diff --git a/nova/policies/console_auth_tokens.py b/nova/policies/console_auth_tokens.py
index 115ea9e7d3..9df96f8aa8 100644
--- a/nova/policies/console_auth_tokens.py
+++ b/nova/policies/console_auth_tokens.py
@@ -23,16 +23,17 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-auth-tokens'
 console_auth_tokens_policies = [
 policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_API,
- "Show console connection information for a given console "
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API,
+ description="Show console connection information for a given console "
 "authentication token",
- [
+ operations=[
 {
 'method': 'GET',
 'path': '/os-console-auth-tokens/{console_token}'
 }
- ])
+ ],
+ scope_types=['system'])
 ]
diff --git a/nova/tests/unit/policies/test_console_auth_tokens.py b/nova/tests/unit/policies/test_console_auth_tokens.py
index 9ddf6a0dec..403a647ec2 100644
--- a/nova/tests/unit/policies/test_console_auth_tokens.py
+++ b/nova/tests/unit/policies/test_console_auth_tokens.py
@@ -67,3 +67,17 @@ class ConsoleAuthTokensScopeTypePolicyTest(ConsoleAuthTokensPolicyTest):
 def setUp(self):
 super(ConsoleAuthTokensScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
+
+ # Check that system admin is able to get console connection
+ # information.
+ self.admin_authorized_contexts = [
+ self.system_admin_context]
+ # Check that non-system-admin is not able to get console connection
+ # information.
+ self.admin_unauthorized_contexts = [
+ self.legacy_admin_context, self.system_member_context,
+ self.system_reader_context, self.system_foo_context,
+ self.project_admin_context, self.project_member_context,
+ self.other_project_member_context,
+ self.project_foo_context, self.project_reader_context
+ ]
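Review bot: The added `scope_types=['system']` is, as far as I can tell from oslo.policy's behaviour, only enforced when `[oslo_policy] enforce_scope` is True; with it False the unchanged `check_str=base.RULE_ADMIN_API` still admits a project-scoped admin token, so the restriction this rule now declares is opt-in and deployers reading the policy file will not see that. A comment above the `policy.DocumentedRuleDefault(` call would make the intent explicit, e.g. `# System-scoped only: a console auth token grants a console connection, so project-scoped admins are denied once enforce_scope is enabled.` A release note saying the same would help operators planning the enforce_scope switch. The `console_auth_tokens_policies` list starts before the hunk's first visible change and its trailing context runs past the hunk.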
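Review bot: The two new context lists in `setUp` are formatted inconsistently: `self.admin_authorized_contexts` closes with `self.system_admin_context]` on the element's line while `self.admin_unauthorized_contexts` puts `]` on its own line, which makes the parallel structure harder to scan. Either `self.admin_authorized_contexts = [self.system_admin_context]` on one line or the multi-line form with a dedicated closing bracket would match the second list. The comments also say "Check that …" but the lists only describe the expected split; the actual assertion lives in the test methods of the base class, which are outside this hunk, so rewording to `# Only system admin is expected to get console connection information.` would describe what these lines do. The enclosing class `ConsoleAuthTokensScopeTypePolicyTest` begins before the hunk.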