From ac68939cc5a83f5e5ce7757d0a03651909aa32a4 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Thu, 9 Jan 2020 01:43:02 +0000
Subject: [PATCH] Introduce scope_types in os-aggregates policy

oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level.
- https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
- http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html

Appropriate scope_type for nova case:
- https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope

This commit introduce scope_type for os-aggregates API policies as 'system'. Also adds the test case with scope_type enabled and verify we pass and fail the policy check with expected context.

Partial implement blueprint policy-defaults-refresh

Change-Id: Id920574fd7fa59f2a10e33dc458485bb4848347c
---
 nova/policies/aggregates.py | 99 +++++++++++----------
 nova/tests/unit/policies/test_aggregates.py | 13 +++
 2 files changed, 67 insertions(+), 45 deletions(-)

diff --git a/nova/policies/aggregates.py b/nova/policies/aggregates.py
index 8065b00d8d..5b6f7a51ea 100644
--- a/nova/policies/aggregates.py
+++ b/nova/policies/aggregates.py
@@ -24,95 +24,104 @@ NEW_POLICY_ROOT = 'compute:aggregates:%s'
 aggregates_policies = [
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'set_metadata',
- base.RULE_ADMIN_API,
- "Create or replace metadata for an aggregate",
- [
+ name=POLICY_ROOT % 'set_metadata',
+ check_str=base.RULE_ADMIN_API,
+ description="Create or replace metadata for an aggregate",
+ operations=[
 {
 'path': '/os-aggregates/{aggregate_id}/action (set_metadata)',
 'method': 'POST'
 }
- ]),
+ ],
+ scope_types=['system']),
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'add_host',
- base.RULE_ADMIN_API,
- "Add a host to an aggregate",
- [
+ name=POLICY_ROOT % 'add_host',
+ check_str=base.RULE_ADMIN_API,
+ description="Add a host to an aggregate",
+ operations=[
 {
 'path': '/os-aggregates/{aggregate_id}/action (add_host)',
 'method': 'POST'
 }
- ]),
+ ],
+ scope_types=['system']),
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'create',
- base.RULE_ADMIN_API,
- "Create an aggregate",
- [
+ name=POLICY_ROOT % 'create',
+ check_str=base.RULE_ADMIN_API,
+ description="Create an aggregate",
+ operations=[
 {
 'path': '/os-aggregates',
 'method': 'POST'
 }
- ]),
+ ],
+ scope_types=['system']),
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'remove_host',
- base.RULE_ADMIN_API,
- "Remove a host from an aggregate",
- [
+ name=POLICY_ROOT % 'remove_host',
+ check_str=base.RULE_ADMIN_API,
+ description="Remove a host from an aggregate",
+ operations=[
 {
 'path': '/os-aggregates/{aggregate_id}/action (remove_host)',
 'method': 'POST'
 }
- ]),
+ ],
+ scope_types=['system']),
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'update',
- base.RULE_ADMIN_API,
- "Update name and/or availability zone for an aggregate",
- [
+ name=POLICY_ROOT % 'update',
+ check_str=base.RULE_ADMIN_API,
+ description="Update name and/or availability zone for an aggregate",
+ operations=[
 {
 'path': '/os-aggregates/{aggregate_id}',
 'method': 'PUT'
 }
- ]),
+ ],
+ scope_types=['system']),
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'index',
- base.RULE_ADMIN_API,
- "List all aggregates",
- [
+ name=POLICY_ROOT % 'index',
+ check_str=base.RULE_ADMIN_API,
+ description="List all aggregates",
+ operations=[
 {
 'path': '/os-aggregates',
 'method': 'GET'
 }
- ]),
+ ],
+ scope_types=['system']),
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'delete',
- base.RULE_ADMIN_API,
- "Delete an aggregate",
- [
+ name=POLICY_ROOT % 'delete',
+ check_str=base.RULE_ADMIN_API,
+ description="Delete an aggregate",
+ operations=[
 {
 'path': '/os-aggregates/{aggregate_id}',
 'method': 'DELETE'
 }
- ]),
+ ],
+ scope_types=['system']),
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'show',
- base.RULE_ADMIN_API,
- "Show details for an aggregate",
- [
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_ADMIN_API,
+ description="Show details for an aggregate",
+ operations=[
 {
 'path': '/os-aggregates/{aggregate_id}',
 'method': 'GET'
 }
- ]),
+ ],
+ scope_types=['system']),
 policy.DocumentedRuleDefault(
- NEW_POLICY_ROOT % 'images',
- base.RULE_ADMIN_API,
- "Request image caching for an aggregate",
- [
+ name=NEW_POLICY_ROOT % 'images',
+ check_str=base.RULE_ADMIN_API,
+ description="Request image caching for an aggregate",
+ operations=[
 {
 'path': '/os-aggregates/{aggregate_id}/images',
 'method': 'POST'
 }
- ]),
+ ],
+ scope_types=['system']),
 ]
diff --git a/nova/tests/unit/policies/test_aggregates.py b/nova/tests/unit/policies/test_aggregates.py
index b750bdc9e0..2bcfa516c9 100644
--- a/nova/tests/unit/policies/test_aggregates.py
+++ b/nova/tests/unit/policies/test_aggregates.py
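Review bot: The rule list has no comment explaining why every os-aggregates rule now carries `scope_types=['system']` while `check_str` stays `base.RULE_ADMIN_API`, and a reader of this module cannot tell whether the scope is meant to replace or to complement the admin check; a line above `aggregates_policies = [` such as `# Host aggregates are a deployment-wide resource with no owning project, so every rule is system-scoped; check_str still requires the admin role in addition to the scope.` would settle that. Scope types are only enforced when `[oslo_policy] enforce_scope` is set (the new test turns it on explicitly), so with the default configuration an out-of-scope token presumably only triggers a warning rather than a denial; stating that in the same comment tells operators the access change is gated on that flag. The diffstat lists no release note, yet the test hunk places `legacy_admin_context` and `project_admin_context` among the contexts rejected under scope enforcement, so an upgrade note saying that project-scoped admin tokens stop working for the /os-aggregates APIs once scope is enforced would avoid surprises during rollout.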
@@ -149,3 +149,16 @@ class AggregatesScopeTypePolicyTest(AggregatesPolicyTest):
 def setUp(self):
 super(AggregatesScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
+
+ # Check that system admin is able to perform Aggregate Operations.
+ self.admin_authorized_contexts = [
+ self.system_admin_context]
+ # Check that non-system or non-admin is not able to perform
+ # Aggregate Operations.
+ self.admin_unauthorized_contexts = [
+ self.legacy_admin_context, self.system_member_context,
+ self.system_reader_context, self.system_foo_context,
+ self.project_admin_context, self.project_member_context,
+ self.other_project_member_context,
+ self.project_foo_context, self.project_reader_context
+ ]
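Review bot: The comments on the two context lists say who passes and who fails but not why `legacy_admin_context` and `project_admin_context` now sit in the unauthorized list, which is the consequence of `scope_types=['system']` combined with `enforce_scope=True` and the first thing a future reader will question. Suggest replacing the second comment with `# With enforce_scope=True and scope_types=['system'], project-scoped tokens (including legacy and project admin) and non-admin system tokens must all be rejected.` so the expectation is tied to the policy definition. The lists are assigned after `super().setUp()` and so presumably override lists populated by the parent class; a one-line comment noting that the override is deliberate would make that explicit. If the base fixture defines any context not named here, it should be added to the unauthorized list so the check stays exhaustive, though the hunk alone does not show which contexts the fixture provides.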