Merge "Introduce scope_types in Admin Actions"

nova/policies/admin_actions.py

@@ -31,7 +31,8 @@ admin_actions_policies = [
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (os-resetState)'
             }
-        ]),
+        ],
+        scope_types=['system']),
     policy.DocumentedRuleDefault(
         POLICY_ROOT % 'inject_network_info',
         base.RULE_ADMIN_API,
@@ -41,7 +42,8 @@ admin_actions_policies = [
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (injectNetworkInfo)'
             }
-        ]),
+        ],
+        scope_types=['system']),
     policy.DocumentedRuleDefault(
         POLICY_ROOT % 'reset_network',
         base.RULE_ADMIN_API,
@@ -51,7 +53,8 @@ admin_actions_policies = [
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (resetNetwork)'
             }
-        ])
+        ],
+        scope_types=['system'])
 ]
 
 

nova/tests/unit/policies/test_admin_actions.py

@@ -97,3 +97,17 @@ class AdminActionsScopeTypePolicyTest(AdminActionsPolicyTest):
     def setUp(self):
         super(AdminActionsScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system admin is able to perform the system level actions
+        # on server.
+        self.admin_authorized_contexts = [
+            self.system_admin_context]
+        # Check that non-system or non-admin is not able to perform the system
+        # level actions on server.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.system_foo_context,
+            self.project_admin_context, self.project_member_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context
+        ]