 'instances': 10, 'injected_files': 5, 'cores': 20}} - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.update, self.req, 'test_class', @@ -55,7 +55,7 @@ class QuotaClassSetsPolicyTest(base.BasePolicyTest): @mock.patch('nova.quota.QUOTAS.get_class_quotas') def test_show_quota_class_sets_policy(self, mock_get): rule_name = policies.POLICY_ROOT % 'show' - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.show, self.req, 'test_class') @@ -86,9 +86,10 @@ class QuotaClassSetsScopeTypePolicyTest(QuotaClassSetsPolicyTest): super(QuotaClassSetsScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") - # With scope checks enable, only system admin is able to update - # and get quota class. - self.system_admin_authorized_contexts = [self.system_admin_context] + # With scope checks enable, only project admins are able to + # update and get quota class. + self.project_admin_authorized_contexts = [self.legacy_admin_context, + self.project_admin_context] class QuotaClassScopeTypeNoLegacyPolicyTest(QuotaClassSetsScopeTypePolicyTest): diff --git a/nova/tests/unit/policies/test_quota_sets.py b/nova/tests/unit/policies/test_quota_sets.py index 64932b7fa4..3ff8cd1c02 100644 --- a/nova/tests/unit/policies/test_quota_sets.py +++ b/nova/tests/unit/policies/test_quota_sets.py @@ -36,27 +36,27 @@ class QuotaSetsPolicyTest(base.BasePolicyTest): # With legacy rule all admin is able to update or revert their quota # to default or get other project quota. - self.project_admin_authorized_contexts = [ + self.project_admin_authorized_contexts = set([ self.legacy_admin_context, self.system_admin_context, - self.project_admin_context] + self.project_admin_context]) # With legacy rule, everyone is able to get their own quota. - self.project_reader_authorized_contexts = [ + self.project_reader_authorized_contexts = set([ self.legacy_admin_context, self.system_admin_context, self.project_admin_context, self.system_member_context, self.system_reader_context, self.system_foo_context, self.project_member_context, self.project_reader_context, self.project_foo_context, self.other_project_member_context, - self.other_project_reader_context] + self.other_project_reader_context]) # Everyone is able to get the default quota - self.everyone_authorized_contexts = [ + self.everyone_authorized_contexts = set([ self.legacy_admin_context, self.system_admin_context, self.project_admin_context, self.system_member_context, self.system_reader_context, self.system_foo_context, self.project_member_context, self.project_reader_context, self.project_foo_context, self.other_project_member_context, - self.other_project_reader_context] + self.other_project_reader_context]) @mock.patch('nova.quota.QUOTAS.get_project_quotas') @mock.patch('nova.quota.QUOTAS.get_settable_quotas') @@ -176,16 +176,13 @@ class QuotaSetsScopeTypePolicyTest(QuotaSetsPolicyTest): super(QuotaSetsScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") - # With scope enable, system users will be disallowed. - self.project_admin_authorized_contexts = [ + # With scope enabled, system users will be disallowed. + self.reduce_set('project_admin_authorized', set([ self.legacy_admin_context, - self.project_admin_context] - self.project_reader_authorized_contexts = [ - self.legacy_admin_context, self.project_admin_context, - self.project_member_context, self.project_reader_context, - self.project_foo_context, - self.other_project_member_context, - self.other_project_reader_context] + self.project_admin_context])) + self.reduce_set('project_reader_authorized', + self.all_project_contexts) + self.everyone_authorized_contexts = self.all_project_contexts class QuotaSetsScopeTypeNoLegacyPolicyTest(QuotaSetsScopeTypePolicyTest): @@ -197,6 +194,8 @@ class QuotaSetsScopeTypeNoLegacyPolicyTest(QuotaSetsScopeTypePolicyTest): def setUp(self): super(QuotaSetsScopeTypeNoLegacyPolicyTest, self).setUp() - self.project_reader_authorized_contexts = [ - self.legacy_admin_context, self.project_admin_context, - self.project_member_context, self.project_reader_context] + # With scope enabled and no legacy, system and + # non-reader/member users are disallowed. + self.reduce_set('project_reader_authorized', + self.all_project_contexts - + set([self.project_foo_context])) diff --git a/nova/tests/unit/policies/test_services.py b/nova/tests/unit/policies/test_services.py index 5a77b559ba..72465eb748 100644 --- a/nova/tests/unit/policies/test_services.py +++ b/nova/tests/unit/policies/test_services.py @@ -35,21 +35,21 @@ class ServicesPolicyTest(base.BasePolicyTest): # With legacy rule and scope check disabled by default, system admin, # legacy admin, and project admin will be able to perform Services # Operations. - self.system_admin_authorized_contexts = [ + self.project_admin_authorized_contexts = [ self.legacy_admin_context, self.system_admin_context, self.project_admin_context] def test_delete_service_policy(self): rule_name = "os_compute_api:os-services:delete" with mock.patch('nova.compute.api.HostAPI.service_get_by_id'): - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.delete, self.req, 1) def test_index_service_policy(self): rule_name = "os_compute_api:os-services:list" with mock.patch('nova.compute.api.HostAPI.service_get_all'): - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.index, self.req) @@ -58,7 +58,7 @@ class ServicesPolicyTest(base.BasePolicyTest): body = {'host': 'host1', 'binary': 'nova-compute'} update = 'nova.compute.api.HostAPI.service_update_by_host_and_binary' with mock.patch(update): - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.update, self.req, 'enable', body=body) @@ -69,7 +69,7 @@ class ServicesPolicyTest(base.BasePolicyTest): service = self.start_service( 'compute', 'fake-compute-host').service_ref with mock.patch('nova.compute.api.HostAPI.service_update'): - self.common_policy_auth(self.system_admin_authorized_contexts, + self.common_policy_auth(self.project_admin_authorized_contexts, rule_name, self.controller.update, req, service.uuid, body={'status': 'enabled'}) @@ -107,7 +107,8 @@ class ServicesScopeTypePolicyTest(ServicesPolicyTest): # With scope checks enable, only system admin is able to perform # Service Operations. - self.system_admin_authorized_contexts = [self.system_admin_context] + self.project_admin_authorized_contexts = [self.legacy_admin_context, + self.project_admin_context] class ServicesScopeTypeNoLegacyPolicyTest(ServicesScopeTypePolicyTest): |