Diffstat (limited to 'nova/tests/unit/policies/test_baremetal_nodes.py')
-rw-r--r--nova/tests/unit/policies/test_baremetal_nodes.py79
1 files changed, 38 insertions, 41 deletions
diff --git a/nova/tests/unit/policies/test_baremetal_nodes.py b/nova/tests/unit/policies/test_baremetal_nodes.py
index 77e6def26d..68f02087c4 100644
--- a/nova/tests/unit/policies/test_baremetal_nodes.py
+++ b/nova/tests/unit/policies/test_baremetal_nodes.py
@@ -10,7 +10,8 @@
# License for the specific language governing permissions and limitations
# under the License.
-import mock
+from unittest import mock
+
from oslo_utils.fixture import uuidsentinel as uuids
from nova.api.openstack.compute import baremetal_nodes
@@ -40,25 +41,17 @@ class BaremetalNodesPolicyTest(base.BasePolicyTest):
self.stub_out('nova.api.openstack.compute.'
'baremetal_nodes._get_ironic_client',
lambda *_: FAKE_IRONIC_CLIENT)
- # Check that system reader is able to get baremetal nodes.
- self.system_reader_authorized_contexts = [
+ # With legacy rule and scope check disabled by default, system admin,
+ # legacy admin, and project admin will be able to get baremetal nodes.
+ self.project_admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
- self.project_admin_context, self.system_member_context,
- self.system_reader_context]
- # Check that non-system-reader is not able to get baremetal nodes.
- self.system_reader_unauthorized_contexts = [
- self.system_foo_context, self.project_member_context,
- self.other_project_member_context,
- self.project_foo_context, self.project_reader_context,
- self.other_project_reader_context
- ]
+ self.project_admin_context]
def test_index_nodes_policy(self):
rule_name = "os_compute_api:os-baremetal-nodes:list"
- self.common_policy_check(self.system_reader_authorized_contexts,
- self.system_reader_unauthorized_contexts,
- rule_name, self.controller.index,
- self.req)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.index,
+ self.req)
@mock.patch.object(FAKE_IRONIC_CLIENT.node, 'list_ports')
@mock.patch.object(FAKE_IRONIC_CLIENT.node, 'get')
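Review bot: The explicit deny list is removed from setUp and `common_policy_auth` in test_index_nodes_policy receives only `project_admin_authorized_contexts`, so nothing visible in this hunk asserts that the system_member, system_reader, project member and reader contexts are rejected. If the helper treats every context outside the authorized list as denied, a comment in setUp should say so, for example `# Every context not listed here is expected to be rejected by common_policy_auth.`; if it does not, the negative path for this admin-only API has lost its coverage. The show test in the next hunk has the same shape. setUp begins outside the hunk, so the rest of its setup is not visible here.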
@@ -69,11 +62,22 @@ class BaremetalNodesPolicyTest(base.BasePolicyTest):
mock_get.return_value = node
mock_port.return_value = []
- self.common_policy_check(self.system_reader_authorized_contexts,
- self.system_reader_unauthorized_contexts,
- rule_name,
- self.controller.show,
- self.req, uuids.fake_id)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name,
+ self.controller.show,
+ self.req, uuids.fake_id)
+
+
+class BaremetalNodesNoLegacyNoScopePolicyTest(BaremetalNodesPolicyTest):
+ """Test Baremetal Nodes APIs policies with no legacy deprecated rules
+ and no scope checks which means new defaults only. In that case
+ system admin, legacy admin, and project admin will be able to get
+ Baremetal nodes Legacy admin will be allowed as policy is just admin if
+ no scope checks.
+
+ """
+
+ without_deprecated_rules = True
class BaremetalNodesScopeTypePolicyTest(BaremetalNodesPolicyTest):
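Review bot: BaremetalNodesNoLegacyNoScopePolicyTest sets `without_deprecated_rules = True` but defines no `rules_without_deprecation`, while BNScopeTypeNoLegacyPolicyTest later in this diff overrides both the list and show rules to `base_policy.ADMIN`. Unless the base class supplies those overrides (not visible here), this class may run against the same effective rules as its parent and add no coverage of the new defaults; mirroring the two-entry `rules_without_deprecation` dict here would make the intent explicit. The docstring also runs two sentences together at "Baremetal nodes Legacy admin"; it should read `Baremetal nodes. Legacy admin is allowed because the policy is just admin when scope checks are off.`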
@@ -91,28 +95,21 @@ class BaremetalNodesScopeTypePolicyTest(BaremetalNodesPolicyTest):
super(BaremetalNodesScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
- # Check that system reader is able to get baremetal nodes.
- self.system_reader_authorized_contexts = [
- self.system_admin_context, self.system_member_context,
- self.system_reader_context]
- # Check that non-system or non-reader is not able to get
- # baremetal nodes.
- self.system_reader_unauthorized_contexts = [
- self.legacy_admin_context, self.system_foo_context,
- self.project_admin_context, self.project_member_context,
- self.other_project_member_context,
- self.project_foo_context, self.project_reader_context,
- self.other_project_reader_context
- ]
-
-
-class BaremetalNodesNoLegacyPolicyTest(BaremetalNodesScopeTypePolicyTest):
- """Test Baremetal Nodes APIs policies with system scope enabled,
- and no more deprecated rules.
+ # With scope checks enable, only project-scoped admins are
+ # able to get baremetal nodes.
+ self.project_admin_authorized_contexts = [self.legacy_admin_context,
+ self.project_admin_context]
+
+
+class BNScopeTypeNoLegacyPolicyTest(BaremetalNodesScopeTypePolicyTest):
+ """Test Baremetal Nodes APIs policies with no legacy deprecated rules
+ and scope checks enabled which means scope + new defaults so
+ only system admin is able to get baremetal nodes.
"""
+
without_deprecated_rules = True
rules_without_deprecation = {
policies.BASE_POLICY_NAME % 'list':
- base_policy.SYSTEM_READER,
+ base_policy.ADMIN,
policies.BASE_POLICY_NAME % 'show':
- base_policy.SYSTEM_READER}
+ base_policy.ADMIN}
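Review bot: The docstring of BNScopeTypeNoLegacyPolicyTest says "only system admin is able to get baremetal nodes", which contradicts the list it inherits, `[self.legacy_admin_context, self.project_admin_context]`, where system_admin_context is absent. A reader checking who may reach this API would take the wrong answer from the docstring; its last line should match the setUp comment, for example `only project-scoped admins (legacy admin and project admin) are able to get baremetal nodes.` The setUp comment itself has a typo, "With scope checks enable" should be "enabled". setUp starts outside the hunk.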