Diffstat (limited to 'nova/tests/unit/policies/test_aggregates.py')
-rw-r--r--nova/tests/unit/policies/test_aggregates.py157
1 files changed, 65 insertions, 92 deletions
diff --git a/nova/tests/unit/policies/test_aggregates.py b/nova/tests/unit/policies/test_aggregates.py
index ce3c00f30b..6ac7b6e010 100644
--- a/nova/tests/unit/policies/test_aggregates.py
+++ b/nova/tests/unit/policies/test_aggregates.py
@@ -10,7 +10,8 @@
# License for the specific language governing permissions and limitations
# under the License.
-import mock
+from unittest import mock
+
from oslo_utils.fixture import uuidsentinel as uuids
from nova.api.openstack.compute import aggregates
@@ -31,39 +32,19 @@ class AggregatesPolicyTest(base.BasePolicyTest):
super(AggregatesPolicyTest, self).setUp()
self.controller = aggregates.AggregateController()
self.req = fakes.HTTPRequest.blank('')
- # Check that admin is able to perform Aggregate Operations
- self.admin_authorized_contexts = [
+ # With legacy rule and scope check disabled by default, system admin,
+ # legacy admin, and project admin will be able to perform Aggregate
+ # Operations.
+ self.project_admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context]
- # Check that non-admin is not able to perform Aggregate Operations
- self.admin_unauthorized_contexts = [
- self.system_member_context, self.system_reader_context,
- self.system_foo_context, self.project_member_context,
- self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
- ]
-
- # Check that system reader is able to get Aggregate
- self.system_reader_authorized_contexts = [
- self.legacy_admin_context, self.system_admin_context,
- self.project_admin_context, self.system_member_context,
- self.system_reader_context]
- # Check that non-admin is not able to get Aggregate
- self.system_reader_unauthorized_contexts = [
- self.system_foo_context, self.project_member_context,
- self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
- ]
@mock.patch('nova.compute.api.AggregateAPI.get_aggregate_list')
def test_list_aggregate_policy(self, mock_list):
rule_name = "os_compute_api:os-aggregates:index"
- self.common_policy_check(self.system_reader_authorized_contexts,
- self.system_reader_unauthorized_contexts,
- rule_name, self.controller.index,
- self.req)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.index,
+ self.req)
@mock.patch('nova.compute.api.AggregateAPI.create_aggregate')
def test_create_aggregate_policy(self, mock_create):
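Review bot: The deny side of the check is no longer enumerated in the test — `common_policy_auth` at L62 receives only `self.project_admin_authorized_contexts`, so whether system_member, system_reader, project_reader and the other_project_* contexts are actually rejected now depends entirely on the base helper deriving the complement from its own full context list, which is outside this hunk. The removed lists at L35-L41 and L49-L54 were an explicit inventory; if the base class's context set does not contain every one of those entries, a context simply drops out of the deny assertions with no failure. The hunk also silently changes the read-only endpoints: index/show previously admitted system_member and system_reader (L44-L47) and now require admin like the mutating calls, which is worth recording next to the new comment, e.g. `# Note: index/show are admin-only too; system reader/member no longer get read access.` Confirm the base class's all-contexts list matches the removed inventory, and add the comment so the tightening is visible to the next maintainer.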
@@ -74,66 +55,59 @@ class AggregatesPolicyTest(base.BasePolicyTest):
"hosts": ["host1", "host2"]})
body = {"aggregate": {"name": "test",
"availability_zone": "nova1"}}
- self.common_policy_check(self.admin_authorized_contexts,
- self.admin_unauthorized_contexts,
- rule_name,
- self.controller.create,
- self.req, body=body)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name,
+ self.controller.create,
+ self.req, body=body)
@mock.patch('nova.compute.api.AggregateAPI.update_aggregate')
def test_update_aggregate_policy(self, mock_update):
rule_name = "os_compute_api:os-aggregates:update"
- self.common_policy_check(self.admin_authorized_contexts,
- self.admin_unauthorized_contexts,
- rule_name, self.controller.update,
- self.req, 1,
- body={"aggregate": {"name": "new_name"}})
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.update,
+ self.req, 1,
+ body={"aggregate": {"name": "new_name"}})
@mock.patch('nova.compute.api.AggregateAPI.delete_aggregate')
def test_delete_aggregate_policy(self, mock_delete):
rule_name = "os_compute_api:os-aggregates:delete"
- self.common_policy_check(self.admin_authorized_contexts,
- self.admin_unauthorized_contexts,
- rule_name,
- self.controller.delete,
- self.req, 1)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name,
+ self.controller.delete,
+ self.req, 1)
@mock.patch('nova.compute.api.AggregateAPI.get_aggregate')
def test_show_aggregate_policy(self, mock_show):
rule_name = "os_compute_api:os-aggregates:show"
- self.common_policy_check(self.system_reader_authorized_contexts,
- self.system_reader_unauthorized_contexts,
- rule_name, self.controller.show,
- self.req, 1)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.show,
+ self.req, 1)
@mock.patch('nova.compute.api.AggregateAPI.update_aggregate_metadata')
def test_set_metadata_aggregate_policy(self, mock_metadata):
rule_name = "os_compute_api:os-aggregates:set_metadata"
body = {"set_metadata": {"metadata": {"foo": "bar"}}}
- self.common_policy_check(self.admin_authorized_contexts,
- self.admin_unauthorized_contexts,
- rule_name,
- self.controller._set_metadata,
- self.req, 1, body=body)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name,
+ self.controller._set_metadata,
+ self.req, 1, body=body)
@mock.patch('nova.compute.api.AggregateAPI.add_host_to_aggregate')
def test_add_host_aggregate_policy(self, mock_add):
rule_name = "os_compute_api:os-aggregates:add_host"
- self.common_policy_check(self.admin_authorized_contexts,
- self.admin_unauthorized_contexts,
- rule_name, self.controller._add_host,
- self.req, 1,
- body={"add_host": {"host": "host1"}})
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller._add_host,
+ self.req, 1,
+ body={"add_host": {"host": "host1"}})
@mock.patch('nova.compute.api.AggregateAPI.remove_host_from_aggregate')
def test_remove_host_aggregate_policy(self, mock_remove):
rule_name = "os_compute_api:os-aggregates:remove_host"
- self.common_policy_check(self.admin_authorized_contexts,
- self.admin_unauthorized_contexts,
- rule_name,
- self.controller._remove_host,
- self.req, 1,
- body={"remove_host": {"host": "host1"}})
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name,
+ self.controller._remove_host,
+ self.req, 1,
+ body={"remove_host": {"host": "host1"}})
@mock.patch('nova.compute.api.AggregateAPI.get_aggregate')
def test_images_aggregate_policy(self, mock_get):
@@ -144,10 +118,21 @@ class AggregatesPolicyTest(base.BasePolicyTest):
body = {'cache': [{'id': uuids.fake_id}]}
req = fakes.HTTPRequest.blank('', version='2.81')
with mock.patch('nova.conductor.api.ComputeTaskAPI.cache_images'):
- self.common_policy_check(self.admin_authorized_contexts,
- self.admin_unauthorized_contexts,
- rule_name, self.controller.images,
- req, 1, body=body)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.images,
+ req, 1, body=body)
+
+
+class AggregatesNoLegacyNoScopePolicyTest(AggregatesPolicyTest):
+ """Test Aggregates APIs policies with no legacy deprecated rules
+ and no scope checks which means new defaults only. In this case
+ system admin, legacy admin, and project admin will be able to
+ perform Aggregate Operations. Legacy admin will be allowed as policy
+ is just admin if no scope checks.
+
+ """
+
+ without_deprecated_rules = True
class AggregatesScopeTypePolicyTest(AggregatesPolicyTest):
@@ -164,28 +149,16 @@ class AggregatesScopeTypePolicyTest(AggregatesPolicyTest):
super(AggregatesScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
- # Check that system admin is able to perform Aggregate Operations.
- self.admin_authorized_contexts = [
- self.system_admin_context]
- # Check that non-system or non-admin is not able to perform
- # Aggregate Operations.
- self.admin_unauthorized_contexts = [
- self.legacy_admin_context, self.system_member_context,
- self.system_reader_context, self.system_foo_context,
- self.project_admin_context, self.project_member_context,
- self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
- ]
- # Check that system reader is able to get Aggregate
- self.system_reader_authorized_contexts = [
- self.system_admin_context, self.system_member_context,
- self.system_reader_context]
- # Check that non-admin is not able to get Aggregate
- self.system_reader_unauthorized_contexts = [
- self.legacy_admin_context, self.project_admin_context,
- self.system_foo_context, self.project_member_context,
- self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
- ]
+ # With scope checks enabled, only project-scoped admins are
+ # able to perform Aggregate Operations.
+ self.project_admin_authorized_contexts = [self.legacy_admin_context,
+ self.project_admin_context]
+
+
+class AggregatesScopeTypeNoLegacyPolicyTest(AggregatesScopeTypePolicyTest):
+ """Test Aggregates APIs policies with no legacy deprecated rules
+ and scope checks enabled which means scope + new defaults so
+ only system admin is able to perform aggregates Operations.
+ """
+
+ without_deprecated_rules = True
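Review bot: The docstring of `AggregatesScopeTypeNoLegacyPolicyTest` (L214-L217) states that only system admin can perform aggregate operations, but the class overrides nothing, so it inherits `self.project_admin_authorized_contexts = [self.legacy_admin_context, self.project_admin_context]` from L209-L210 and therefore asserts the opposite: project admin and legacy admin pass, and system admin is on the denied side under enforce_scope. Either the docstring is stale or a `setUp` override is missing; from the rest of the hunk the former looks intended, so the last sentence should read `only project-scoped admins (legacy admin and project admin) are able to perform aggregate operations; a system-scoped admin is denied.` The comment at L207-L208 has the same ambiguity, since it says "only project-scoped admins" while listing `self.legacy_admin_context`; presumably that fixture is a project-scoped token with the admin role, and stating so inline would avoid a reader assuming a system-scope exception was kept.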