nscaledev · spjmurray · Sep 4, 2024 · Sep 4, 2024
diff --git a/unikorn_openstack_policy/base.py b/unikorn_openstack_policy/base.py
@@ -27,16 +27,16 @@
     # The domain manager has the role 'manager', as defined by
     # https://docs.scs.community/standards/scs-0302-v1-domain-manager-role/
     policy.RuleDefault(
-        name='is_domain_manager',
+        name='is_manager',
         check_str='role:manager',
         description='Rule for manager access',
     ),
 
     # A common helper to define that the user is a manager and the resource
     # target is in the same domain as the user is scoped to.
     policy.RuleDefault(
-        name='is_project_manager_owner',
-        check_str='rule:is_domain_manager and project_id:%(project_id)s',
+        name='is_project_manager',
+        check_str='rule:is_manager and project_id:%(project_id)s',
         description='Rule for domain manager ownership',
     ),
 ]

diff --git a/unikorn_openstack_policy/compute.py b/unikorn_openstack_policy/compute.py
@@ -28,7 +28,7 @@
     # or it won't we able to fulfill any cluster creation requests.
     policy.RuleDefault(
         name='os_compute_api:os-quota-sets:update',
-        check_str='rule:is_project_manager_owner',
+        check_str='rule:is_project_manager',
         description='Update the quotas',
     )
 ]

diff --git a/unikorn_openstack_policy/network.py b/unikorn_openstack_policy/network.py
@@ -30,34 +30,41 @@
     # allow provider networks, if the prior rule changes, then we can open up a security hole.
     policy.RuleDefault(
         name='create_network',
-        check_str='rule:is_project_manager_owner',
+        check_str='rule:is_project_manager',
         description='Create a network',
     ),
     policy.RuleDefault(
         name='delete_network',
-        check_str='rule:is_project_manager_owner',
+        check_str='rule:is_project_manager',
         description='Delete a network',
     ),
     policy.RuleDefault(
         name='create_network:segments',
-        check_str='rule:is_project_manager_owner',
+        check_str='rule:is_project_manager',
         description='Specify ``segments`` attribute when creating a network',
     ),
     policy.RuleDefault(
         name='create_network:provider:network_type',
-        check_str='rule:is_project_manager_owner',
+        check_str='rule:is_project_manager',
         description='Specify ``provider:network_type`` when creating a network',
     ),
     policy.RuleDefault(
         name='create_network:provider:physical_network',
-        check_str='rule:is_project_manager_owner',
+        check_str='rule:is_project_manager',
         description='Specify ``provider:physical_network`` when creating a network',
     ),
     policy.RuleDefault(
         name='create_network:provider:segmentation_id',
-        check_str='rule:is_project_manager_owner',
+        check_str='rule:is_project_manager',
         description='Specify ``provider:segmentation_id`` when creating a network',
     ),
+
+    # The domain manager can update quotas.
+    policy.RuleDefault(
+        name='update_quota',
+        check_str='rule:is_project_manager',
+        description='Update a resource quota',
+    )
 ]
 
 

diff --git a/unikorn_openstack_policy/tests/test_network.py b/unikorn_openstack_policy/tests/test_network.py
@@ -72,6 +72,11 @@ def test_delete_network(self):
         self.assertTrue(self.enforce('delete_network', self.target, self.context))
         self.assertTrue(self.enforce('delete_network', self.alt_target, self.context))
 
+    def test_update_quotas(self):
+        """Admin can update quotas"""
+        self.assertTrue(self.enforce('update_quota', self.target, self.context))
+        self.assertTrue(self.enforce('update_quota', self.alt_target, self.context))
+
 
 class DomainAdminNetworkPolicyTests(ProjectAdminNetworkPolicyTests):
     """
@@ -140,13 +145,21 @@ def test_create_network_provider_segmentation_id(self):
                 'create_network:provider:segmentation_id', self.alt_target, self.context)
 
     def test_delete_network(self):
-        """Project manager cannot create networks"""
+        """Project manager can create networks"""
         self.assertTrue(self.enforce('delete_network', self.target, self.context))
         self.assertRaises(
                 policy.PolicyNotAuthorized,
                 self.enforce,
                 'delete_network', self.alt_target, self.context)
 
+    def test_update_quotas(self):
+        """Project manager can update quotas"""
+        self.assertTrue(self.enforce('update_quota', self.target, self.context))
+        self.assertRaises(
+            policy.PolicyNotAuthorized,
+            self.enforce,
+            'update_quota', self.alt_target, self.context)
+
 
 class DomainManagerNetworkPolicyTests(base.PolicyTestsBase):
     """
@@ -224,6 +237,17 @@ def test_delete_network(self):
                 self.enforce,
                 'delete_network', self.alt_target, self.context)
 
+    def test_update_quotas(self):
+        """Domain manager cannot update quotas"""
+        self.assertRaises(
+            policy.PolicyNotAuthorized,
+            self.enforce,
+            'update_quota', self.target, self.context)
+        self.assertRaises(
+            policy.PolicyNotAuthorized,
+            self.enforce,
+            'update_quota', self.alt_target, self.context)
+
 
 class ProjectMemberNetworkPolicyTests(base.PolicyTestsBase):
     """
@@ -279,6 +303,13 @@ def test_delete_network(self):
                 self.enforce,
                 'delete_network', self.alt_target, self.context)
 
+    def test_update_quotas(self):
+        """Project member cannot update quotas"""
+        self.assertRaises(
+            policy.PolicyNotAuthorized,
+            self.enforce,
+            'update_quota', self.target, self.context)
+
 
 class DomainMemberNetworkPolicyTests(base.PolicyTestsBase):
     """
@@ -326,10 +357,17 @@ def test_create_network_provider_segmentation_id(self):
                 'create_network:provider:segmentation_id', self.target, self.context)
 
     def test_delete_network(self):
-        """Project member can delete networks"""
+        """Domain member cannot delete networks"""
         self.assertRaises(
                 policy.PolicyNotAuthorized,
                 self.enforce,
                 'delete_network', self.target, self.context)
 
+    def test_update_quotas(self):
+        """Domain member cannot update quotas"""
+        self.assertRaises(
+            policy.PolicyNotAuthorized,
+            self.enforce,
+            'update_quota', self.target, self.context)
+
 # vi: ts=4 et: