diff --git a/nova/policies/create_backup.py b/nova/policies/create_backup.py
index b90016ed5a..b7acc36bd5 100644
--- a/nova/policies/create_backup.py
+++ b/nova/policies/create_backup.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-create-backup'
 create_backup_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME,
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
 description='Create a back up of a server',
 operations=[
 {
diff --git a/nova/tests/unit/policies/test_create_backup.py b/nova/tests/unit/policies/test_create_backup.py
index 3863ccc409..81cdcd58b6 100644
--- a/nova/tests/unit/policies/test_create_backup.py
+++ b/nova/tests/unit/policies/test_create_backup.py
@@ -88,3 +88,29 @@ class CreateBackupScopeTypePolicyTest(CreateBackupPolicyTest):
 def setUp(self):
 super(CreateBackupScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class CreateBackupNoLegacyPolicyTest(CreateBackupPolicyTest):
+ """Test Create Backup APIs policies with system scope enabled,
+ and no more deprecated rules that allow the legacy admin API to
+ access system_admin_or_owner APIs.
+ """
+ without_deprecated_rules = True
+
+ def setUp(self):
+ super(CreateBackupNoLegacyPolicyTest, self).setUp()
+ self.flags(enforce_scope=True, group="oslo_policy")
+
+ # Check that system or projct admin or owner is able to create
+ # server backup.
+ self.admin_authorized_contexts = [
+ self.system_admin_context,
+ self.project_admin_context, self.project_member_context]
+ # Check that non-system and non-admin/owner is not able to
+ # create server backup.
+ self.admin_unauthorized_contexts = [
+ self.legacy_admin_context, self.project_reader_context,
+ self.project_foo_context,
+ self.system_member_context, self.system_reader_context,
+ self.system_foo_context,
+ self.other_project_member_context]
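Review bot: The rule's `scope_types` is not visible in this hunk, yet the new test class expects both `system_admin_context` and `project_member_context` to be authorized with `enforce_scope=True`, which presumably requires `scope_types=['system', 'project']` on this rule; worth confirming in the lines that follow the hunk. Swapping `base.RULE_ADMIN_OR_OWNER` for `base.PROJECT_MEMBER_OR_SYSTEM_ADMIN` means a legacy admin (admin role without system scope) keeps access only through the deprecated rule the test docstring refers to, so a comment above `check_str` such as `# Legacy admin access survives only via the deprecated rule attached in base.` would record that intent for the next reader. The `create_backup_policies` list continues past the end of the hunk.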
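Review bot: The comment above the authorized-contexts assignment in `CreateBackupNoLegacyPolicyTest.setUp` misspells "project" (`# Check that system or projct admin or owner is able to create`); it should read `# Check that system or project admin or owner is able to create`. The unauthorized list names `other_project_member_context` but no other-project reader; if the base fixture defines such a context, adding it would also pin that a reader from another project is denied. The assertions that consume `admin_authorized_contexts` and `admin_unauthorized_contexts` are inherited from `CreateBackupPolicyTest`, which lies outside the hunk, so this class only configures the contexts those tests iterate over.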