yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1611628] Re: test_admin_only_rules doesn't check an 'admin_or_owner' case correctly

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1611628@xxxxxxxxxxxxxxxxxx>
Date: Thu, 11 Aug 2016 06:08:01 -0000
Reply-to: Bug 1611628 <1611628@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/351077
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=16a38564cb61031466bf60ac393363bfeaedbd93
Submitter: Jenkins
Branch:    master

commit 16a38564cb61031466bf60ac393363bfeaedbd93
Author: Takashi NATSUME <natsume.takashi@xxxxxxxxxxxxx>
Date:   Thu Aug 4 17:56:58 2016 +0900

    Fix server operations' policies to admin only
    
    Before the following policies were set to admin only operations
    by default.
    
    * detail:get_all_tenants
    * index:get_all_tenants
    * create:forced_host
    
    But currently they are not limited to admin users by default.
    They were changed unintentionally in
    I71b3d1233255125cb280a000b990329f5b03fdfd.
    So set them admin only again.
    And a unit test for policy is fixed.
    
    Change-Id: I1c0a4f1ff19d68152953dd6b265a7fb2e0f6271a
    Closes-Bug: #1609625
    Closes-Bug: #1609691
    Closes-Bug: #1611628


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1611628

Title:
  test_admin_only_rules doesn't check an 'admin_or_owner' case correctly

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  The test_admin_only_rules method of RealRolePolicyTestCase class in
  nova/tests/unit/test_policy.py doesn't check an 'admin_or_owner' case
  correctly.

  ----------------------------------------------------------------------------
      def test_admin_only_rules(self):
          for rule in self.admin_only_rules:
              self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
                                self.non_admin_context, rule, self.target)
              policy.authorize(self.admin_context, rule, self.target)
  ----------------------------------------------------------------------------
  https://github.com/openstack/nova/blob/3d6e72689ee18a779d70405d11e09a69183cc853/nova/tests/unit/test_policy.py#L495

  If an admin only rule in source code is changed to 'admin_or_owner' rule by mistake,
  the assertRaises statement raises a PolicyNotAuthorized exception
  because it is not that the context is non admin user but the owner is defferent.
  So the target should be set to same project of non admin context.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1611628/+subscriptions

References

[Bug 1611628] [NEW] test_admin_only_rules doesn't check an 'admin_or_owner' case correctly
From: Takashi NATSUME, 2016-08-10