Fix tests for oslo.policy new defaults enable by default
oslo.policy has enabled the new RBAC config options enforce_scope and enforce_new_defaults by default[1][2]. Octavia is ready for the new RBAC, but we need to fix the tests and do some system scope cleanup in the base rules. Needed-By: https://review.opendev.org/c/openstack/requirements/+/925464 [1] https://review.opendev.org/c/openstack/oslo.policy/+/924283 [2] https://review.opendev.org/c/openstack/releases/+/925032 Change-Id: Ifbec670e1afa86725d2659a185f6c185abbefb16
parent
c2c5a4ce82
commit
240347fc3e
@ -137,9 +137,8 @@ class Policy(oslo_policy.Enforcer):
|
|||||||
try:
|
try:
|
||||||
result = self.enforce('context_is_admin', credentials, credentials)
|
result = self.enforce('context_is_admin', credentials, credentials)
|
||||||
except oslo_policy.InvalidScope as e:
|
except oslo_policy.InvalidScope as e:
|
||||||
# This will happen if the token being used is not system scoped
|
# This will happen if the token being used is system scoped
|
||||||
# which is required for the admin roles when scope checking is
|
# when scope checking is enabled.
|
||||||
# enabled.
|
|
||||||
LOG.warning(str(e))
|
LOG.warning(str(e))
|
||||||
return False
|
return False
|
||||||
return result
|
return result
|
||||||
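Review bot: The `LOG.warning(str(e))` line in the `except oslo_policy.InvalidScope` branch logs only the exception text, so an operator cannot tell that the denial came from the `context_is_admin` check. Now that a system-scoped token is the expected trigger, as the rewritten comment says, that warning is the only trace of why an admin was treated as a non-admin. I would name the rule and pass the exception lazily, `LOG.warning('context_is_admin scope check failed: %s', e)`. Returning False here keeps the check fail-closed, which is worth stating in the comment. The enclosing method starts outside the hunk.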
|
@ -41,20 +41,6 @@ rules = [
|
|||||||
|
|
||||||
# OpenStack wide scoped rules
|
# OpenStack wide scoped rules
|
||||||
|
|
||||||
# System scoped Administrator
|
|
||||||
policy.RuleDefault(
|
|
||||||
name='system-admin',
|
|
||||||
check_str='role:admin and '
|
|
||||||
'system_scope:all',
|
|
||||||
scope_types=[constants.RBAC_SCOPE_PROJECT]),
|
|
||||||
|
|
||||||
# System scoped Reader
|
|
||||||
policy.RuleDefault(
|
|
||||||
name='system-reader',
|
|
||||||
check_str='role:reader and '
|
|
||||||
'system_scope:all',
|
|
||||||
scope_types=[constants.RBAC_SCOPE_PROJECT]),
|
|
||||||
|
|
||||||
# Project scoped Member
|
# Project scoped Member
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
name='project-member',
|
name='project-member',
|
||||||
@ -85,13 +71,10 @@ rules = [
|
|||||||
# role:load-balancer_admin
|
# role:load-balancer_admin
|
||||||
# User is considered an admin for all load-balancer APIs including
|
# User is considered an admin for all load-balancer APIs including
|
||||||
# resources owned by others.
|
# resources owned by others.
|
||||||
# role:admin and system_scope:all
|
|
||||||
# User is admin to all service APIs, including Octavia.
|
|
||||||
|
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
name='context_is_admin',
|
name='context_is_admin',
|
||||||
check_str='role:load-balancer_admin or '
|
check_str='role:load-balancer_admin or '
|
||||||
'rule:system-admin or '
|
|
||||||
'role:admin',
|
'role:admin',
|
||||||
deprecated_rule=deprecated_context_is_admin,
|
deprecated_rule=deprecated_context_is_admin,
|
||||||
scope_types=[constants.RBAC_SCOPE_PROJECT]),
|
scope_types=[constants.RBAC_SCOPE_PROJECT]),
|
||||||
@ -115,8 +98,7 @@ rules = [
|
|||||||
|
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
name='load-balancer:global_observer',
|
name='load-balancer:global_observer',
|
||||||
check_str='role:load-balancer_global_observer or '
|
check_str='role:load-balancer_global_observer',
|
||||||
'rule:system-reader',
|
|
||||||
scope_types=[constants.RBAC_SCOPE_PROJECT]),
|
scope_types=[constants.RBAC_SCOPE_PROJECT]),
|
||||||
|
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
@ -132,7 +114,6 @@ rules = [
|
|||||||
name='load-balancer:admin',
|
name='load-balancer:admin',
|
||||||
check_str='is_admin:True or '
|
check_str='is_admin:True or '
|
||||||
'role:load-balancer_admin or '
|
'role:load-balancer_admin or '
|
||||||
'rule:system-admin or '
|
|
||||||
'role:admin',
|
'role:admin',
|
||||||
scope_types=[constants.RBAC_SCOPE_PROJECT]),
|
scope_types=[constants.RBAC_SCOPE_PROJECT]),
|
||||||
|
|
||||||
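Review bot: Deleting the `system-admin` and `system-reader` rule defaults changes behaviour for any deployment whose policy override file still references `rule:system-admin` or `rule:system-reader`, and nothing on this page documents that. As far as I know oslo.policy evaluates a reference to an undefined rule as a failed check, so such overrides would start denying without an error; please confirm against the oslo.policy version being pinned. No release note is visible here, so I would add one with an upgrade entry naming both removed rules and the narrowed `load-balancer:global_observer` check string. I would also add a comment above `context_is_admin` along the lines of `# role:admin is honoured at project scope only; system-scoped tokens are rejected when enforce_scope is on`, since the removed comment lines were the only explanation of the scope expectation.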
|
@ -214,7 +214,7 @@ class TestAvailabilityZones(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
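Review bot: Every fixture that carried `'roles': ['load-balancer_member']` now carries `['load-balancer_member', 'member']`, so no test in these sections exercises the Octavia-specific role on its own any more. This applies equally to the TestFlavors, TestHealthMonitor, TestL7Policy, TestL7Rule, TestListener, TestLoadBalancer, TestLoadBalancerGraph, TestMember, TestPool and TestQuotas sections below. If the new defaults are meant to require the Keystone `member` role as well (the `project-member` rule suggests so, but its check string is outside this view), a negative case with `'roles': ['load-balancer_member']` alone expecting a 403 would pin that authorization boundary. Without it, a later policy change that re-grants access to the bare role would pass the suite unnoticed.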
|
@ -214,7 +214,7 @@ class TestFlavors(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -308,7 +308,7 @@ class TestFlavors(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
|
@ -137,7 +137,7 @@ class TestHealthMonitor(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -293,7 +293,7 @@ class TestHealthMonitor(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -1258,7 +1258,7 @@ class TestHealthMonitor(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -1714,7 +1714,7 @@ class TestHealthMonitor(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -2064,7 +2064,7 @@ class TestHealthMonitor(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
|
@ -76,7 +76,7 @@ class TestL7Policy(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -209,7 +209,7 @@ class TestL7Policy(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -685,7 +685,7 @@ class TestL7Policy(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -919,7 +919,7 @@ class TestL7Policy(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -1165,7 +1165,7 @@ class TestL7Policy(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
|
@ -76,7 +76,7 @@ class TestL7Rule(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -175,7 +175,7 @@ class TestL7Rule(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -542,7 +542,7 @@ class TestL7Rule(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -921,7 +921,7 @@ class TestL7Rule(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -1125,7 +1125,7 @@ class TestL7Rule(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
|
@ -112,7 +112,7 @@ class TestListener(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -558,7 +558,7 @@ class TestListener(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -976,7 +976,7 @@ class TestListener(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -2106,7 +2106,7 @@ class TestListener(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -2267,7 +2267,7 @@ class TestListener(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -2926,7 +2926,7 @@ class TestListener(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
|
@ -995,7 +995,7 @@ class TestLoadBalancer(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -1306,7 +1306,7 @@ class TestLoadBalancer(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -1892,7 +1892,7 @@ class TestLoadBalancer(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -2092,7 +2092,7 @@ class TestLoadBalancer(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -2276,7 +2276,7 @@ class TestLoadBalancer(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -4008,7 +4008,7 @@ class TestLoadBalancerGraph(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -4111,7 +4111,7 @@ class TestLoadBalancerGraph(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
|
@ -89,7 +89,7 @@ class TestMember(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -194,7 +194,7 @@ class TestMember(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -529,7 +529,7 @@ class TestMember(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -1178,7 +1178,7 @@ class TestMember(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -1360,7 +1360,7 @@ class TestMember(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
|
@ -105,7 +105,7 @@ class TestPool(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -247,7 +247,7 @@ class TestPool(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -742,7 +742,7 @@ class TestPool(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -1274,7 +1274,7 @@ class TestPool(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -2102,7 +2102,7 @@ class TestPool(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
|
@ -394,7 +394,7 @@ class TestQuotas(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -440,7 +440,7 @@ class TestQuotas(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_observer'],
|
'roles': ['load-balancer_observer', 'reader'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -480,18 +480,18 @@ class TestQuotas(base.BaseAPITest):
|
|||||||
self._assert_quotas_equal(quotas, quota2)
|
self._assert_quotas_equal(quotas, quota2)
|
||||||
|
|
||||||
def test_get_Authorized_member(self):
|
def test_get_Authorized_member(self):
|
||||||
self._test_get_Authorized('load-balancer_member')
|
self._test_get_Authorized(['load-balancer_member', 'member'])
|
||||||
|
|
||||||
def test_get_Authorized_observer(self):
|
def test_get_Authorized_observer(self):
|
||||||
self._test_get_Authorized('load-balancer_observer')
|
self._test_get_Authorized(['load-balancer_observer', 'reader'])
|
||||||
|
|
||||||
def test_get_Authorized_global_observer(self):
|
def test_get_Authorized_global_observer(self):
|
||||||
self._test_get_Authorized('load-balancer_global_observer')
|
self._test_get_Authorized(['load-balancer_global_observer'])
|
||||||
|
|
||||||
def test_get_Authorized_quota_admin(self):
|
def test_get_Authorized_quota_admin(self):
|
||||||
self._test_get_Authorized('load-balancer_quota_admin')
|
self._test_get_Authorized(['load-balancer_quota_admin'])
|
||||||
|
|
||||||
def _test_get_Authorized(self, role):
|
def _test_get_Authorized(self, roles):
|
||||||
project1_id = uuidutils.generate_uuid()
|
project1_id = uuidutils.generate_uuid()
|
||||||
quota1 = self.create_quota(
|
quota1 = self.create_quota(
|
||||||
project_id=project1_id, lb_quota=1, member_quota=1
|
project_id=project1_id, lb_quota=1, member_quota=1
|
||||||
@ -509,7 +509,7 @@ class TestQuotas(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': [role],
|
'roles': roles,
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
@ -704,7 +704,7 @@ class TestQuotas(base.BaseAPITest):
|
|||||||
'is_admin_project': True,
|
'is_admin_project': True,
|
||||||
'service_project_domain_id': None,
|
'service_project_domain_id': None,
|
||||||
'service_project_id': None,
|
'service_project_id': None,
|
||||||
'roles': ['load-balancer_member'],
|
'roles': ['load-balancer_member', 'member'],
|
||||||
'user_id': None,
|
'user_id': None,
|
||||||
'is_admin': False,
|
'is_admin': False,
|
||||||
'service_user_domain_id': None,
|
'service_user_domain_id': None,
|
||||||
|
@ -164,23 +164,20 @@ class PolicyTestCase(base.TestCase):
|
|||||||
def test_check_is_admin_fail(self):
|
def test_check_is_admin_fail(self):
|
||||||
self.assertFalse(policy.get_enforcer().check_is_admin(self.context))
|
self.assertFalse(policy.get_enforcer().check_is_admin(self.context))
|
||||||
|
|
||||||
# TODO(johnsom) When oslo.policy changes "enforce_new_defaults" to True
|
|
||||||
# this test will fail as "system_scope:all" will be required.
|
|
||||||
# This test and the conditional in common/policy.py can then
|
|
||||||
# be removed in favor of test_check_is_admin_new_defaults().
|
|
||||||
def test_check_is_admin(self):
|
def test_check_is_admin(self):
|
||||||
self.context = context.RequestContext('admin', project_id='fake',
|
self.context = context.RequestContext('admin', project_id='fake',
|
||||||
roles=['AdMiN'])
|
roles=['AdMiN'])
|
||||||
|
|
||||||
self.assertTrue(policy.get_enforcer().check_is_admin(self.context))
|
self.assertTrue(policy.get_enforcer().check_is_admin(self.context))
|
||||||
|
|
||||||
def test_check_is_admin_new_defaults(self):
|
def test_check_is_admin_with_system_scope_token(self):
|
||||||
conf = oslo_fixture.Config(config.cfg.CONF)
|
conf = oslo_fixture.Config(config.cfg.CONF)
|
||||||
conf.config(group="oslo_policy", enforce_new_defaults=True)
|
conf.config(group="oslo_policy", enforce_new_defaults=True)
|
||||||
|
conf.config(group="oslo_policy", enforce_scope=True)
|
||||||
self.context = context.RequestContext('admin', roles=['AdMiN'],
|
self.context = context.RequestContext('admin', roles=['AdMiN'],
|
||||||
system_scope='all')
|
system_scope='all')
|
||||||
|
|
||||||
self.assertTrue(policy.get_enforcer().check_is_admin(self.context))
|
self.assertFalse(policy.get_enforcer().check_is_admin(self.context))
|
||||||
|
|
||||||
def test_get_enforcer(self):
|
def test_get_enforcer(self):
|
||||||
self.assertTrue(isinstance(policy.get_no_context_enforcer(),
|
self.assertTrue(isinstance(policy.get_no_context_enforcer(),
|
||||||
|
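Review bot: `test_check_is_admin_with_system_scope_token` asserts only that `check_is_admin` returns False, which cannot distinguish the `InvalidScope` branch from an ordinary role denial. A one-line comment such as `# role matches, so False here can only come from the scope check` would state the intent, and asserting that the warning was logged would prove the branch ran. `test_check_is_admin` above now relies on the library defaults for its positive result; pinning `enforce_scope=True` and `enforce_new_defaults=True` there as well would keep the pair meaningful if the defaults move again. Separately, `oslo_fixture.Config(config.cfg.CONF)` is not wrapped in `self.useFixture(...)` in the visible lines, so the overrides may outlive the test unless the base class resets them; worth confirming.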