Merge "Add new default roles in os-console-output policies"

2020-03-06 13:32:09 +00:00
parent 572d8506a6 cae41d68cf
commit e710ebe28f
2 changed files with 27 additions and 1 deletions
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-output'
 console_output_policies = [
    policy.DocumentedRuleDefault(
        name=BASE_POLICY_NAME,
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
        description='Show console output for a server',
        operations=[
            {
@@ -82,3 +82,29 @@ class ConsoleOutputScopeTypePolicyTest(ConsoleOutputPolicyTest):
    def setUp(self):
        super(ConsoleOutputScopeTypePolicyTest, self).setUp()
        self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class ConsoleOutputNoLegacyPolicyTest(ConsoleOutputPolicyTest):
+    """Test Console Output APIs policies with system scope enabled,
+    and no more deprecated rules that allow the legacy admin API to
+    access system_admin_or_owner APIs.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(ConsoleOutputNoLegacyPolicyTest, self).setUp()
+        self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system or projct admin or owner is able to
+        # get the server console.
+        self.admin_authorized_contexts = [
+            self.system_admin_context,
+            self.project_admin_context, self.project_member_context]
+        # Check that non-system and non-admin/owner is not able to
+        # get the server console.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.project_reader_context,
+            self.project_foo_context,
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context,
+            self.other_project_member_context]