Introduce scope_types in os-volumes-attachments policy
oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level. - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html Appropriate scope_type for nova case: - https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope This commit introduce scope_type for os-volumes-attachments API policy. Change-Id: Ibe7aaef25c7eccf2ce017fc606aae9a1448d8bcb
This commit is contained in:
zhangbailin
@@ -23,57 +23,62 @@ POLICY_ROOT = 'os_compute_api:os-volumes-attachments:%s'
|
||||
|
||||
volumes_attachments_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
POLICY_ROOT % 'index',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
"List volume attachments for an instance",
|
||||
[
|
||||
name=POLICY_ROOT % 'index',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="List volume attachments for an instance",
|
||||
operations=[
|
||||
{'method': 'GET',
|
||||
'path': '/servers/{server_id}/os-volume_attachments'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system', 'project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
POLICY_ROOT % 'create',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
"Attach a volume to an instance",
|
||||
[
|
||||
name=POLICY_ROOT % 'create',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="Attach a volume to an instance",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/servers/{server_id}/os-volume_attachments'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system', 'project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
POLICY_ROOT % 'show',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
"Show details of a volume attachment",
|
||||
[
|
||||
name=POLICY_ROOT % 'show',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="Show details of a volume attachment",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path':
|
||||
'/servers/{server_id}/os-volume_attachments/{volume_id}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system', 'project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
POLICY_ROOT % 'update',
|
||||
base.RULE_ADMIN_API,
|
||||
"Update a volume attachment",
|
||||
[
|
||||
name=POLICY_ROOT % 'update',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="Update a volume attachment",
|
||||
operations=[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path':
|
||||
'/servers/{server_id}/os-volume_attachments/{volume_id}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
POLICY_ROOT % 'delete',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
"Detach a volume from an instance",
|
||||
[
|
||||
name=POLICY_ROOT % 'delete',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="Detach a volume from an instance",
|
||||
operations=[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path':
|
||||
'/servers/{server_id}/os-volume_attachments/{volume_id}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system', 'project']),
|
||||
]
|
||||
|
||||
|
||||
|
||||
@@ -177,3 +177,16 @@ class VolumeAttachScopeTypePolicyTest(VolumeAttachPolicyTest):
|
||||
def setUp(self):
|
||||
super(VolumeAttachScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
|
||||
# Check that system admin is able to update the attached volume
|
||||
self.admin_authorized_contexts = [
|
||||
self.system_admin_context]
|
||||
# Check that non-system or non-admin is not able to update
|
||||
# the attached volume.
|
||||
self.admin_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.other_project_member_context,
|
||||
self.project_foo_context, self.project_reader_context
|
||||
]
|
||||
|
||||
Reference in New Issue
Block a user