Introduce scope_types in Admin Actions

oslo.policy introduced the scope_type feature which can
control the access level at system-level and project-level.
 - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
 - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html

Appropriate scope_type for nova case:
- https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope

This commit introduces scope_type for the Admin Actions API policies.

All the Admin Actions policies are scoped as 'system' because
nova service operations should not be accessible with a
project-scoped token.

Also adds test cases with scope_type enabled and verifies that we
pass and fail the policy check with the expected contexts.

Partially implements blueprint policy-defaults-refresh
Change-Id: I6d43cbe6dd32e17eda99a72699953b83b4e556bb
Ghanshyam Mann
2019-12-04 19:29:36 +00:00
parent fcf5163ab3
commit dfaf229e00
2 changed files with 20 additions and 3 deletions

@@ -31,7 +31,8 @@ admin_actions_policies = [
'method': 'POST',
'path': '/servers/{server_id}/action (os-resetState)'
}
]),
],
scope_types=['system']),
policy.DocumentedRuleDefault(
POLICY_ROOT % 'inject_network_info',
base.RULE_ADMIN_API,
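Review bot: the check string for these rules stays base.RULE_ADMIN_API (visible as the check_str of the following rule), so the new scope_types=['system'] only takes effect when oslo_policy enforce_scope is turned on; with it off, a project-scoped admin token is still accepted. That keeps the default backward compatible, but the behaviour change when enforce_scope is enabled (project-scoped admins lose access to os-resetState) deserves a release note or a mention in the rule's description so operators are not surprised. The `])` -> `],` edit that closes the operations list before the new keyword argument is correct.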
@@ -41,7 +42,8 @@ admin_actions_policies = [
'method': 'POST',
'path': '/servers/{server_id}/action (injectNetworkInfo)'
}
]),
],
scope_types=['system']),
policy.DocumentedRuleDefault(
POLICY_ROOT % 'reset_network',
base.RULE_ADMIN_API,
@@ -51,7 +53,8 @@ admin_actions_policies = [
'method': 'POST',
'path': '/servers/{server_id}/action (resetNetwork)'
}
])
],
scope_types=['system'])
]
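Review bot: the last rule in the list closes with `scope_types=['system'])` and no trailing comma, unlike the two rules above that end with `]),`; adding a trailing comma here would keep the three entries uniform and make future additions to admin_actions_policies a one-line diff.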

@@ -97,3 +97,17 @@ class AdminActionsScopeTypePolicyTest(AdminActionsPolicyTest):
def setUp(self):
super(AdminActionsScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# Check that system admin is able to perform the system level actions
# on server.
self.admin_authorized_contexts = [
self.system_admin_context]
# Check that non-system or non-admin is not able to perform the system
# level actions on server.
self.admin_unauthorized_contexts = [
self.legacy_admin_context, self.system_member_context,
self.system_reader_context, self.system_foo_context,
self.project_admin_context, self.project_member_context,
self.other_project_member_context,
self.project_foo_context, self.project_reader_context
]
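Review bot: the comment above admin_unauthorized_contexts says "non-system or non-admin", but the list also contains legacy_admin_context, which is an admin with a project-scoped token. Since this is the case operators will actually notice once enforce_scope=True is set, consider spelling it out in the comment, e.g. "legacy (project-scoped) admins are rejected because the rule is system-scoped". Also worth stating in a comment that enforce_scope=True is what activates the scope check; without it the base AdminActionsPolicyTest contexts would still pass.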