diff --git a/nova/policies/agents.py b/nova/policies/agents.py
index 00ba7fb2f6..cc6dc7441a 100644
--- a/nova/policies/agents.py
+++ b/nova/policies/agents.py
@@ -23,14 +23,14 @@ BASE_POLICY_NAME = 'os_compute_api:os-agents'
 
 agents_policies = [
     policy.DocumentedRuleDefault(
-        BASE_POLICY_NAME,
-        base.RULE_ADMIN_API,
-        """Create, list, update, and delete guest agent builds
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API,
+        description="""Create, list, update, and delete guest agent builds
 
 This is XenAPI driver specific.
 It is used to force the upgrade of the XenAPI guest agent on instance boot.
 """,
-        [
+        operations=[
             {
                 'path': '/os-agents',
                 'method': 'GET'
@@ -47,7 +47,8 @@ It is used to force the upgrade of the XenAPI guest agent on instance boot.
                 'path': '/os-agents/{agent_build_id}',
                 'method': 'DELETE'
             }
-        ]),
+        ],
+        scope_types=['system']),
 ]
diff --git a/nova/tests/unit/policies/test_agents.py b/nova/tests/unit/policies/test_agents.py
index cd78877152..0905f109a4 100644
--- a/nova/tests/unit/policies/test_agents.py
+++ b/nova/tests/unit/policies/test_agents.py
@@ -109,3 +109,17 @@ class AgentsScopeTypePolicyTest(AgentsPolicyTest):
     def setUp(self):
         super(AgentsScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system admin is able to perform the CRUD operation
+        # on agents.
+        self.admin_authorized_contexts = [
+            self.system_admin_context]
+        # Check that non-system or non-admin is not able to perform the CRUD
+        # operation on agents.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.project_admin_context,
+            self.system_foo_context, self.project_member_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context
+        ]
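Review bot: `scope_types=['system']` on the new line of the second hunk only restricts callers when `[oslo_policy] enforce_scope` is True; with the default of False, oslo.policy logs a warning on a scope mismatch and the `check_str=base.RULE_ADMIN_API` line remains the only effective gate, so a token carrying the admin role but scoped to a project presumably still passes. Nothing in the description string tells an operator reading the generated policy sample that the system-scope restriction is advisory until that flag is flipped. I would add a comment above the new line: `# Advisory until [oslo_policy] enforce_scope=True; until then check_str alone decides.` The test hunk in this commit exercises only the enforce_scope=True path, so the default-configuration behaviour is not covered here.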
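Review bot: The two lists assigned in setUp are a hand-maintained partition of the test contexts, so any context fixture added to the base test class later falls into neither list and the deny-side check silently skips it. If the base class exposes a collection of every context (whatever it is named there), a one-line equality assertion after the second assignment, comparing that collection to the union of `self.admin_authorized_contexts` and `self.admin_unauthorized_contexts`, would keep the deny list complete; I cannot tell from this hunk whether such a collection exists. The comment `# Check that non-system or non-admin is not able to perform the CRUD` understates what the list asserts, since it also contains `self.legacy_admin_context` and `self.project_admin_context`; `# Only a system-scoped admin may manage agents; legacy and project admins are denied once enforce_scope is on.` would be more precise. The class header is outside the hunk; setUp itself is fully visible.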