authoryuntong <yuntongjin@gmail.com>2015-02-26 16:49:29 +0800
committerHe Jie Xu <hejie.xu@intel.com>2015-03-16 11:33:51 +0800
commit73ff0edb2ad79bd6849b64cec562290775d3cccc (patch)
treea8eaadf0c883a749a9fd291aad9d549cdec8e6e1
parent973ca44db7d9c55df9366da6b6f36f5169b5d19e (diff)
Move policy enforcement into REST API layer for v2.1 api volume_attachment
This patch moves policy enforcement into the REST API layer for v2.1 api volume_attachment, and adds unit tests. Partially implements blueprint v3-api-policy Change-Id: Ia069d12f5fb9d6efb22e14a8656dc913d5a23cb6
-rw-r--r--nova/api/openstack/compute/plugins/v3/volumes.py7
-rw-r--r--nova/tests/unit/api/openstack/compute/contrib/test_volumes.py77
2 files changed, 80 insertions, 4 deletions
diff --git a/nova/api/openstack/compute/plugins/v3/volumes.py b/nova/api/openstack/compute/plugins/v3/volumes.py
index f5140ad464..37b781f3e5 100644
--- a/nova/api/openstack/compute/plugins/v3/volumes.py
+++ b/nova/api/openstack/compute/plugins/v3/volumes.py
@@ -30,9 +30,8 @@ from nova import objects
from nova import volume
ALIAS = "os-volumes"
-authorize = extensions.extension_authorizer('compute', 'v3:' + ALIAS)
-authorize_attach = extensions.extension_authorizer('compute',
- 'v3:os-volumes-attachments')
+authorize = extensions.os_compute_authorizer(ALIAS)
+authorize_attach = extensions.os_compute_authorizer('os-volumes-attachments')
def _translate_volume_detail_view(context, vol):
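Review bot: The policy rule names that `authorize` and `authorize_attach` enforce are no longer visible at these two assignments, because the `'v3:'` prefix that used to be spelled out is now left to `extensions.os_compute_authorizer`. The tests added later in this commit still expect `compute_extension:v3:os-volumes` and `compute_extension:v3:os-volumes-attachments:<action>`, so the names appear unchanged, but entries in a deployer's policy file would stop applying if the helper ever built a different string. I would add a comment above the assignments such as `# Rules checked: compute_extension:v3:os-volumes and compute_extension:v3:os-volumes-attachments:<action>`.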
@@ -217,7 +216,7 @@ class VolumeAttachmentController(wsgi.Controller):
"""
def __init__(self):
- self.compute_api = compute.API()
+ self.compute_api = compute.API(skip_policy_check=True)
self.volume_api = volume.API()
super(VolumeAttachmentController, self).__init__()
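Review bot: With `skip_policy_check=True` on the line that builds `self.compute_api`, the `authorize`/`authorize_attach` calls in this controller appear to become the only policy enforcement for the compute calls it makes, and nothing at this line records that. The handler methods (index, show, create, update, delete) are outside the hunk, so whether each one calls an authorizer before using `self.compute_api` cannot be confirmed from this diff and should be checked. Judging by the flag name, a handler added later without such a call would reach the compute API with no policy check. I would add a comment above the assignment, e.g. `# Policy is enforced by authorize()/authorize_attach() in each handler; the compute API check is skipped, so every handler must authorize first.`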
diff --git a/nova/tests/unit/api/openstack/compute/contrib/test_volumes.py b/nova/tests/unit/api/openstack/compute/contrib/test_volumes.py
index cb36b35f43..5c32de2da6 100644
--- a/nova/tests/unit/api/openstack/compute/contrib/test_volumes.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_volumes.py
@@ -856,3 +856,80 @@ class TestAssistedVolumeSnapshotsPolicyEnforcementV21(test.NoDBTestCase):
self.assertEqual(
"Policy doesn't allow %s to be performed." % rule_name,
exc.format_message())
+
+
+class TestVolumeAttachPolicyEnforcementV21(test.NoDBTestCase):
+
+ def setUp(self):
+ super(TestVolumeAttachPolicyEnforcementV21, self).setUp()
+ self.controller = volumes_v21.VolumeAttachmentController()
+ self.req = fakes.HTTPRequest.blank('')
+
+ def _common_policy_check(self, rules, rule_name, func, *arg, **kwarg):
+ self.policy.set_rules(rules)
+ exc = self.assertRaises(
+ exception.PolicyNotAuthorized, func, *arg, **kwarg)
+ self.assertEqual(
+ "Policy doesn't allow %s to be performed." % rule_name,
+ exc.format_message())
+
+ def test_index_volume_attach_policy_failed(self):
+ rule_name = "compute_extension:v3:os-volumes-attachments:index"
+ rules = {rule_name: "project:non_fake"}
+ self._common_policy_check(rules, rule_name,
+ self.controller.index, self.req, FAKE_UUID)
+
+ def test_show_volume_attach_policy_failed(self):
+ rule_name = "compute_extension:v3:os-volumes"
+ rules = {"compute_extension:v3:os-volumes-attachments:show": "@",
+ rule_name: "project:non_fake"}
+ self._common_policy_check(rules, rule_name, self.controller.show,
+ self.req, FAKE_UUID, FAKE_UUID_A)
+
+ rule_name = "compute_extension:v3:os-volumes-attachments:show"
+ rules = {"compute_extension:v3:os-volumes": "@",
+ rule_name: "project:non_fake"}
+ self._common_policy_check(rules, rule_name, self.controller.show,
+ self.req, FAKE_UUID, FAKE_UUID_A)
+
+ def test_create_volume_attach_policy_failed(self):
+ rule_name = "compute_extension:v3:os-volumes"
+ rules = {"compute_extension:v3:os-volumes-attachments:create": "@",
+ rule_name: "project:non_fake"}
+ body = {'volumeAttachment': {'volumeId': FAKE_UUID_A,
+ 'device': '/dev/fake'}}
+ self._common_policy_check(rules, rule_name, self.controller.create,
+ self.req, FAKE_UUID, body=body)
+
+ rule_name = "compute_extension:v3:os-volumes-attachments:create"
+ rules = {"compute_extension:v3:os-volumes": "@",
+ rule_name: "project:non_fake"}
+ self._common_policy_check(rules, rule_name, self.controller.create,
+ self.req, FAKE_UUID, body=body)
+
+ def test_update_volume_attach_policy_failed(self):
+ rule_name = "compute_extension:v3:os-volumes"
+ rules = {"compute_extension:v3:os-volumes-attachments:update": "@",
+ rule_name: "project:non_fake"}
+ body = {'volumeAttachment': {'volumeId': FAKE_UUID_B}}
+ self._common_policy_check(rules, rule_name, self.controller.update,
+ self.req, FAKE_UUID, FAKE_UUID_A, body=body)
+
+ rule_name = "compute_extension:v3:os-volumes-attachments:update"
+ rules = {"compute_extension:v3:os-volumes": "@",
+ rule_name: "project:non_fake"}
+ self._common_policy_check(rules, rule_name, self.controller.update,
+ self.req, FAKE_UUID, FAKE_UUID_A, body=body)
+
+ def test_delete_volume_attach_policy_failed(self):
+ rule_name = "compute_extension:v3:os-volumes"
+ rules = {"compute_extension:v3:os-volumes-attachments:delete": "@",
+ rule_name: "project:non_fake"}
+ self._common_policy_check(rules, rule_name, self.controller.delete,
+ self.req, FAKE_UUID, FAKE_UUID_A)
+
+ rule_name = "compute_extension:v3:os-volumes-attachments:delete"
+ rules = {"compute_extension:v3:os-volumes": "@",
+ rule_name: "project:non_fake"}
+ self._common_policy_check(rules, rule_name, self.controller.delete,
+ self.req, FAKE_UUID, FAKE_UUID_A)
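Review bot: `test_index_volume_attach_policy_failed` denies only the `os-volumes-attachments:index` rule, while the show, create, update and delete tests each cover two cases: the base `compute_extension:v3:os-volumes` rule denied and the action rule denied. If `index` also goes through `authorize` (the controller method is not in this diff), a second case with `rule_name = "compute_extension:v3:os-volumes"` and `rules = {"compute_extension:v3:os-volumes-attachments:index": "@", rule_name: "project:non_fake"}` would close the gap; if it does not, a short comment saying so would explain the asymmetry. Separately, `_common_policy_check` ends in the same assertion as the context lines of the preceding test class, so it looks like a copy that could live in a shared base class.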