Merge "Use default policies in our tests"
commit
e788d68ef4
@ -1,164 +1,4 @@
|
||||
# Defines the default rule used for policies that historically had an
|
||||
# empty policy in the supplied policy.yaml file.
|
||||
#"default": ""
|
||||
|
||||
# Defines the rule for the is_admin:True check.
|
||||
#"context_is_admin": "role:admin"
|
||||
|
||||
# Default for admin-only metadef rules
|
||||
"metadef_admin": "role:admin"
|
||||
|
||||
# add_image
|
||||
"add_image": ""
|
||||
|
||||
# delete_image
|
||||
"delete_image": ""
|
||||
|
||||
# get_image
|
||||
"get_image": ""
|
||||
|
||||
# get_images
|
||||
"get_images": ""
|
||||
|
||||
# modify_image
|
||||
"modify_image": ""
|
||||
|
||||
# publicize_image
|
||||
"publicize_image": ""
|
||||
|
||||
# communitize_image
|
||||
"communitize_image": ""
|
||||
|
||||
# download_image
|
||||
"download_image": ""
|
||||
|
||||
# upload_image
|
||||
"upload_image": ""
|
||||
|
||||
# delete_image_location
|
||||
"delete_image_location": ""
|
||||
|
||||
# get_image_location
|
||||
"get_image_location": ""
|
||||
|
||||
# set_image_location
|
||||
"set_image_location": ""
|
||||
|
||||
# add_member
|
||||
"add_member": ""
|
||||
|
||||
# delete_member
|
||||
"delete_member": ""
|
||||
|
||||
# get_member
|
||||
"get_member": ""
|
||||
|
||||
# get_members
|
||||
"get_members": ""
|
||||
|
||||
# modify_member
|
||||
"modify_member": ""
|
||||
|
||||
# manage_image_cache
|
||||
"manage_image_cache": ""
|
||||
|
||||
# deactivate
|
||||
"deactivate": ""
|
||||
|
||||
# reactivate
|
||||
"reactivate": ""
|
||||
|
||||
# get_task
|
||||
"get_task": "role:admin"
|
||||
|
||||
# get_tasks
|
||||
"get_tasks": "role:admin"
|
||||
|
||||
# add_task
|
||||
"add_task": "role:admin"
|
||||
|
||||
# modify_task
|
||||
"modify_task": "role:admin"
|
||||
|
||||
# get_metadef_namespace
|
||||
"get_metadef_namespace": ""
|
||||
|
||||
# get_metadef_namespaces
|
||||
"get_metadef_namespaces": ""
|
||||
|
||||
# modify_metadef_namespace
|
||||
"modify_metadef_namespace": "rule:metadef_admin"
|
||||
|
||||
# add_metadef_namespace
|
||||
"add_metadef_namespace": "rule:metadef_admin"
|
||||
|
||||
# delete_metadef_namespace
|
||||
"delete_metadef_namespace": "rule:metadef_admin"
|
||||
|
||||
# get_metadef_object
|
||||
"get_metadef_object": ""
|
||||
|
||||
# get_metadef_objects
|
||||
"get_metadef_objects": ""
|
||||
|
||||
# modify_metadef_object
|
||||
"modify_metadef_object": "rule:metadef_admin"
|
||||
|
||||
# add_metadef_object
|
||||
"add_metadef_object": "rule:metadef_admin"
|
||||
|
||||
# delete_metadef_object
|
||||
"delete_metadef_object": "rule:metadef_admin"
|
||||
|
||||
# list_metadef_resource_types
|
||||
"list_metadef_resource_types": ""
|
||||
|
||||
# get_metadef_resource_type
|
||||
"get_metadef_resource_type": ""
|
||||
|
||||
# add_metadef_resource_type_association
|
||||
"add_metadef_resource_type_association": "rule:metadef_admin"
|
||||
|
||||
# remove_metadef_resource_type_association
|
||||
"remove_metadef_resource_type_association": "rule:metadef_admin"
|
||||
|
||||
# get_metadef_property
|
||||
"get_metadef_property": ""
|
||||
|
||||
# get_metadef_properties
|
||||
"get_metadef_properties": ""
|
||||
|
||||
# modify_metadef_property
|
||||
"modify_metadef_property": "rule:metadef_admin"
|
||||
|
||||
# add_metadef_property
|
||||
"add_metadef_property": "rule:metadef_admin"
|
||||
|
||||
# remove_metadef_property
|
||||
"remove_metadef_property": "rule:metadef_admin"
|
||||
|
||||
# get_metadef_tag
|
||||
"get_metadef_tag": ""
|
||||
|
||||
# get_metadef_tags
|
||||
"get_metadef_tags": ""
|
||||
|
||||
# modify_metadef_tag
|
||||
"modify_metadef_tag": "rule:metadef_admin"
|
||||
|
||||
# add_metadef_tag
|
||||
"add_metadef_tag": "rule:metadef_admin"
|
||||
|
||||
# add_metadef_tags
|
||||
"add_metadef_tags": "rule:metadef_admin"
|
||||
|
||||
# delete_metadef_tag
|
||||
"delete_metadef_tag": "rule:metadef_admin"
|
||||
|
||||
# delete_metadef_tags
|
||||
"delete_metadef_tags": "rule:metadef_admin"
|
||||
|
||||
# WARNING: Below rules are either deprecated rules
|
||||
# or extra rules in policy file, it is strongly
|
||||
# recommended to switch to new rules.
|
||||
# FIXME (abhishekk): This special rule is required in unit tests
|
||||
# to test property protection using policies. Need to make provision
|
||||
# to set such rules on the fly.
|
||||
"glance_creator": "role:admin or role:spl_role"
|
||||
|
@ -804,7 +804,6 @@ class FunctionalTest(test_utils.BaseTestCase):
|
||||
conf_dir = os.path.join(self.test_dir, 'etc')
|
||||
utils.safe_mkdirs(conf_dir)
|
||||
self.copy_data_file('schema-image.json', conf_dir)
|
||||
self.copy_data_file('policy.yaml', conf_dir)
|
||||
self.copy_data_file('property-protections.conf', conf_dir)
|
||||
self.copy_data_file('property-protections-policies.conf', conf_dir)
|
||||
self.property_file_roles = os.path.join(conf_dir,
|
||||
@ -1153,7 +1152,6 @@ class MultipleBackendFunctionalTest(test_utils.BaseTestCase):
|
||||
conf_dir = os.path.join(self.test_dir, 'etc')
|
||||
utils.safe_mkdirs(conf_dir)
|
||||
self.copy_data_file('schema-image.json', conf_dir)
|
||||
self.copy_data_file('policy.yaml', conf_dir)
|
||||
self.copy_data_file('property-protections.conf', conf_dir)
|
||||
self.copy_data_file('property-protections-policies.conf', conf_dir)
|
||||
self.property_file_roles = os.path.join(conf_dir,
|
||||
|
@ -57,7 +57,8 @@ class TestScrubber(functional.FunctionalTest):
|
||||
|
||||
def _send_create_image_http_request(self, path, body=None):
|
||||
headers = {
|
||||
"Content-Type": "application/json"
|
||||
"Content-Type": "application/json",
|
||||
"X-Roles": "admin",
|
||||
}
|
||||
body = body or {'container_format': 'ovf',
|
||||
'disk_format': 'raw',
|
||||
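Review bot: `_send_create_image_http_request` now sends `"X-Roles": "admin"` on every image it creates, and the part of the default body visible in this hunk shows nothing that would obviously need admin. If the default policy lets a member create these images, `"X-Roles": "member",` would keep the scrubber tests on the least-privileged path. Otherwise a one-line comment above the header naming the rule that requires admin would help. The function body continues past the hunk.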
|
@ -59,7 +59,8 @@ class BaseCacheMiddlewareTest(object):
|
||||
# Add an image and verify success
|
||||
path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
|
||||
http = httplib2.Http()
|
||||
headers = self._headers({'content-type': 'application/json'})
|
||||
headers = self._headers({'content-type': 'application/json',
|
||||
'X-Roles': 'admin'})
|
||||
image_entity = {
|
||||
'name': 'Image1',
|
||||
'visibility': 'public',
|
||||
@ -121,7 +122,8 @@ class BaseCacheMiddlewareTest(object):
|
||||
# Add an image and verify success
|
||||
path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
|
||||
http = httplib2.Http()
|
||||
headers = self._headers({'content-type': 'application/json'})
|
||||
headers = self._headers({'content-type': 'application/json',
|
||||
'X-Roles': 'admin'})
|
||||
image_entity = {
|
||||
'name': 'Image1',
|
||||
'visibility': 'public',
|
||||
@ -187,7 +189,8 @@ class BaseCacheMiddlewareTest(object):
|
||||
# Add an image and verify success
|
||||
path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
|
||||
http = httplib2.Http()
|
||||
headers = self._headers({'content-type': 'application/json'})
|
||||
headers = self._headers({'content-type': 'application/json',
|
||||
'X-Roles': 'admin'})
|
||||
image_entity = {
|
||||
'name': 'Image1',
|
||||
'visibility': 'public',
|
||||
@ -269,7 +272,8 @@ class BaseCacheMiddlewareTest(object):
|
||||
# Add an image and verify success
|
||||
path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
|
||||
http = httplib2.Http()
|
||||
headers = self._headers({'content-type': 'application/json'})
|
||||
headers = self._headers({'content-type': 'application/json',
|
||||
'X-Roles': 'admin'})
|
||||
image_entity = {
|
||||
'name': 'Image1',
|
||||
'visibility': 'public',
|
||||
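Review bot: All four hunks in this file (at -59, -121, -187 and -269) put `'X-Roles': 'admin'` into the single `headers` dict built just before the `'visibility': 'public'` image is created. If that dict is reused for the later requests in these tests, which lie outside the hunks, the cache middleware is only exercised as admin and a default-policy regression for ordinary users would go unnoticed. Consider keeping `headers = self._headers({'content-type': 'application/json'})` for the rest of the test and passing a separate `admin_headers = self._headers({'content-type': 'application/json', 'X-Roles': 'admin'})` to the create call only.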
|
@ -785,7 +785,8 @@ class TestImages(functional.FunctionalTest):
|
||||
# Change the image to public so TENANT2 can see it
|
||||
path = self._url('/v2/images/%s' % image_id)
|
||||
media_type = 'application/openstack-images-v2.0-json-patch'
|
||||
headers = self._headers({'content-type': media_type})
|
||||
headers = self._headers({'content-type': media_type,
|
||||
'X-Roles': 'admin'})
|
||||
data = jsonutils.dumps([{"replace": "/visibility", "value": "public"}])
|
||||
response = requests.patch(path, headers=headers, data=data)
|
||||
self.assertEqual(http.OK, response.status_code, response.text)
|
||||
@ -2423,6 +2424,10 @@ class TestImages(functional.FunctionalTest):
|
||||
|
||||
def test_property_protections_with_policies(self):
|
||||
# Enable property protection
|
||||
rules = {
|
||||
"glance_creator": "role:admin or role:spl_role"
|
||||
}
|
||||
self.set_policy_rules(rules)
|
||||
self.api_server.property_protection_file = self.property_file_policies
|
||||
self.api_server.property_protection_rule_format = 'policies'
|
||||
self.start_servers(**self.__dict__.copy())
|
||||
@ -3789,7 +3794,8 @@ class TestImageDirectURLVisibility(functional.FunctionalTest):
|
||||
|
||||
# Create an image
|
||||
path = self._url('/v2/images')
|
||||
headers = self._headers({'content-type': 'application/json'})
|
||||
headers = self._headers({'content-type': 'application/json',
|
||||
'X-Roles': 'admin'})
|
||||
data = jsonutils.dumps({'name': 'image-1', 'type': 'kernel',
|
||||
'foo': 'bar', 'disk_format': 'aki',
|
||||
'container_format': 'aki',
|
||||
@ -4073,9 +4079,13 @@ class TestImageMembers(functional.FunctionalTest):
|
||||
for owner in owners:
|
||||
for visibility in visibilities:
|
||||
path = self._url('/v2/images')
|
||||
role = 'member'
|
||||
if visibility == 'public':
|
||||
role = 'admin'
|
||||
headers = self._headers({
|
||||
'content-type': 'application/json',
|
||||
'X-Auth-Token': 'createuser:%s:admin' % owner,
|
||||
'X-Roles': role,
|
||||
})
|
||||
data = jsonutils.dumps({
|
||||
'name': '%s-%s' % (owner, visibility),
|
||||
@ -6385,9 +6395,14 @@ class TestMultiStoreImageMembers(functional.MultipleBackendFunctionalTest):
|
||||
for owner in owners:
|
||||
for visibility in visibilities:
|
||||
path = self._url('/v2/images')
|
||||
role = 'member'
|
||||
if visibility == 'public':
|
||||
role = 'admin'
|
||||
|
||||
headers = self._headers(custom_headers={
|
||||
'content-type': 'application/json',
|
||||
'X-Auth-Token': 'createuser:%s:admin' % owner,
|
||||
'X-Roles': role,
|
||||
})
|
||||
data = jsonutils.dumps({
|
||||
'name': '%s-%s' % (owner, visibility),
|
||||
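Review bot: In the TestImageMembers hunk the create request carries two role signals that can disagree: `'X-Auth-Token': 'createuser:%s:admin' % owner` still ends in `admin`, while `'X-Roles': role` is `member` for every non-public image. Which of the two the API honours is not visible here, so a short comment such as `# X-Roles decides the effective role; admin is used only for public images` would say what the request runs as (confirm this against the auth middleware these tests use). The selection itself reads more directly as `role = 'admin' if visibility == 'public' else 'member'`. The TestMultiStoreImageMembers hunk repeats the same pattern, and both loops continue outside their hunks.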
|