diff --git a/nova/policies/console_output.py b/nova/policies/console_output.py
index 12869d3ec6..461ef83a54 100644
--- a/nova/policies/console_output.py
+++ b/nova/policies/console_output.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-output'
 console_output_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME,
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
 description='Show console output for a server',
 operations=[
 {
diff --git a/nova/tests/unit/policies/test_console_output.py b/nova/tests/unit/policies/test_console_output.py
index 6b5019cbcb..1426dca186 100644
--- a/nova/tests/unit/policies/test_console_output.py
+++ b/nova/tests/unit/policies/test_console_output.py
@@ -82,3 +82,29 @@ class ConsoleOutputScopeTypePolicyTest(ConsoleOutputPolicyTest):
 def setUp(self):
 super(ConsoleOutputScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class ConsoleOutputNoLegacyPolicyTest(ConsoleOutputPolicyTest):
+ """Test Console Output APIs policies with system scope enabled,
+ and no more deprecated rules that allow the legacy admin API to
+ access system_admin_or_owner APIs.
+ """
+ without_deprecated_rules = True
+
+ def setUp(self):
+ super(ConsoleOutputNoLegacyPolicyTest, self).setUp()
+ self.flags(enforce_scope=True, group="oslo_policy")
+
+ # Check that system or projct admin or owner is able to
+ # get the server console.
+ self.admin_authorized_contexts = [
+ self.system_admin_context,
+ self.project_admin_context, self.project_member_context]
+ # Check that non-system and non-admin/owner is not able to
+ # get the server console.
+ self.admin_unauthorized_contexts = [
+ self.legacy_admin_context, self.project_reader_context,
+ self.project_foo_context,
+ self.system_member_context, self.system_reader_context,
+ self.system_foo_context,
+ self.other_project_member_context]
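Review bot: The new `check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN` on the console-output rule is only a safe tightening if the rest of the `DocumentedRuleDefault` (which continues past the end of the hunk) carries a `deprecated_rule` for the old `RULE_ADMIN_OR_OWNER` and a `scope_types` that includes both `'system'` and `'project'`; neither is visible here. The companion test's `without_deprecated_rules = True` suggests a deprecated rule is expected to exist, but with `enforce_scope=True` a missing or system-only `scope_types` would deny project members regardless of the check string, so that should be confirmed on the lines outside the hunk. A brief comment above the rule, such as `# Project members (owners) or system admins; legacy admin access is kept only via the deprecated rule.`, would make the intended audience explicit to the next person editing this policy.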
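Review bot: The comment `# Check that system or projct admin or owner is able to` in `ConsoleOutputNoLegacyPolicyTest.setUp` has a typo; it should read `# Check that system or project admin or owner is able to`. The class docstring also describes the API as `system_admin_or_owner` while the policy it exercises is now `PROJECT_MEMBER_OR_SYSTEM_ADMIN`, so naming the actual rule there would keep the test readable next to the policy change. The context lists themselves look consistent with that rule: `project_reader_context` and the legacy admin are unauthorized, and `system_admin`, `project_admin` and `project_member` are authorized.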