1 files changed, 40 insertions, 63 deletions

diff --git a/nova/tests/unit/policies/test_server_topology.py b/nova/tests/unit/policies/test_server_topology.py
index 51a3206a97..e2f81dfaad 100644
--- a/nova/tests/unit/policies/test_server_topology.py
+++ b/nova/tests/unit/policies/test_server_topology.py
@@ -51,40 +51,23 @@ class ServerTopologyPolicyTest(base.BasePolicyTest):
 
         # Check that system reader or and server owner is able to get
         # the server topology.
-        self.system_reader_or_owner_authorized_contexts = [
+        # With legacy rule and no scope checks, all admin is able to get
+        # server topology wth host info.
+        self.project_admin_authorized_contexts = [
             self.legacy_admin_context, self.system_admin_context,
-            self.project_admin_context, self.project_member_context,
-            self.project_reader_context, self.project_foo_context,
-            self.system_member_context, self.system_reader_context]
-        # Check that non-stem reader/owner is not able to get
-        # the server topology.
-        self.system_reader_or_owner_unauthorized_contexts = [
-            self.system_foo_context, self.other_project_member_context,
-            self.other_project_reader_context,
-        ]
-        # Check that system reader is able to get the server topology
-        # host information.
-        self.system_reader_authorized_contexts = [
+            self.project_admin_context]
+        # and project reader can get their server topology without host info.
+        self.project_reader_authorized_contexts = [
             self.legacy_admin_context, self.system_admin_context,
-            self.project_admin_context, self.system_member_context,
-            self.system_reader_context]
-        # Check that non-system reader is not able to get the server topology
-        # host information.
-        self.system_reader_unauthorized_contexts = [
-            self.system_foo_context, self.project_member_context,
-            self.other_project_member_context,
-            self.project_foo_context, self.project_reader_context,
-            self.other_project_reader_context
-        ]
+            self.project_admin_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context]
 
     def test_index_server_topology_policy(self):
         rule_name = policies.BASE_POLICY_NAME % 'index'
-        self.common_policy_check(
-            self.system_reader_or_owner_authorized_contexts,
-            self.system_reader_or_owner_unauthorized_contexts,
-            rule_name,
-            self.controller.index,
-            self.req, self.instance.uuid)
+        self.common_policy_auth(self.project_reader_authorized_contexts,
+                                rule_name,
+                                self.controller.index,
+                                self.req, self.instance.uuid)
 
     def test_index_host_server_topology_policy(self):
         rule_name = policies.BASE_POLICY_NAME % 'host:index'
@@ -93,9 +76,8 @@ class ServerTopologyPolicyTest(base.BasePolicyTest):
         # fail first for unauthorized contexts.
         rule = policies.BASE_POLICY_NAME % 'index'
         self.policy.set_rules({rule: "@"}, overwrite=False)
-        authorize_res, unauthorize_res = self.common_policy_check(
-            self.system_reader_authorized_contexts,
-            self.system_reader_unauthorized_contexts,
+        authorize_res, unauthorize_res = self.common_policy_auth(
+            self.project_admin_authorized_contexts,
             rule_name, self.controller.index, self.req, self.instance.uuid,
             fatal=False)
         for resp in authorize_res:
@@ -106,6 +88,20 @@ class ServerTopologyPolicyTest(base.BasePolicyTest):
             self.assertNotIn('cpu_pinning', resp['nodes'][0])
 
 
+class ServerTopologyNoLegacyNoScopePolicyTest(ServerTopologyPolicyTest):
+    """Test Server Topology APIs policies with no legacy deprecated rules
+    and no scope checks.
+
+    """
+
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(ServerTopologyNoLegacyNoScopePolicyTest, self).setUp()
+        self.project_reader_authorized_contexts = (
+            self.project_reader_or_admin_with_no_scope_no_legacy)
+
+
 class ServerTopologyScopeTypePolicyTest(ServerTopologyPolicyTest):
     """Test Server Topology APIs policies with system scope enabled.
     This class set the nova.conf [oslo_policy] enforce_scope to True
@@ -119,24 +115,15 @@ class ServerTopologyScopeTypePolicyTest(ServerTopologyPolicyTest):
     def setUp(self):
         super(ServerTopologyScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
-
-        # Check that system reader is able to get the server topology
-        # host information.
-        self.system_reader_authorized_contexts = [
-            self.system_admin_context, self.system_member_context,
-            self.system_reader_context]
-        # Check that non-system/reader is not able to get the server topology
-        # host information.
-        self.system_reader_unauthorized_contexts = [
-            self.legacy_admin_context, self.system_foo_context,
-            self.project_admin_context, self.project_member_context,
-            self.other_project_member_context,
-            self.project_foo_context, self.project_reader_context,
-            self.other_project_reader_context,
-        ]
+        # With Scope enable, system users no longer allowed.
+        self.project_admin_authorized_contexts = [
+            self.legacy_admin_context, self.project_admin_context]
+        self.project_reader_authorized_contexts = (
+            self.project_m_r_or_admin_with_scope_and_legacy)
 
 
-class ServerTopologyNoLegacyPolicyTest(ServerTopologyScopeTypePolicyTest):
+class ServerTopologyScopeTypeNoLegacyPolicyTest(
+        ServerTopologyScopeTypePolicyTest):
     """Test Server Topology APIs policies with system scope enabled,
     and no more deprecated rules that allow the legacy admin API to
     access system APIs.
@@ -144,18 +131,8 @@ class ServerTopologyNoLegacyPolicyTest(ServerTopologyScopeTypePolicyTest):
     without_deprecated_rules = True
 
     def setUp(self):
-        super(ServerTopologyNoLegacyPolicyTest, self).setUp()
-        # Check that system reader/owner is able to get
-        # the server topology.
-        self.system_reader_or_owner_authorized_contexts = [
-            self.system_admin_context,
-            self.project_admin_context, self.project_member_context,
-            self.system_member_context, self.system_reader_context,
-            self.project_reader_context]
-        # Check that non-system/reader/owner is not able to get
-        # the server topology.
-        self.system_reader_or_owner_unauthorized_contexts = [
-            self.legacy_admin_context, self.system_foo_context,
-            self.other_project_member_context, self.project_foo_context,
-            self.other_project_reader_context,
-        ]
+        super(ServerTopologyScopeTypeNoLegacyPolicyTest, self).setUp()
+        # With no legacy and scope enable, only project admin, member,
+        # and reader will be able to get server topology.
+        self.project_reader_authorized_contexts = (
+            self.project_reader_or_admin_with_scope_no_legacy)