def setUp(self):
    """Build the controller, a blank fake request and the context lists.

    The lists name the request contexts expected to pass, or to be
    refused, for the ``admin_or_owner`` server group rule.
    """
    super(ServerGroupPolicyTest, self).setUp()
    self.controller = server_groups.ServerGroupController()
    self.req = fakes.HTTPRequest.blank('')

    admins = [
        self.legacy_admin_context,
        self.system_admin_context,
        self.project_admin_context,
    ]
    project_users = [
        self.project_member_context,
        self.project_reader_context,
        self.project_foo_context,
    ]
    system_users = [
        self.system_member_context,
        self.system_reader_context,
        self.system_foo_context,
    ]

    # The rule is admin_or_owner, but the project id is not passed to
    # policy enforcement, so the ownership part cannot be checked. The
    # project id in question is that of the server group the request is
    # made for. It is kept as it is; with the new defaults and scope
    # checks enabled these can be authorized to meaningful roles.
    #
    # Visible consequence: a member of another project is in the
    # authorized list and nothing is expected to be refused, so these
    # lists pin the permissive behaviour, not tenant isolation.
    self.admin_or_owner_authorized_contexts = (
        admins
        + project_users
        + system_users
        + [self.other_project_member_context]
    )
    self.admin_or_owner_unauthorized_contexts = []
def _setup_controller(self):
    """Install a fresh v2.1 ``ServerGroupController`` on the test case."""
    controller = sg_v21.ServerGroupController()
    self.controller = controller
def setUp(self):
    """Prepare a server group controller under the unified-limits driver.

    Sets the ``driver`` option of the ``quota`` group, builds a blank fake
    request and the v2.1 controller, then installs a limit fixture whose
    first mapping gives ``server_groups`` a value of 10.
    """
    super(ServerGroupQuotasUnifiedLimitsTestV21, self).setUp()

    quota_driver = 'nova.quota.UnifiedLimitsDriver'
    self.flags(group='quota', driver=quota_driver)

    self.req = fakes.HTTPRequest.blank('')
    self.controller = sg_v21.ServerGroupController()

    # NOTE(review): the two mappings are presumably the registered limits
    # and the per-project overrides -- confirm against LimitFixture.
    limits = limit_fixture.LimitFixture({'server_groups': 10}, {})
    self.useFixture(limits)
def setUp(self):
    """Build the controller, the mocked group lookup and context lists.

    Each ``*_authorized_contexts`` / ``*_unauthorized_contexts`` pair names
    the request contexts expected to pass, or to be refused, for one rule.
    """
    super(ServerGroupPolicyTest, self).setUp()
    self.controller = server_groups.ServerGroupController()
    self.req = fakes.HTTPRequest.blank('')

    # Replace the group lookup with a mock for the duration of the test.
    lookup_patch = fixtures.MockPatch(
        'nova.objects.InstanceGroup.get_by_uuid')
    self.mock_get = self.useFixture(lookup_patch).mock

    # Both groups are built with the same uuids.fake_id; they differ in
    # name, project_id and user_id.
    primary_group = objects.InstanceGroup(
        uuid=uuids.fake_id, name='fake', project_id=self.project_id,
        user_id='u1', policies=[], members=[])
    proj2_group = objects.InstanceGroup(
        uuid=uuids.fake_id, name='fake2', project_id='proj2',
        user_id='u2', policies=[], members=[])
    self.sg = [primary_group, proj2_group]
    # The mocked lookup hands back the group whose project_id is
    # self.project_id, so ownership is judged against that project.
    self.mock_get.return_value = primary_group

    admins = [
        self.legacy_admin_context,
        self.system_admin_context,
        self.project_admin_context,
    ]
    project_users = [
        self.project_member_context,
        self.project_reader_context,
        self.project_foo_context,
    ]
    system_users = [
        self.system_member_context,
        self.system_reader_context,
        self.system_foo_context,
    ]
    other_project_users = [
        self.other_project_member_context,
        self.other_project_reader_context,
    ]

    # Delete: an admin or the owner is expected to be allowed.
    self.admin_or_owner_authorized_contexts = admins + project_users
    # Delete: anyone who is neither admin nor owner is expected to be
    # refused, which covers the other-project contexts.
    self.admin_or_owner_unauthorized_contexts = (
        system_users + other_project_users)

    # Get: a system reader or the owner is expected to be allowed. The
    # old default is permissive here, yet the lists still refuse a system
    # user with an arbitrary role and the other-project contexts.
    self.system_reader_or_owner_authorized_contexts = admins + [
        self.project_member_context,
        self.project_reader_context,
        self.system_member_context,
        self.system_reader_context,
        self.project_foo_context,
    ]
    self.system_reader_or_owner_unauthorized_contexts = (
        [self.system_foo_context] + other_project_users)

    # List: with the old defaults every context is expected to be able to
    # list its own server groups, so nothing is refused.
    self.everyone_authorized_contexts = (
        admins + project_users + system_users + other_project_users)
    self.everyone_unauthorized_contexts = []

    # Create: the rule targets project members, but with the old defaults
    # every context, other-project ones included, is expected to pass.
    self.project_member_authorized_contexts = admins + [
        self.project_member_context,
        self.system_member_context,
        self.project_reader_context,
        self.project_foo_context,
        self.system_reader_context,
        self.system_foo_context,
    ] + other_project_users
    self.project_member_unauthorized_contexts = []
def setUp(self):
    """Build the controller, the mocked group lookup and context lists.

    Only the authorized side of each rule is listed here; the lists
    describe the default configuration, where legacy rules are enabled and
    scope checks are disabled.
    """
    super(ServerGroupPolicyTest, self).setUp()
    self.controller = server_groups.ServerGroupController()
    self.req = fakes.HTTPRequest.blank('')

    # Replace the group lookup with a mock for the duration of the test.
    lookup_patch = fixtures.MockPatch(
        'nova.objects.InstanceGroup.get_by_uuid')
    self.mock_get = self.useFixture(lookup_patch).mock

    # Both groups are built with the same uuids.fake_id; they differ in
    # name, project_id and user_id.
    primary_group = objects.InstanceGroup(
        uuid=uuids.fake_id, name='fake', project_id=self.project_id,
        user_id='u1', policies=[], members=[])
    proj2_group = objects.InstanceGroup(
        uuid=uuids.fake_id, name='fake2', project_id='proj2',
        user_id='u2', policies=[], members=[])
    self.sg = [primary_group, proj2_group]
    # The mocked lookup hands back the group whose project_id is
    # self.project_id, so ownership is judged against that project.
    self.mock_get.return_value = primary_group

    admins = [
        self.legacy_admin_context,
        self.system_admin_context,
        self.project_admin_context,
    ]
    project_users = [
        self.project_member_context,
        self.project_reader_context,
        self.project_foo_context,
    ]

    # Delete and get: with the legacy rule and no scope checks, every
    # admin plus the project's member, reader and arbitrary-role user is
    # allowed. The legacy rule accepts the server group owner on a
    # matching project id alone, without looking at the role.
    self.project_member_authorized_contexts = admins + project_users
    self.project_reader_authorized_contexts = admins + project_users

    # Legacy rules are on and scope checks are off by default, so the
    # system admin, legacy admin and project admin can get the server
    # groups of all projects.
    self.project_admin_authorized_contexts = list(admins)

    # List cannot check the project id, so every context is allowed,
    # including the ones from another project.
    self.everyone_authorized_contexts = admins + project_users + [
        self.other_project_reader_context,
        self.system_member_context,
        self.system_reader_context,
        self.system_foo_context,
        self.other_project_member_context,
    ]

    # Create: with the legacy rule anyone can create a server group. This
    # is the same list object as everyone_authorized_contexts, not a copy.
    self.project_create_authorized_contexts = (
        self.everyone_authorized_contexts)