Fix tests for oslo.policy new defaults enable by default

oslo.policy has enabled the new RBAC config options
enforce_scope and enforce_new_defaults by default[1][2].

Octavia is ready for the new RBAC, but we need to fix
the tests and clean up the system scope handling in the base rules.

Needed-By: https://review.opendev.org/c/openstack/requirements/+/925464

[1] https://review.opendev.org/c/openstack/oslo.policy/+/924283
[2] https://review.opendev.org/c/openstack/releases/+/925032

Change-Id: Ifbec670e1afa86725d2659a185f6c185abbefb16
Ghanshyam Mann 2024-08-02 11:10:55 -07:00 committed by Michael Johnson
parent c2c5a4ce82
commit 240347fc3e
13 changed files with 56 additions and 79 deletions


@ -137,9 +137,8 @@ class Policy(oslo_policy.Enforcer):
try: try:
result = self.enforce('context_is_admin', credentials, credentials) result = self.enforce('context_is_admin', credentials, credentials)
except oslo_policy.InvalidScope as e: except oslo_policy.InvalidScope as e:
# This will happen if the token being used is not system scoped # This will happen if the token being used is system scoped
# which is required for the admin roles when scope checking is # when scope checking is enabled.
# enabled.
LOG.warning(str(e)) LOG.warning(str(e))
return False return False
return result return result
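Review bot: The rewritten comment in the `except oslo_policy.InvalidScope` branch names only system scoped tokens, but the branch handles any scope that oslo.policy rejects for `context_is_admin`; if that rule stays limited to project scope, a domain scoped token would presumably land here too. A wording such as `# Raised when the token scope is not allowed for context_is_admin (for example a system scoped token) and scope checking is enabled.` would stay accurate. Returning False keeps the admin check failing closed, and the comment could say so. The enclosing method starts outside this hunk.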


@ -41,20 +41,6 @@ rules = [
# OpenStack wide scoped rules # OpenStack wide scoped rules
# System scoped Administrator
policy.RuleDefault(
name='system-admin',
check_str='role:admin and '
'system_scope:all',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
# System scoped Reader
policy.RuleDefault(
name='system-reader',
check_str='role:reader and '
'system_scope:all',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
# Project scoped Member # Project scoped Member
policy.RuleDefault( policy.RuleDefault(
name='project-member', name='project-member',
@ -85,13 +71,10 @@ rules = [
# role:load-balancer_admin # role:load-balancer_admin
# User is considered an admin for all load-balancer APIs including # User is considered an admin for all load-balancer APIs including
# resources owned by others. # resources owned by others.
# role:admin and system_scope:all
# User is admin to all service APIs, including Octavia.
policy.RuleDefault( policy.RuleDefault(
name='context_is_admin', name='context_is_admin',
check_str='role:load-balancer_admin or ' check_str='role:load-balancer_admin or '
'rule:system-admin or '
'role:admin', 'role:admin',
deprecated_rule=deprecated_context_is_admin, deprecated_rule=deprecated_context_is_admin,
scope_types=[constants.RBAC_SCOPE_PROJECT]), scope_types=[constants.RBAC_SCOPE_PROJECT]),
@ -115,8 +98,7 @@ rules = [
policy.RuleDefault( policy.RuleDefault(
name='load-balancer:global_observer', name='load-balancer:global_observer',
check_str='role:load-balancer_global_observer or ' check_str='role:load-balancer_global_observer',
'rule:system-reader',
scope_types=[constants.RBAC_SCOPE_PROJECT]), scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault( policy.RuleDefault(
@ -132,7 +114,6 @@ rules = [
name='load-balancer:admin', name='load-balancer:admin',
check_str='is_admin:True or ' check_str='is_admin:True or '
'role:load-balancer_admin or ' 'role:load-balancer_admin or '
'rule:system-admin or '
'role:admin', 'role:admin',
scope_types=[constants.RBAC_SCOPE_PROJECT]), scope_types=[constants.RBAC_SCOPE_PROJECT]),
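Review bot: The named rules `system-admin` and `system-reader` are dropped from the defaults without an upgrade note in any of the files shown, so deployments whose policy override file still references `rule:system-admin` or `rule:system-reader` would be affected. As far as I know oslo.policy evaluates a reference to an undefined rule as a denial, so such overrides would fail closed rather than open, but operators would see admin or global-observer access disappear without explanation. I would add a release note saying that these two rules are gone and that `context_is_admin`, `load-balancer:global_observer` and `load-balancer:admin` no longer match through them. The `rules` list starts and ends outside these hunks.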


@ -214,7 +214,7 @@ class TestAvailabilityZones(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
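Review bot: Every fixture in this file and in the other API test modules on this page gains the `member` (or `reader`) role, but none of the visible hunks adds a case for a token that carries only `load-balancer_member`. Since the fixtures had to change, such a token is presumably no longer authorized under the enforced new defaults. A negative test using `'roles': ['load-balancer_member'],` that expects the request to be refused would pin that behaviour. Whether such a test already exists outside the hunks cannot be seen here, and the surrounding dict and test method start and end outside this hunk.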


@ -214,7 +214,7 @@ class TestFlavors(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -308,7 +308,7 @@ class TestFlavors(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,


@ -137,7 +137,7 @@ class TestHealthMonitor(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -293,7 +293,7 @@ class TestHealthMonitor(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -1258,7 +1258,7 @@ class TestHealthMonitor(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -1714,7 +1714,7 @@ class TestHealthMonitor(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -2064,7 +2064,7 @@ class TestHealthMonitor(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,


@ -76,7 +76,7 @@ class TestL7Policy(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -209,7 +209,7 @@ class TestL7Policy(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -685,7 +685,7 @@ class TestL7Policy(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -919,7 +919,7 @@ class TestL7Policy(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -1165,7 +1165,7 @@ class TestL7Policy(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,


@ -76,7 +76,7 @@ class TestL7Rule(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -175,7 +175,7 @@ class TestL7Rule(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -542,7 +542,7 @@ class TestL7Rule(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -921,7 +921,7 @@ class TestL7Rule(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -1125,7 +1125,7 @@ class TestL7Rule(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,


@ -112,7 +112,7 @@ class TestListener(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -558,7 +558,7 @@ class TestListener(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -976,7 +976,7 @@ class TestListener(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -2106,7 +2106,7 @@ class TestListener(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -2267,7 +2267,7 @@ class TestListener(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -2926,7 +2926,7 @@ class TestListener(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,


@ -995,7 +995,7 @@ class TestLoadBalancer(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -1306,7 +1306,7 @@ class TestLoadBalancer(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -1892,7 +1892,7 @@ class TestLoadBalancer(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -2092,7 +2092,7 @@ class TestLoadBalancer(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -2276,7 +2276,7 @@ class TestLoadBalancer(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -4008,7 +4008,7 @@ class TestLoadBalancerGraph(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -4111,7 +4111,7 @@ class TestLoadBalancerGraph(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,


@ -89,7 +89,7 @@ class TestMember(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -194,7 +194,7 @@ class TestMember(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -529,7 +529,7 @@ class TestMember(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -1178,7 +1178,7 @@ class TestMember(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -1360,7 +1360,7 @@ class TestMember(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,


@ -105,7 +105,7 @@ class TestPool(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -247,7 +247,7 @@ class TestPool(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -742,7 +742,7 @@ class TestPool(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -1274,7 +1274,7 @@ class TestPool(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -2102,7 +2102,7 @@ class TestPool(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,


@ -394,7 +394,7 @@ class TestQuotas(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -440,7 +440,7 @@ class TestQuotas(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_observer'], 'roles': ['load-balancer_observer', 'reader'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -480,18 +480,18 @@ class TestQuotas(base.BaseAPITest):
self._assert_quotas_equal(quotas, quota2) self._assert_quotas_equal(quotas, quota2)
def test_get_Authorized_member(self): def test_get_Authorized_member(self):
self._test_get_Authorized('load-balancer_member') self._test_get_Authorized(['load-balancer_member', 'member'])
def test_get_Authorized_observer(self): def test_get_Authorized_observer(self):
self._test_get_Authorized('load-balancer_observer') self._test_get_Authorized(['load-balancer_observer', 'reader'])
def test_get_Authorized_global_observer(self): def test_get_Authorized_global_observer(self):
self._test_get_Authorized('load-balancer_global_observer') self._test_get_Authorized(['load-balancer_global_observer'])
def test_get_Authorized_quota_admin(self): def test_get_Authorized_quota_admin(self):
self._test_get_Authorized('load-balancer_quota_admin') self._test_get_Authorized(['load-balancer_quota_admin'])
def _test_get_Authorized(self, role): def _test_get_Authorized(self, roles):
project1_id = uuidutils.generate_uuid() project1_id = uuidutils.generate_uuid()
quota1 = self.create_quota( quota1 = self.create_quota(
project_id=project1_id, lb_quota=1, member_quota=1 project_id=project1_id, lb_quota=1, member_quota=1
@ -509,7 +509,7 @@ class TestQuotas(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': [role], 'roles': roles,
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,
@ -704,7 +704,7 @@ class TestQuotas(base.BaseAPITest):
'is_admin_project': True, 'is_admin_project': True,
'service_project_domain_id': None, 'service_project_domain_id': None,
'service_project_id': None, 'service_project_id': None,
'roles': ['load-balancer_member'], 'roles': ['load-balancer_member', 'member'],
'user_id': None, 'user_id': None,
'is_admin': False, 'is_admin': False,
'service_user_domain_id': None, 'service_user_domain_id': None,


@ -164,23 +164,20 @@ class PolicyTestCase(base.TestCase):
def test_check_is_admin_fail(self): def test_check_is_admin_fail(self):
self.assertFalse(policy.get_enforcer().check_is_admin(self.context)) self.assertFalse(policy.get_enforcer().check_is_admin(self.context))
# TODO(johnsom) When oslo.policy changes "enforce_new_defaults" to True
# this test will fail as "system_scope:all" will be required.
# This test and the conditional in common/policy.py can then
# be removed in favor of test_check_is_admin_new_defaults().
def test_check_is_admin(self): def test_check_is_admin(self):
self.context = context.RequestContext('admin', project_id='fake', self.context = context.RequestContext('admin', project_id='fake',
roles=['AdMiN']) roles=['AdMiN'])
self.assertTrue(policy.get_enforcer().check_is_admin(self.context)) self.assertTrue(policy.get_enforcer().check_is_admin(self.context))
def test_check_is_admin_new_defaults(self): def test_check_is_admin_with_system_scope_token(self):
conf = oslo_fixture.Config(config.cfg.CONF) conf = oslo_fixture.Config(config.cfg.CONF)
conf.config(group="oslo_policy", enforce_new_defaults=True) conf.config(group="oslo_policy", enforce_new_defaults=True)
conf.config(group="oslo_policy", enforce_scope=True)
self.context = context.RequestContext('admin', roles=['AdMiN'], self.context = context.RequestContext('admin', roles=['AdMiN'],
system_scope='all') system_scope='all')
self.assertTrue(policy.get_enforcer().check_is_admin(self.context)) self.assertFalse(policy.get_enforcer().check_is_admin(self.context))
def test_get_enforcer(self): def test_get_enforcer(self):
self.assertTrue(isinstance(policy.get_no_context_enforcer(), self.assertTrue(isinstance(policy.get_no_context_enforcer(),
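Review bot: `test_check_is_admin` now relies on whatever `enforce_scope` and `enforce_new_defaults` default to in the installed oslo.policy, while `test_check_is_admin_with_system_scope_token` pins both explicitly. Pinning them in the positive test too, with `conf.config(group="oslo_policy", enforce_new_defaults=True)` and `conf.config(group="oslo_policy", enforce_scope=True)`, would make the project-scoped admin result independent of the library version; the base test class may already set them, which is not visible here. The negative test could also assert that the denial came from the scope check, for instance by checking that the warning was logged, so it cannot pass for an unrelated reason.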