author | Ghanshyam Mann <gmann@ghanshyammann.com> | 2020-08-17 17:06:01 -0500 |
---|---|---|
committer | Ghanshyam Mann <gmann@ghanshyammann.com> | 2020-08-22 09:35:29 -0500 |
commit | 521ea08467a61e4d131b79812844d855cc2cc098 (patch) | |
tree | 3408086c8c2fe63571f80f00dddb3ceb2b5fd424 /nova/policies | |
parent | 583672c03cc91a8e4f5178cb060c2f61d900cfd9 (diff) | |
download | nova-521ea08467a61e4d131b79812844d855cc2cc098.tar.gz |
Few todo fixes for API new policies
1. Add testing context 'self.other_project_reader_context'
for remaining tests.
2. Replace REQUESTED_DESTINATION policy check_str with 'PROJECT_ADMIN'
so that it will be easy to remove the deprecated RULE_ADMIN_API rule.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: Ibf88029af32376788134427be99d219784f8e333
Diffstat (limited to 'nova/policies')
-rw-r--r-- | nova/policies/servers.py | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/nova/policies/servers.py b/nova/policies/servers.py
index 811030bdb7..eda3019fe5 100644
--- a/nova/policies/servers.py
+++ b/nova/policies/servers.py
@@ -16,7 +16,6 @@ from oslo_policy import policy
 from nova.policies import base
-RULE_AOO = base.RULE_ADMIN_OR_OWNER
 SERVERS = 'os_compute_api:servers:%s'
 NETWORK_ATTACH_EXTERNAL = 'network:attach_external_network'
 ZERO_DISK_FLAVOR = SERVERS % 'create:zero_disk_flavor'
@@ -204,7 +203,18 @@ host and/or node by bypassing the scheduler filters unlike the
 scope_types=['system', 'project']),
 policy.DocumentedRuleDefault(
 name=REQUESTED_DESTINATION,
- check_str=base.RULE_ADMIN_API,
+ # TODO(gmann): We need to make it SYSTEM_ADMIN.
+ # PROJECT_ADMIN is added for now because create server
+ # policy is project scoped and there is no way to
+ # pass the project_id in request body for system scoped
+ # roles so that create server for other project with requested
+ # destination.
+ # To achieve that, we need to update the create server API to
+ # accept the project_id for whom the server needs to be created
+ # and then change the scope of this policy to system-only
+ # Because that is API change it needs to be done with new
+ # microversion.
+ check_str=base.PROJECT_ADMIN,
 description="""
 Create a server on the requested compute service host and/or
 hypervisor_hostname. |
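Review bot: The TODO block above `check_str=base.PROJECT_ADMIN` in the second hunk is hard to parse at "roles so that create server for other project with requested destination", and it does not state plainly which default is in force in the interim. This rule decides who may place a new server on a chosen host or hypervisor, so the comment should lead with the decision, for example `# TODO(gmann): switch to SYSTEM_ADMIN once create server accepts a project_id (API change, needs a new microversion).`, followed by one line saying that PROJECT_ADMIN is the interim default because the create policy is project scoped. The rest of this `DocumentedRuleDefault` call, including its `scope_types`, falls below the hunk, and what `base.PROJECT_ADMIN` expands to is not visible here. Both are worth confirming against the new check string, so that the default is neither broader than the old `RULE_ADMIN_API` nor mismatched with the rule's declared scope.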