diff --git a/nova/policies/migrate_server.py b/nova/policies/migrate_server.py
index bc8199f7f5..fe1c5b55e0 100644
--- a/nova/policies/migrate_server.py
+++ b/nova/policies/migrate_server.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-migrate-server:%s'
 migrate_server_policies = [
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'migrate',
- check_str=base.RULE_ADMIN_API,
+ check_str=base.SYSTEM_ADMIN,
 description="Cold migrate a server to a host",
 operations=[
 {
@@ -35,7 +35,7 @@ migrate_server_policies = [
 scope_types=['system', 'project']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'migrate_live',
- check_str=base.RULE_ADMIN_API,
+ check_str=base.SYSTEM_ADMIN,
 description="Live migrate a server to a new host without a reboot",
 operations=[
 {
diff --git a/nova/tests/unit/policies/test_migrate_server.py b/nova/tests/unit/policies/test_migrate_server.py
index 8abd645b56..be1aaa9972 100644
--- a/nova/tests/unit/policies/test_migrate_server.py
+++ b/nova/tests/unit/policies/test_migrate_server.py
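Review bot: Both rules changed in this file, `migrate` in the first hunk and `migrate_live` in the second, now default to `base.SYSTEM_ADMIN`, yet the `scope_types=['system', 'project']` line visible as context in the second hunk is left untouched, so the rule still advertises project scope. The definition of `base.SYSTEM_ADMIN` is not part of this diff, but if it requires a system-scoped token then a project-scoped admin can never satisfy the new default, and the listed project scope would only matter for a deprecated fallback. If that is the intent, I would add a comment above each `scope_types`, for example `# 'project' is kept only for the deprecated admin rule; drop it when that fallback is removed`, so an operator auditing who may move instances between hosts does not read the list as the intended access. Both rule definitions continue past the end of their hunks.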
@@ -101,3 +101,25 @@ class MigrateServerScopeTypePolicyTest(MigrateServerPolicyTest):
 def setUp(self):
 super(MigrateServerScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class MigrateServerNoLegacyPolicyTest(MigrateServerScopeTypePolicyTest):
+ """Test Migrate Server APIs policies with system scope enabled,
+ and no more deprecated rules.
+ """
+ without_deprecated_rules = True
+
+ def setUp(self):
+ super(MigrateServerNoLegacyPolicyTest, self).setUp()
+ # Check that system admin is able to migrate the server.
+ self.admin_authorized_contexts = [
+ self.system_admin_context
+ ]
+ # Check that non system admin is not able to migrate the server
+ self.admin_unauthorized_contexts = [
+ self.legacy_admin_context, self.project_admin_context,
+ self.system_member_context, self.system_reader_context,
+ self.system_foo_context, self.project_member_context,
+ self.project_reader_context, self.project_foo_context,
+ self.other_project_member_context
+ ]
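Review bot: The tightened default is asserted only in `MigrateServerNoLegacyPolicyTest`, which sets `without_deprecated_rules = True`; the parent `MigrateServerScopeTypePolicyTest` keeps whatever context lists it inherits, so nothing in this hunk shows what a legacy or project admin gets while deprecated rules are still in effect. If the old admin check remains a fallback in that mode (not visible here), the class docstring should say so, for example by adding `Only in this mode are legacy and project-scoped admins denied migrate and migrate_live.` The list in `admin_unauthorized_contexts` is also written out by hand, so a context added to the base fixture later would go unchecked here unless someone remembers to extend it; a one-line comment noting that the two lists must together cover every context in the fixture would help.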