diff --git a/unikorn_openstack_policy/base.py b/unikorn_openstack_policy/base.py
index 8209b9c..930f928 100644
--- a/unikorn_openstack_policy/base.py
+++ b/unikorn_openstack_policy/base.py
@@ -27,7 +27,7 @@
 # The domain manager has the role 'manager', as defined by
 # https://docs.scs.community/standards/scs-0302-v1-domain-manager-role/
 policy.RuleDefault(
- name='is_domain_manager',
+ name='is_manager',
 check_str='role:manager',
 description='Rule for manager access',
 ),
@@ -35,8 +35,8 @@
 # A common helper to define that the user is a manager and the resource
 # target is in the same domain as the user is scoped to.
 policy.RuleDefault(
- name='is_project_manager_owner',
- check_str='rule:is_domain_manager and project_id:%(project_id)s',
+ name='is_project_manager',
+ check_str='rule:is_manager and project_id:%(project_id)s',
 description='Rule for domain manager ownership',
 ),
 ]
diff --git a/unikorn_openstack_policy/compute.py b/unikorn_openstack_policy/compute.py
index bf0dbd3..3ee71af 100644
--- a/unikorn_openstack_policy/compute.py
+++ b/unikorn_openstack_policy/compute.py
@@ -28,7 +28,7 @@
 # or it won't we able to fulfill any cluster creation requests.
 policy.RuleDefault(
 name='os_compute_api:os-quota-sets:update',
- check_str='rule:is_project_manager_owner',
+ check_str='rule:is_project_manager',
 description='Update the quotas',
 )
 ]
diff --git a/unikorn_openstack_policy/network.py b/unikorn_openstack_policy/network.py
index c9cf735..ddab895 100644
--- a/unikorn_openstack_policy/network.py
+++ b/unikorn_openstack_policy/network.py
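Review bot: Renaming `is_domain_manager` to `is_manager` silently changes the outcome for any operator policy override or out-of-tree policy file that still references `rule:is_domain_manager`, because oslo.policy evaluates a reference to an undefined rule as a deny rather than raising, so a grant that used to work would start failing closed with no diagnostic. The commit updates compute.py and network.py but carries no compatibility note for external consumers of the old name. Consider adding `# Previously named 'is_domain_manager'; external policy files referencing the old name must be updated.` above the entry, or wiring the old name through oslo.policy's `deprecated_rule=` support on RuleDefault so the transition is explicit and logged. The list literal this entry belongs to starts before the hunk.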
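Review bot: The `description='Rule for domain manager ownership'` line and the two comment lines above it still describe a domain-scoped check, but the rule is now named `is_project_manager` and its `check_str` matches `project_id:%(project_id)s`, which is a project-scope comparison, not a domain one. Since this rule is what gates quota updates in compute.py and network.py, the stale wording makes the effective privilege harder to audit. Suggest `description='Rule for project manager ownership of the target project'` and rewording the comment to say the target is in the same project the user is scoped to.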
@@ -30,34 +30,41 @@ # allow provider networks, if the prior rule changes, then we can open up a security hole. policy.RuleDefault( name='create_network', - check_str='rule:is_project_manager_owner', + check_str='rule:is_project_manager', description='Create a network', ), policy.RuleDefault( name='delete_network', - check_str='rule:is_project_manager_owner', + check_str='rule:is_project_manager', description='Delete a network', ), policy.RuleDefault( name='create_network:segments', - check_str='rule:is_project_manager_owner', + check_str='rule:is_project_manager', description='Specify ``segments`` attribute when creating a network', ), policy.RuleDefault( name='create_network:provider:network_type', - check_str='rule:is_project_manager_owner', + check_str='rule:is_project_manager', description='Specify ``provider:network_type`` when creating a network', ), policy.RuleDefault( name='create_network:provider:physical_network', - check_str='rule:is_project_manager_owner', + check_str='rule:is_project_manager', description='Specify ``provider:physical_network`` when creating a network', ), policy.RuleDefault( name='create_network:provider:segmentation_id', - check_str='rule:is_project_manager_owner', + check_str='rule:is_project_manager', description='Specify ``provider:segmentation_id`` when creating a network', ), + + # The domain manager can update quotas. + policy.RuleDefault( + name='update_quota', + check_str='rule:is_project_manager', + description='Update a resource quota', + ) ] diff --git a/unikorn_openstack_policy/tests/test_network.py b/unikorn_openstack_policy/tests/test_network.py index d32b2ea..a32dfd7 100644 --- a/unikorn_openstack_policy/tests/test_network.py +++ b/unikorn_openstack_policy/tests/test_network.py 
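Review bot: The comment on the new entry, `# The domain manager can update quotas.`, contradicts both the check it attaches (`rule:is_project_manager`, i.e. role manager plus a matching `project_id`) and the test added in test_network.py, which asserts the domain manager is denied `update_quota`. Suggest `# A project manager can update the quota of their own project.`. Because this grant lets a project-scoped principal raise the limits on its own project, a one-line justification like the cluster-creation reasoning compute.py carries for `os-quota-sets:update` would let an auditor tell the grant is intentional rather than accidental. The new element is also the only one in the list without a trailing comma; the enclosing list literal starts before the hunk.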
@@ -72,6 +72,11 @@ def test_delete_network(self): self.assertTrue(self.enforce('delete_network', self.target, self.context)) self.assertTrue(self.enforce('delete_network', self.alt_target, self.context)) + def test_update_quotas(self): + """Admin can update quotas""" + self.assertTrue(self.enforce('update_quota', self.target, self.context)) + self.assertTrue(self.enforce('update_quota', self.alt_target, self.context)) + class DomainAdminNetworkPolicyTests(ProjectAdminNetworkPolicyTests): """ @@ -140,13 +145,21 @@ def test_create_network_provider_segmentation_id(self): 'create_network:provider:segmentation_id', self.alt_target, self.context) def test_delete_network(self): - """Project manager cannot create networks""" + """Project manager can create networks""" self.assertTrue(self.enforce('delete_network', self.target, self.context)) self.assertRaises( policy.PolicyNotAuthorized, self.enforce, 'delete_network', self.alt_target, self.context) + def test_update_quotas(self): + """Project manager can update quotas""" + self.assertTrue(self.enforce('update_quota', self.target, self.context)) + self.assertRaises( + policy.PolicyNotAuthorized, + self.enforce, + 'update_quota', self.alt_target, self.context) + class DomainManagerNetworkPolicyTests(base.PolicyTestsBase): """ @@ -224,6 +237,17 @@ def test_delete_network(self): self.enforce, 'delete_network', self.alt_target, self.context) + def test_update_quotas(self): + """Domain manager cannot update quotas""" + self.assertRaises( + policy.PolicyNotAuthorized, + self.enforce, + 'update_quota', self.target, self.context) + self.assertRaises( + policy.PolicyNotAuthorized, + self.enforce, + 'update_quota', self.alt_target, self.context) + class ProjectMemberNetworkPolicyTests(base.PolicyTestsBase): """ 
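Review bot: The corrected docstring on `test_delete_network`, `"""Project manager can create networks"""`, still names the wrong operation: the method enforces `delete_network`, and the body asserts success on `self.target` and `PolicyNotAuthorized` on `self.alt_target`. Suggest `"""Project manager can delete networks only in their own project"""`, which also captures the alt_target denial the test pins. Separately, every new `test_update_quotas` method in this file (the hunks at @@ -72, @@ -224, @@ -279 and @@ -326 as well as this one) enforces the rule named `update_quota`; naming them `test_update_quota` would make it straightforward to grep for the rule's test coverage.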
@@ -279,6 +303,13 @@ def test_delete_network(self): self.enforce, 'delete_network', self.alt_target, self.context) + def test_update_quotas(self): + """Project member cannot update quotas""" + self.assertRaises( + policy.PolicyNotAuthorized, + self.enforce, + 'update_quota', self.target, self.context) + class DomainMemberNetworkPolicyTests(base.PolicyTestsBase): """ @@ -326,10 +357,17 @@ def test_create_network_provider_segmentation_id(self): 'create_network:provider:segmentation_id', self.target, self.context) def test_delete_network(self): - """Project member can delete networks""" + """Domain member cannot delete networks""" self.assertRaises( policy.PolicyNotAuthorized, self.enforce, 'delete_network', self.target, self.context) + def test_update_quotas(self): + """Domain member cannot update quotas""" + self.assertRaises( + policy.PolicyNotAuthorized, + self.enforce, + 'update_quota', self.target, self.context) + # vi: ts=4 et: