Diffstat (limited to 'nova/tests/unit/policies/test_hypervisors.py')
-rw-r--r--nova/tests/unit/policies/test_hypervisors.py130
1 files changed, 57 insertions, 73 deletions
diff --git a/nova/tests/unit/policies/test_hypervisors.py b/nova/tests/unit/policies/test_hypervisors.py
index 2b9eefcfd9..dd17ebe2fe 100644
--- a/nova/tests/unit/policies/test_hypervisors.py
+++ b/nova/tests/unit/policies/test_hypervisors.py
@@ -10,7 +10,7 @@
# License for the specific language governing permissions and limitations
# under the License.
-import mock
+from unittest import mock
from nova.api.openstack.compute import hypervisors
from nova.policies import base as base_policy
@@ -36,76 +36,67 @@ class HypervisorsPolicyTest(base.BasePolicyTest):
self.controller.host_api.service_get_by_compute_host = mock.MagicMock()
self.controller.host_api.compute_node_get = mock.MagicMock()
- # Check that system scoped admin, member and reader are able to
- # perform operations on hypervisors.
- # NOTE(gmann): Until old default rule which is admin_api is
- # deprecated and not removed, project admin and legacy admin
- # will be able to get hypervisors. This make sure that existing
- # tokens will keep working even we have changed this policy defaults
- # to reader role.
- self.reader_authorized_contexts = [
- self.system_admin_context, self.system_member_context,
- self.system_reader_context, self.legacy_admin_context,
+ # With legacy rule and scope check disabled by default, system admin,
+ # legacy admin, and project admin will be able to perform hypervisors
+ # Operations.
+ self.project_admin_authorized_contexts = [
+ self.legacy_admin_context, self.system_admin_context,
self.project_admin_context]
- # Check that non-system-reader are not able to perform operations
- # on hypervisors
- self.reader_unauthorized_contexts = [
- self.system_foo_context, self.other_project_member_context,
- self.project_foo_context, self.project_member_context,
- self.project_reader_context,
- self.other_project_reader_context,
- ]
def test_list_hypervisors_policy(self):
rule_name = hv_policies.BASE_POLICY_NAME % 'list'
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name, self.controller.index,
- self.req)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.index,
+ self.req)
def test_list_details_hypervisors_policy(self):
rule_name = hv_policies.BASE_POLICY_NAME % 'list-detail'
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name, self.controller.detail,
- self.req)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.detail,
+ self.req)
def test_show_hypervisors_policy(self):
rule_name = hv_policies.BASE_POLICY_NAME % 'show'
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name, self.controller.show,
- self.req, 11111)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.show,
+ self.req, 11111)
@mock.patch('nova.compute.api.HostAPI.get_host_uptime')
def test_uptime_hypervisors_policy(self, mock_uptime):
rule_name = hv_policies.BASE_POLICY_NAME % 'uptime'
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name, self.controller.uptime,
- self.req, 11111)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.uptime,
+ self.req, 11111)
def test_search_hypervisors_policy(self):
rule_name = hv_policies.BASE_POLICY_NAME % 'search'
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name, self.controller.search,
- self.req, 11111)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.search,
+ self.req, 11111)
def test_servers_hypervisors_policy(self):
rule_name = hv_policies.BASE_POLICY_NAME % 'servers'
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name, self.controller.servers,
- self.req, 11111)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.servers,
+ self.req, 11111)
@mock.patch('nova.compute.api.HostAPI.compute_node_statistics')
def test_statistics_hypervisors_policy(self, mock_statistics):
rule_name = hv_policies.BASE_POLICY_NAME % 'statistics'
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name, self.controller.statistics,
- self.req)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.statistics,
+ self.req)
+
+
+class HypervisorsNoLegacyNoScopePolicyTest(HypervisorsPolicyTest):
+ """Test Hypervisors APIs policies with no legacy deprecated rules
+ and no scope checks which means new defaults only. In this case
+ system admin, legacy admin, and project admin will be able to perform
+ Hypervisors Operations. Legacy admin will be allowed as policy is just
+ admin if no scope checks.
+ """
+
+ without_deprecated_rules = True
class HypervisorsScopeTypePolicyTest(HypervisorsPolicyTest):
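Review bot: HypervisorsNoLegacyNoScopePolicyTest, added at the end of this hunk, sets `without_deprecated_rules = True` but, unlike its sibling HypervisorsScopeTypeNoLegacyPolicyTest in the next hunk, defines no `rules_without_deprecation` mapping, so it presumably inherits whatever default the base test class provides. If the base fixture relies on that mapping to install the new defaults, this class may still run with the deprecated rule OR-ed into each policy and would then not be exercising the "new defaults only" case its docstring describes. Either give it the same ADMIN mapping the sibling class declares (or hoist that mapping to a module-level constant shared by both), or record the reason it is unnecessary with a comment such as `# rules_without_deprecation is intentionally not overridden here; confirm the base default covers the no-legacy case.` The enclosing class HypervisorsPolicyTest, whose setUp this hunk edits, starts before the hunk.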
@@ -122,40 +113,33 @@ class HypervisorsScopeTypePolicyTest(HypervisorsPolicyTest):
super(HypervisorsScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
- # Check that system reader is able to perform operations
- # on hypervisors.
- self.reader_authorized_contexts = [
- self.system_admin_context, self.system_member_context,
- self.system_reader_context]
- # Check that non-system-reader is not able to perform operations
- # on hypervisors.
- self.reader_unauthorized_contexts = [
- self.legacy_admin_context, self.project_admin_context,
- self.system_foo_context, self.project_member_context,
- self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
- ]
-
-
-class HypervisorsNoLegacyPolicyTest(HypervisorsScopeTypePolicyTest):
- """Test Hypervisors APIs policies with system scope enabled,
- and no more deprecated rules.
+ # With scope checks enable, only system admin is able to perform
+ # hypervisors Operations.
+ self.project_admin_authorized_contexts = [self.legacy_admin_context,
+ self.project_admin_context]
+
+
+class HypervisorsScopeTypeNoLegacyPolicyTest(HypervisorsScopeTypePolicyTest):
+ """Test Hypervisors APIs policies with no legacy deprecated rules
+ and scope checks enabled which means scope + new defaults so
+ only system admin is able to perform hypervisors Operations.
"""
+
without_deprecated_rules = True
+
rules_without_deprecation = {
hv_policies.BASE_POLICY_NAME % 'list':
- base_policy.SYSTEM_READER,
+ base_policy.ADMIN,
hv_policies.BASE_POLICY_NAME % 'list-detail':
- base_policy.SYSTEM_READER,
+ base_policy.ADMIN,
hv_policies.BASE_POLICY_NAME % 'show':
- base_policy.SYSTEM_READER,
+ base_policy.ADMIN,
hv_policies.BASE_POLICY_NAME % 'statistics':
- base_policy.SYSTEM_READER,
+ base_policy.ADMIN,
hv_policies.BASE_POLICY_NAME % 'uptime':
- base_policy.SYSTEM_READER,
+ base_policy.ADMIN,
hv_policies.BASE_POLICY_NAME % 'search':
- base_policy.SYSTEM_READER,
+ base_policy.ADMIN,
hv_policies.BASE_POLICY_NAME % 'servers':
- base_policy.SYSTEM_READER,
+ base_policy.ADMIN,
}
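Review bot: The comment added in HypervisorsScopeTypePolicyTest.setUp says `only system admin is able to perform hypervisors Operations`, but the list it introduces contains `self.legacy_admin_context` and `self.project_admin_context` and omits `self.system_admin_context`, so the comment and the list contradict each other. If the intent is that these policies are project-scoped (system-scoped tokens rejected once enforce_scope=True), the comment should read `# With scope checks enabled, only project admin (and legacy admin) are able to perform hypervisors operations.`; if system admin really is meant, the list is what needs correcting. The docstring of HypervisorsScopeTypeNoLegacyPolicyTest repeats the same "only system admin" statement and should be aligned with whichever is correct. setUp begins outside the hunk.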