womax/nova
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add new default roles in migrate server policies

Browse Source 
This adds new defaults roles in migrate server API policies.
This policy is default to SYSTEM_ADMIN role.

Also add tests to simulates the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.

Partial implement blueprint policy-defaults-refresh

Change-Id: I220a1466437ea8582f3d1cee53ff031465d25447
This commit is contained in:
Ghanshyam Mann
2020-03-31 22:38:48 -05:00
parent 6c6d7e3dc2
commit 0605980b4e
2 changed files with 24 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nova/policies/migrate_server.py
+2 -2
View File
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-migrate-server:%s'
migrate_server_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'migrate',
check_str=base.RULE_ADMIN_API,
check_str=base.SYSTEM_ADMIN,
description="Cold migrate a server to a host",
operations=[
{
@@ -35,7 +35,7 @@ migrate_server_policies = [
scope_types=['system', 'project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'migrate_live',
check_str=base.RULE_ADMIN_API,
check_str=base.SYSTEM_ADMIN,
description="Live migrate a server to a new host without a reboot",
operations=[
{
nova/tests/unit/policies/test_migrate_server.py
+22
View File
@@ -101,3 +101,25 @@ class MigrateServerScopeTypePolicyTest(MigrateServerPolicyTest):
def setUp(self):
super(MigrateServerScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
class MigrateServerNoLegacyPolicyTest(MigrateServerScopeTypePolicyTest):
"""Test Migrate Server APIs policies with system scope enabled,
and no more deprecated rules.
"""
without_deprecated_rules = True
def setUp(self):
super(MigrateServerNoLegacyPolicyTest, self).setUp()
# Check that system admin is able to migrate the server.
self.admin_authorized_contexts = [
self.system_admin_context
]
# Check that non system admin is not able to migrate the server
self.admin_unauthorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.system_member_context, self.system_reader_context,
self.system_foo_context, self.project_member_context,
self.project_reader_context, self.project_foo_context,
self.other_project_member_context
]