diff --git a/nova/policies/volumes_attachments.py b/nova/policies/volumes_attachments.py
index 25653a028e..63e0e3adfe 100644
--- a/nova/policies/volumes_attachments.py
+++ b/nova/policies/volumes_attachments.py
@@ -23,57 +23,62 @@ POLICY_ROOT = 'os_compute_api:os-volumes-attachments:%s'
 volumes_attachments_policies = [
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'index',
- base.RULE_ADMIN_OR_OWNER,
- "List volume attachments for an instance",
- [
+ name=POLICY_ROOT % 'index',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description="List volume attachments for an instance",
+ operations=[
 {'method': 'GET', 'path': '/servers/{server_id}/os-volume_attachments' }
- ]),
+ ],
+ scope_types=['system', 'project']),
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'create',
- base.RULE_ADMIN_OR_OWNER,
- "Attach a volume to an instance",
- [
+ name=POLICY_ROOT % 'create',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description="Attach a volume to an instance",
+ operations=[
 { 'method': 'POST', 'path': '/servers/{server_id}/os-volume_attachments' }
- ]),
+ ],
+ scope_types=['system', 'project']),
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'show',
- base.RULE_ADMIN_OR_OWNER,
- "Show details of a volume attachment",
- [
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description="Show details of a volume attachment",
+ operations=[
 { 'method': 'GET', 'path': '/servers/{server_id}/os-volume_attachments/{volume_id}' }
- ]),
+ ],
+ scope_types=['system', 'project']),
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'update',
- base.RULE_ADMIN_API,
- "Update a volume attachment",
- [
+ name=POLICY_ROOT % 'update',
+ check_str=base.RULE_ADMIN_API,
+ description="Update a volume attachment",
+ operations=[
 { 'method': 'PUT', 'path': '/servers/{server_id}/os-volume_attachments/{volume_id}' }
- ]),
+ ],
+ scope_types=['system']),
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'delete',
- base.RULE_ADMIN_OR_OWNER,
- "Detach a volume from an instance",
- [
+ name=POLICY_ROOT % 'delete',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description="Detach a volume from an instance",
+ operations=[
 { 'method': 'DELETE', 'path': '/servers/{server_id}/os-volume_attachments/{volume_id}' }
- ]),
+ ],
+ scope_types=['system', 'project']),
 ]
diff --git a/nova/tests/unit/policies/test_volumes.py b/nova/tests/unit/policies/test_volumes.py
index ae738a0e45..b72ae41391 100644
--- a/nova/tests/unit/policies/test_volumes.py
+++ b/nova/tests/unit/policies/test_volumes.py
@@ -177,3 +177,16 @@ class VolumeAttachScopeTypePolicyTest(VolumeAttachPolicyTest):
 def setUp(self):
 super(VolumeAttachScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
+
+ # Check that system admin is able to update the attached volume
+ self.admin_authorized_contexts = [
+ self.system_admin_context]
+ # Check that non-system or non-admin is not able to update
+ # the attached volume.
+ self.admin_unauthorized_contexts = [
+ self.legacy_admin_context, self.system_member_context,
+ self.system_reader_context, self.system_foo_context,
+ self.project_admin_context, self.project_member_context,
+ self.other_project_member_context,
+ self.project_foo_context, self.project_reader_context
+ ]
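Review bot: The `update` rule is the only one of the five restricted to `scope_types=['system']`, and nothing in the hunk records why, so a reader comparing it with its siblings (all `['system', 'project']`) cannot tell whether the narrower scope is deliberate. Once `enforce_scope=True` is set, a project-scoped token — including a project admin — is refused on `PUT /servers/{server_id}/os-volume_attachments/{volume_id}` before `check_str` is even evaluated, while with enforcement off oslo.policy only logs a warning, so the tightening lands silently when operators flip the flag. Add a comment above that rule, e.g. `# Swap-volume is a system-level operation (presumably driven by Cinder volume migration rather than by end users), so it is deliberately not offered to project-scoped tokens.` — confirm the rationale before wording it. It is also worth stating in the four `RULE_ADMIN_OR_OWNER` descriptions that the 'system' scope does not grant those calls to non-admin system tokens: if that rule still carries an owner clause keyed on the request's `project_id`, a system-scoped token has no project to match and falls through to the admin half only.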
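Review bot: The new context lists only pin the `update` rule's admin split; the four rules that kept `RULE_ADMIN_OR_OWNER` but gained `scope_types=['system', 'project']` get no scope-enforcing expectations here, so a regression that dropped `'project'` from, say, `delete` would pass this class unless the parent `VolumeAttachPolicyTest` (outside the hunk) already exercises owner contexts with `enforce_scope=True`. Moving `legacy_admin_context` into `admin_unauthorized_contexts` is a behavioural change for deployments whose admins use project-scoped tokens for swap-volume and deserves a sentence in the comment, e.g. `# Legacy (project-scoped) admin loses swap-volume once scope is enforced; this is intentional.` The enclosing class `VolumeAttachScopeTypePolicyTest` starts outside the hunk, and `setUp` is the only method shown.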