This adds new defaults roles in remote console API policies.
- lock/unlock policies are default to system admin or project member.
- unlock server locked by other is system admin.
Also add tests to simulates the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: Ic81da0ebc23d6526c5ca2d9d98159e07f3e53822
limits and used_limits extensions were megred in
- I76e02214e958a55b6de8033243b46b259949e5ac
But policy were left in separate file. limits policy
is in policies/limits which is general policy to get the
limit of project. used_limit is in polocies/used_limit
which is enforced in view builder for gettting the limit
of other project.
This commit:
- move used_limit in policies/limit file
- move the used_limit policy enforcement from view buidler to limit API controller.
- adjust the tests due to above changes.
Partial implement blueprint policy-defaults-refresh
Change-Id: Iefe41cc95cd967b368588dea5ff195bb4af3eca7
The updated minimum required libvirt (4.0.0) and QEMU (2.11)
for "Ussuri" satisfy the version requirements; this was done
in Change-Id: Ia18e9be4d (22c1916b49 — libvirt: Bump
MIN_{LIBVIRT,QEMU}_VERSION for "Ussuri", 2019-11-19).
Drop the version constant QEMU_VERSION_REQ_SHARED and now-needless
compatibility code; adjust/remove tests.
Change-Id: If878a023c69f25a9ea45b7de2ff9eb1976aaeb8c
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
This change addresses an old TODO in the images module by dropping the
use of a Libvirt specific configurable from the qemu_img_info function.
We can identify RBD based volumes by checking for 'rbd:' at the start of
the path provided to the function instead of using the configurable.
Change-Id: Ife9e67d5c71f4cca825dff713f54ec955508f6e6
Since 0.9.11 virDomainBlockResize has accepted the size argument in
bytes when the VIR_DOMAIN_BLOCK_RESIZE_BYTES flag is provided.
This change switches all callers over to using bytes to simplify the
required call, avoiding the need to divide by units.Ki etc.
Change-Id: Ib8d9318596186acd86a738ceea187420698645e6
This adds new defaults roles in rescue server API policies
to system admin or project member.
Also add tests to simulates the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I5816abd33002b2036068cc686c3d0d44d66ee976
Current tests do not have good test coverage of existing policies.
Either tests for policies do not exist or if they exist then they
do not cover the actual negative and positive testing.
For Example, if any policy with default rule as admin only then
test should verify:
- policy check pass with context having admin or server owner
- policy check fail with context having non-admin and not server owner
As discussed in policy-defaults-refresh, to change the policies
with new default roles and scope_type, we need to have the enough
testing coverage of existing policy behavior.
When we will add the scope_type in policies or new default roles,
then these test coverage will be extended to adopt the new changes
and also make sure we do not break the existing behavior.
This commit covers the testing coverage of existing unrescue policies.
Also pass the actual target which is server's project_id in unrescue policy.
Partial implement blueprint policy-defaults-refresh
Change-Id: I04087be1e0023c026c06b690f20126472b0b63f0
Current tests do not have good test coverage of existing policies.
Either tests for policies do not exist or if they exist then they
do not cover the actual negative and positive testing.
For Example, if any policy with default rule as admin only then
test should verify:
- policy check pass with context having admin or server owner
- policy check fail with context having non-admin and not server owner
As discussed in policy-defaults-refresh, to change the policies
with new default roles and scope_type, we need to have the enough
testing coverage of existing policy behavior.
When we will add the scope_type in policies or new default roles,
then these test coverage will be extended to adopt the new changes
and also make sure we do not break the existing behavior.
This commit covers the testing coverage of existing remote consoles policies.
Also pass the actual target which is server's project_id in policy.
Partial implement blueprint policy-defaults-refresh
Change-Id: I6d6002de59d87f99df3577f8c97d3aaba7c611e8
Currently if target is not passed in context.can(),
it use defauls target which is context.user_id, context.project_id.
These defaults target are not useful as it pass the
context's user_id and project_id only which means we tell
oslo policy to verify the context data with context data.
This commit pass the actual target for unlock override policies
which is server project_id because policy rule is system and
project scoped.
Adding tests also to show that rule can be override with project
roles.
Partial implement blueprint policy-defaults-refresh
Change-Id: Ie3e6667df1e8f5d3e96ac291106f7e4b0273f0ef
Currently if target is not passed in context.can(),
it use defauls target which is context.user_id, context.project_id.
These defaults target are not useful as it pass the
context's user_id and project_id only which means we tell
oslo policy to verify the context data with context data.
This commit pass the actual target for migrate server policies
which is server project_id because policy rule is system and
project scoped.
Adding tests also to show that rule can be override with project
roles.
Partial implement blueprint policy-defaults-refresh
Change-Id: I3050b7c60ccfe8b737b4dbb93f00f6d6ca82bc6d
This adds new defaults roles in migrate server API policies.
This policy is default to SYSTEM_ADMIN role.
Also add tests to simulates the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I220a1466437ea8582f3d1cee53ff031465d25447
Sundar Nadathur