Example #1
    def setUp(self):
        """Create the controller, a blank request and the expected contexts.

        The rule under test is named admin_or_owner, but the server group's
        project id is not passed to policy enforcement, so ownership is
        never compared. The lists below record that behaviour as it stands;
        the new defaults with scope enabled are expected to restrict these
        operations to meaningful roles.
        """
        super(ServerGroupPolicyTest, self).setUp()
        self.controller = server_groups.ServerGroupController()
        self.req = fakes.HTTPRequest.blank('')

        # NOTE(review): other_project_member_context is in the authorized
        # list and the unauthorized list is empty, so this fixture expects
        # cross-project access to succeed and has no negative case.
        authorized = [
            self.legacy_admin_context,
            self.system_admin_context,
            self.project_admin_context,
            self.project_member_context,
            self.project_reader_context,
            self.project_foo_context,
            self.system_member_context,
            self.system_reader_context,
            self.system_foo_context,
            self.other_project_member_context,
        ]
        self.admin_or_owner_authorized_contexts = authorized
        self.admin_or_owner_unauthorized_contexts = []
Example #2
 def _setup_controller(self):
     """Attach a fresh ServerGroupController to this test case."""
     controller = sg_v21.ServerGroupController()
     self.controller = controller
Example #3
 def setUp(self):
     """Prepare a controller that runs with the unified-limits quota driver.

     The quota driver flag is switched before the controller is built.
     A LimitFixture is then installed whose first mapping sets
     'server_groups' to 10 and whose second mapping is empty.
     """
     super(ServerGroupQuotasUnifiedLimitsTestV21, self).setUp()
     self.flags(group='quota', driver='nova.quota.UnifiedLimitsDriver')
     self.req = fakes.HTTPRequest.blank('')
     self.controller = sg_v21.ServerGroupController()
     limits = limit_fixture.LimitFixture({'server_groups': 10}, {})
     self.useFixture(limits)
    def setUp(self):
        """Build the controller, mocked server groups and expected contexts.

        InstanceGroup.get_by_uuid is patched to return a group owned by
        self.project_id. Each *_authorized_contexts list names the request
        contexts expected to pass a policy check, and the matching
        *_unauthorized_contexts list names those expected to be rejected.
        """
        super(ServerGroupPolicyTest, self).setUp()
        self.controller = server_groups.ServerGroupController()
        self.req = fakes.HTTPRequest.blank('')

        patcher = fixtures.MockPatch('nova.objects.InstanceGroup.get_by_uuid')
        self.mock_get = self.useFixture(patcher).mock

        # NOTE(review): both groups are created with uuids.fake_id, and only
        # the first one (owned by self.project_id) is returned by the mock.
        own_group = objects.InstanceGroup(
            uuid=uuids.fake_id, name='fake', project_id=self.project_id,
            user_id='u1', policies=[], members=[])
        foreign_group = objects.InstanceGroup(
            uuid=uuids.fake_id, name='fake2', project_id='proj2',
            user_id='u2', policies=[], members=[])
        self.sg = [own_group, foreign_group]
        self.mock_get.return_value = own_group

        # Short local names for the contexts supplied by the base test case.
        legacy_admin = self.legacy_admin_context
        system_admin = self.system_admin_context
        system_member = self.system_member_context
        system_reader = self.system_reader_context
        system_foo = self.system_foo_context
        project_admin = self.project_admin_context
        project_member = self.project_member_context
        project_reader = self.project_reader_context
        project_foo = self.project_foo_context
        other_member = self.other_project_member_context
        other_reader = self.other_project_reader_context

        # Delete: admins and every role in the owning project must pass.
        self.admin_or_owner_authorized_contexts = [
            legacy_admin, system_admin, project_admin,
            project_member, project_reader, project_foo,
        ]
        # Delete: non-admin system roles and other-project contexts must
        # be rejected.
        self.admin_or_owner_unauthorized_contexts = [
            system_member, system_reader, system_foo,
            other_member, other_reader,
        ]

        # Get: admins, owning-project roles, system member and system reader
        # must pass.
        self.system_reader_or_owner_authorized_contexts = [
            legacy_admin, system_admin, project_admin,
            project_member, project_reader,
            system_member, system_reader, project_foo,
        ]
        # Get: system_foo and both other-project contexts must be rejected.
        self.system_reader_or_owner_unauthorized_contexts = [
            system_foo, other_member, other_reader,
        ]

        # List: with the old defaults every context may list its own server
        # groups, so nothing is expected to be rejected.
        self.everyone_authorized_contexts = [
            legacy_admin, system_admin, project_admin,
            project_member, project_reader, project_foo,
            system_member, system_reader, system_foo,
            other_member, other_reader,
        ]
        self.everyone_unauthorized_contexts = []

        # Create: with the old defaults no context is rejected, so the
        # unauthorized list is empty.
        self.project_member_authorized_contexts = [
            legacy_admin, system_admin, project_admin,
            project_member, system_member, project_reader,
            project_foo, system_reader, system_foo,
            other_member, other_reader,
        ]
        self.project_member_unauthorized_contexts = []
Example #5
    def setUp(self):
        """Build the controller, mocked server groups and expected contexts.

        InstanceGroup.get_by_uuid is patched to return a group owned by
        self.project_id. The lists describe who is expected to pass each
        policy check while legacy rules are enabled and scope checks are
        disabled, which the original comments give as the default.
        """
        super(ServerGroupPolicyTest, self).setUp()
        self.controller = server_groups.ServerGroupController()
        self.req = fakes.HTTPRequest.blank('')

        patcher = fixtures.MockPatch('nova.objects.InstanceGroup.get_by_uuid')
        self.mock_get = self.useFixture(patcher).mock

        # NOTE(review): both groups are created with uuids.fake_id, and only
        # the first one (owned by self.project_id) is returned by the mock.
        own_group = objects.InstanceGroup(
            uuid=uuids.fake_id, name='fake', project_id=self.project_id,
            user_id='u1', policies=[], members=[])
        foreign_group = objects.InstanceGroup(
            uuid=uuids.fake_id, name='fake2', project_id='proj2',
            user_id='u2', policies=[], members=[])
        self.sg = [own_group, foreign_group]
        self.mock_get.return_value = own_group

        # Delete and get: the legacy rule allows the server group owner
        # (same project id, no role check), so the admins and every role in
        # the owning project pass. Each attribute gets its own list object.
        admins_and_owning_project = [
            self.legacy_admin_context,
            self.system_admin_context,
            self.project_admin_context,
            self.project_member_context,
            self.project_reader_context,
            self.project_foo_context,
        ]
        self.project_member_authorized_contexts = list(
            admins_and_owning_project)
        self.project_reader_authorized_contexts = list(
            admins_and_owning_project)

        # Get across all projects: system admin, legacy admin and project
        # admin.
        self.project_admin_authorized_contexts = [
            self.legacy_admin_context,
            self.system_admin_context,
            self.project_admin_context,
        ]

        # List: the project id cannot be checked, so every context is
        # allowed, including those from another project.
        # NOTE(review): this method sets no *_unauthorized_contexts lists.
        self.everyone_authorized_contexts = [
            self.legacy_admin_context,
            self.system_admin_context,
            self.project_admin_context,
            self.project_member_context,
            self.project_reader_context,
            self.project_foo_context,
            self.other_project_reader_context,
            self.system_member_context,
            self.system_reader_context,
            self.system_foo_context,
            self.other_project_member_context,
        ]

        # Create: with the legacy rule anyone can create a server group, so
        # this reuses the same list object as the list check.
        self.project_create_authorized_contexts = (
            self.everyone_authorized_contexts)