Merge "Introduce scope_types in server external events"

2020-04-06 13:13:10 +00:00 · 2020-04-06 13:13:10 +00:00 · c2bd895c6b
commit c2bd895c6b
parent 4a63a43a60 85fca8e94c
2 changed files with 20 additions and 5 deletions
--- a/nova/policies/server_external_events.py
+++ b/nova/policies/server_external_events.py
@ -23,15 +23,16 @@ POLICY_ROOT = 'os_compute_api:os-server-external-events:%s'

 server_external_events_policies = [
    policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'create',
-        base.RULE_ADMIN_API,
-        "Create one or more external events",
-        [
+        name=POLICY_ROOT % 'create',
+        check_str=base.RULE_ADMIN_API,
+        description="Create one or more external events",
+        operations=[
            {
                'method': 'POST',
                'path': '/os-server-external-events'
            }
-        ]),
+        ],
+        scope_types=['system']),
 ]


--- a/nova/tests/unit/policies/test_server_external_events.py
+++ b/nova/tests/unit/policies/test_server_external_events.py
@ -77,3 +77,17 @@ class ServerExternalEventsScopeTypePolicyTest(ServerExternalEventsPolicyTest):
    def setUp(self):
        super(ServerExternalEventsScopeTypePolicyTest, self).setUp()
        self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that admin is able to create the server external events.
+        self.admin_authorized_contexts = [
+            self.system_admin_context,
+        ]
+        # Check that non-admin is not able to create the server
+        # external events.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.project_admin_context,
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context,
+            self.other_project_member_context
+        ]