authorBrian Waldon <bcwaldon@gmail.com>2012-01-19 15:30:55 -0800
committerBrian Waldon <bcwaldon@gmail.com>2012-01-24 10:30:32 -0800
commit9cb5f547dc6f3242edf393928dbc14b7cbfbbdd4 (patch)
tree0efb27538dac20c03fd86e479d7fc3ab53ed18fc /nova/tests
parent3ad3292efd7fcba7b58bc9c8b1cb84e8b00a10fa (diff)
Remove admin_only ext attr in favor of authz
Working on blueprint separate-nova-adminapi. This removes the admin_only extension attribute and the allow_admin_api flag. The approach we're going for now is to load all extensions, but to set an admin-only rule in our policy file for those extensions that should be limited to just admin users. Now that all of our admin api code has been moved to extensions, in order to prevent admin api code from being loaded, simply remove it from the extension list. Change-Id: Ic574e06af44922ba764013b769077fc5099fd1a2
Diffstat (limited to 'nova/tests')
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_accounts.py8
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_admin_actions.py6
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_cloudpipe.py1
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_deferred_delete.py3
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_extendedstatus.py1
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_hosts.py3
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_networks.py1
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_server_action_list.py1
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_server_diagnostics.py1
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py1
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_users.py8
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_zones.py1
-rw-r--r--nova/tests/api/openstack/compute/test_extensions.py30
-rw-r--r--nova/tests/api/openstack/compute/test_servers.py67
-rw-r--r--nova/tests/policy.json32
15 files changed, 48 insertions, 116 deletions
diff --git a/nova/tests/api/openstack/compute/contrib/test_accounts.py b/nova/tests/api/openstack/compute/contrib/test_accounts.py
index dbf0e2600..6b820bd57 100644
--- a/nova/tests/api/openstack/compute/contrib/test_accounts.py
+++ b/nova/tests/api/openstack/compute/contrib/test_accounts.py
@@ -29,18 +29,12 @@ def fake_init(self):
self.manager = fakes.FakeAuthManager()
-def fake_admin_check(self, req):
- return True
-
-
class AccountsTest(test.TestCase):
def setUp(self):
super(AccountsTest, self).setUp()
- self.flags(verbose=True, allow_admin_api=True)
+ self.flags(verbose=True)
self.stubs.Set(accounts.Controller, '__init__',
fake_init)
- self.stubs.Set(accounts.Controller, '_check_admin',
- fake_admin_check)
fakes.FakeAuthManager.clear_fakes()
fakes.FakeAuthDatabase.data = {}
fakes.stub_out_networking(self.stubs)
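Review bot: Nothing in AccountsTest now exercises a denied request. With the `_check_admin` stub and the `allow_admin_api` flag removed from setUp, access control rests on the `compute_extension:accounts` policy rule, and nova/tests/policy.json in this commit sets that rule and every other `compute_extension:*` rule to `[]`, which presumably admits any context. The same applies to UsersTest in test_users.py, and test_extensions.py drops `test_admin_extensions_no_admin_api` without a policy-based replacement. I would add at least one negative test that overrides the rule with an admin-only value, for example `[["role:admin"]]`, and asserts that a request with a non-admin context is rejected. setUp continues past the end of this hunk.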
diff --git a/nova/tests/api/openstack/compute/contrib/test_admin_actions.py b/nova/tests/api/openstack/compute/contrib/test_admin_actions.py
index 3878ce676..f572b12d9 100644
--- a/nova/tests/api/openstack/compute/contrib/test_admin_actions.py
+++ b/nova/tests/api/openstack/compute/contrib/test_admin_actions.py
@@ -79,7 +79,6 @@ class AdminActionsTest(test.TestCase):
super(AdminActionsTest, self).setUp()
self.stubs.Set(compute.API, 'get', fake_compute_api_get)
self.UUID = utils.gen_uuid()
- self.flags(allow_admin_api=True)
for _method in self._methods:
self.stubs.Set(compute.API, _method, fake_compute_api)
@@ -122,8 +121,9 @@ class CreateBackupTests(test.TestCase):
self.stubs.Set(compute.API, 'get', fake_compute_api_get)
self.backup_stubs = fakes.stub_out_compute_api_backup(self.stubs)
- self.flags(allow_admin_api=True)
- self.app = compute_api.APIRouter()
+ router = compute_api.APIRouter()
+ ext_middleware = extensions.ExtensionMiddleware(router)
+ self.app = wsgi.LazySerializationMiddleware(ext_middleware)
self.uuid = utils.gen_uuid()
diff --git a/nova/tests/api/openstack/compute/contrib/test_cloudpipe.py b/nova/tests/api/openstack/compute/contrib/test_cloudpipe.py
index 64b206aef..27341f199 100644
--- a/nova/tests/api/openstack/compute/contrib/test_cloudpipe.py
+++ b/nova/tests/api/openstack/compute/contrib/test_cloudpipe.py
@@ -107,7 +107,6 @@ class CloudpipeTest(test.TestCase):
def setUp(self):
super(CloudpipeTest, self).setUp()
- self.flags(allow_admin_api=True)
self.app = fakes.wsgi_app()
inner_app = compute.APIRouter()
self.context = context.RequestContext('fake', 'fake', is_admin=True)
diff --git a/nova/tests/api/openstack/compute/contrib/test_deferred_delete.py b/nova/tests/api/openstack/compute/contrib/test_deferred_delete.py
index a864aa595..d02569e00 100644
--- a/nova/tests/api/openstack/compute/contrib/test_deferred_delete.py
+++ b/nova/tests/api/openstack/compute/contrib/test_deferred_delete.py
@@ -18,6 +18,7 @@
import webob
from nova.api.openstack.compute.contrib import deferred_delete
+import nova.context
from nova import compute
from nova import exception
from nova import test
@@ -34,7 +35,7 @@ class DeferredDeleteExtensionTest(test.TestCase):
self.extension = deferred_delete.DeferredDeleteController()
self.fake_input_dict = {}
self.fake_uuid = 'fake_uuid'
- self.fake_context = 'fake_context'
+ self.fake_context = nova.context.RequestContext('fake', 'fake')
self.fake_req = FakeRequest(self.fake_context)
def test_force_delete(self):
diff --git a/nova/tests/api/openstack/compute/contrib/test_extendedstatus.py b/nova/tests/api/openstack/compute/contrib/test_extendedstatus.py
index dc7f0cefa..738ab8290 100644
--- a/nova/tests/api/openstack/compute/contrib/test_extendedstatus.py
+++ b/nova/tests/api/openstack/compute/contrib/test_extendedstatus.py
@@ -41,7 +41,6 @@ class ExtendedStatusTest(test.TestCase):
self.uuid = '70f6db34-de8d-4fbd-aafb-4065bdfa6114'
self.url = '/v2/fake/servers/%s' % self.uuid
fakes.stub_out_nw_api(self.stubs)
- self.flags(allow_admin_api=True)
self.stubs.Set(compute.api.API, 'routing_get', fake_compute_get)
def _make_request(self):
diff --git a/nova/tests/api/openstack/compute/contrib/test_hosts.py b/nova/tests/api/openstack/compute/contrib/test_hosts.py
index e6a91477e..af4818c90 100644
--- a/nova/tests/api/openstack/compute/contrib/test_hosts.py
+++ b/nova/tests/api/openstack/compute/contrib/test_hosts.py
@@ -94,17 +94,14 @@ class HostTestCase(test.TestCase):
self.assertEqual(result_c2["status"], "disabled")
def test_host_startup(self):
- self.flags(allow_admin_api=True)
result = self.controller.startup(self.req, "host_c1")
self.assertEqual(result["power_action"], "startup")
def test_host_shutdown(self):
- self.flags(allow_admin_api=True)
result = self.controller.shutdown(self.req, "host_c1")
self.assertEqual(result["power_action"], "shutdown")
def test_host_reboot(self):
- self.flags(allow_admin_api=True)
result = self.controller.reboot(self.req, "host_c1")
self.assertEqual(result["power_action"], "reboot")
diff --git a/nova/tests/api/openstack/compute/contrib/test_networks.py b/nova/tests/api/openstack/compute/contrib/test_networks.py
index 0eefca652..ed928348e 100644
--- a/nova/tests/api/openstack/compute/contrib/test_networks.py
+++ b/nova/tests/api/openstack/compute/contrib/test_networks.py
@@ -92,7 +92,6 @@ class NetworksTest(test.TestCase):
def setUp(self):
super(NetworksTest, self).setUp()
- self.flags(allow_admin_api=True)
self.fake_network_api = FakeNetworkAPI()
self.controller = networks.NetworkController(self.fake_network_api)
fakes.stub_out_networking(self.stubs)
diff --git a/nova/tests/api/openstack/compute/contrib/test_server_action_list.py b/nova/tests/api/openstack/compute/contrib/test_server_action_list.py
index ffd4f744d..2a175f1dd 100644
--- a/nova/tests/api/openstack/compute/contrib/test_server_action_list.py
+++ b/nova/tests/api/openstack/compute/contrib/test_server_action_list.py
@@ -47,7 +47,6 @@ class ServerActionsTest(test.TestCase):
def setUp(self):
super(ServerActionsTest, self).setUp()
- self.flags(allow_admin_api=True)
self.flags(verbose=True)
self.stubs.Set(nova.compute.API, 'get_actions', fake_get_actions)
self.stubs.Set(nova.compute.API, 'get', fake_instance_get)
diff --git a/nova/tests/api/openstack/compute/contrib/test_server_diagnostics.py b/nova/tests/api/openstack/compute/contrib/test_server_diagnostics.py
index 688940e3d..b18b5018d 100644
--- a/nova/tests/api/openstack/compute/contrib/test_server_diagnostics.py
+++ b/nova/tests/api/openstack/compute/contrib/test_server_diagnostics.py
@@ -40,7 +40,6 @@ class ServerDiagnosticsTest(test.TestCase):
def setUp(self):
super(ServerDiagnosticsTest, self).setUp()
- self.flags(allow_admin_api=True)
self.flags(verbose=True)
self.stubs.Set(nova.compute.API, 'get_diagnostics',
fake_get_diagnostics)
diff --git a/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py b/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
index b41773824..812aac297 100644
--- a/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
+++ b/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
@@ -88,7 +88,6 @@ class SimpleTenantUsageTest(test.TestCase):
self.alt_user_context = context.RequestContext('fakeadmin_0',
'faketenant_1',
is_admin=False)
- FLAGS.allow_admin_api = True
def test_verify_index(self):
req = webob.Request.blank(
diff --git a/nova/tests/api/openstack/compute/contrib/test_users.py b/nova/tests/api/openstack/compute/contrib/test_users.py
index 5895f4f66..3dd0b3074 100644
--- a/nova/tests/api/openstack/compute/contrib/test_users.py
+++ b/nova/tests/api/openstack/compute/contrib/test_users.py
@@ -26,18 +26,12 @@ def fake_init(self):
self.manager = fakes.FakeAuthManager()
-def fake_admin_check(self, req):
- return True
-
-
class UsersTest(test.TestCase):
def setUp(self):
super(UsersTest, self).setUp()
- self.flags(verbose=True, allow_admin_api=True)
+ self.flags(verbose=True)
self.stubs.Set(users.Controller, '__init__',
fake_init)
- self.stubs.Set(users.Controller, '_check_admin',
- fake_admin_check)
fakes.FakeAuthManager.clear_fakes()
fakes.FakeAuthManager.projects = dict(testacct=Project('testacct',
'testacct',
diff --git a/nova/tests/api/openstack/compute/contrib/test_zones.py b/nova/tests/api/openstack/compute/contrib/test_zones.py
index e23ea85e6..9f887cb0d 100644
--- a/nova/tests/api/openstack/compute/contrib/test_zones.py
+++ b/nova/tests/api/openstack/compute/contrib/test_zones.py
@@ -95,7 +95,6 @@ def zone_select(context, specs):
class ZonesTest(test.TestCase):
def setUp(self):
super(ZonesTest, self).setUp()
- self.flags(verbose=True, allow_admin_api=True)
fakes.stub_out_networking(self.stubs)
fakes.stub_out_rate_limiting(self.stubs)
diff --git a/nova/tests/api/openstack/compute/test_extensions.py b/nova/tests/api/openstack/compute/test_extensions.py
index 796880e1f..54d0e4625 100644
--- a/nova/tests/api/openstack/compute/test_extensions.py
+++ b/nova/tests/api/openstack/compute/test_extensions.py
@@ -150,7 +150,6 @@ class ExtensionControllerTest(ExtensionTestCase):
def setUp(self):
super(ExtensionControllerTest, self).setUp()
- self.flags(allow_admin_api=True)
self.ext_list = [
"Accounts",
"AdminActions",
@@ -355,19 +354,6 @@ class InvalidExtension(object):
alias = "THIRD"
-class AdminExtension(base_extensions.ExtensionDescriptor):
- """Admin-only extension"""
-
- name = "Admin Ext"
- alias = "ADMIN"
- namespace = "http://www.example.com/"
- updated = "2011-01-22T13:25:27-06:00"
- admin_only = True
-
- def __init__(self, *args, **kwargs):
- pass
-
-
class ExtensionManagerTest(ExtensionTestCase):
response_body = "Try to say this Mr. Knox, sir..."
@@ -388,22 +374,6 @@ class ExtensionManagerTest(ExtensionTestCase):
self.assertTrue('FOXNSOX' in ext_mgr.extensions)
self.assertTrue('THIRD' not in ext_mgr.extensions)
- def test_admin_extensions(self):
- self.flags(allow_admin_api=True)
- app = compute.APIRouter()
- ext_mgr = compute_extensions.ExtensionManager()
- ext_mgr.register(AdminExtension())
- self.assertTrue('FOXNSOX' in ext_mgr.extensions)
- self.assertTrue('ADMIN' in ext_mgr.extensions)
-
- def test_admin_extensions_no_admin_api(self):
- self.flags(allow_admin_api=False)
- app = compute.APIRouter()
- ext_mgr = compute_extensions.ExtensionManager()
- ext_mgr.register(AdminExtension())
- self.assertTrue('FOXNSOX' in ext_mgr.extensions)
- self.assertTrue('ADMIN' not in ext_mgr.extensions)
-
class ActionExtensionTest(ExtensionTestCase):
diff --git a/nova/tests/api/openstack/compute/test_servers.py b/nova/tests/api/openstack/compute/test_servers.py
index f545aeaec..c6c7fcc43 100644
--- a/nova/tests/api/openstack/compute/test_servers.py
+++ b/nova/tests/api/openstack/compute/test_servers.py
@@ -861,7 +861,6 @@ class ServersControllerTest(test.TestCase):
return [fakes.stub_instance(100, uuid=server_uuid)]
self.stubs.Set(nova.compute.API, 'get_all', fake_get_all)
- self.flags(allow_admin_api=False)
req = fakes.HTTPRequest.blank('/v2/fake/servers?image=12345')
servers = self.controller.index(req)['servers']
@@ -878,7 +877,6 @@ class ServersControllerTest(test.TestCase):
self.stubs.Set(nova.db, 'instance_get_all_by_filters',
fake_get_all)
- self.flags(allow_admin_api=True)
req = fakes.HTTPRequest.blank('/v2/fake/servers?tenant_id=fake',
use_admin_context=True)
@@ -897,7 +895,6 @@ class ServersControllerTest(test.TestCase):
return [fakes.stub_instance(100, uuid=server_uuid)]
self.stubs.Set(nova.compute.API, 'get_all', fake_get_all)
- self.flags(allow_admin_api=False)
req = fakes.HTTPRequest.blank('/v2/fake/servers?flavor=12345')
servers = self.controller.index(req)['servers']
@@ -915,7 +912,6 @@ class ServersControllerTest(test.TestCase):
return [fakes.stub_instance(100, uuid=server_uuid)]
self.stubs.Set(nova.compute.API, 'get_all', fake_get_all)
- self.flags(allow_admin_api=False)
req = fakes.HTTPRequest.blank('/v2/fake/servers?status=active')
servers = self.controller.index(req)['servers']
@@ -925,8 +921,8 @@ class ServersControllerTest(test.TestCase):
def test_get_servers_invalid_status(self):
"""Test getting servers by invalid status"""
- self.flags(allow_admin_api=False)
- req = fakes.HTTPRequest.blank('/v2/fake/servers?status=unknown')
+ req = fakes.HTTPRequest.blank('/v2/fake/servers?status=unknown',
+ use_admin_context=False)
self.assertRaises(webob.exc.HTTPBadRequest, self.controller.index, req)
def test_get_servers_allows_name(self):
@@ -939,7 +935,6 @@ class ServersControllerTest(test.TestCase):
return [fakes.stub_instance(100, uuid=server_uuid)]
self.stubs.Set(nova.compute.API, 'get_all', fake_get_all)
- self.flags(allow_admin_api=False)
req = fakes.HTTPRequest.blank('/v2/fake/servers?name=whee.*')
servers = self.controller.index(req)['servers']
@@ -972,47 +967,11 @@ class ServersControllerTest(test.TestCase):
req = fakes.HTTPRequest.blank('/v2/fake/servers?%s' % params)
self.assertRaises(webob.exc.HTTPBadRequest, self.controller.index, req)
- def test_get_servers_unknown_or_admin_options1(self):
- """Test getting servers by admin-only or unknown options.
- This tests when admin_api is off. Make sure the admin and
- unknown options are stripped before they get to
- compute_api.get_all()
+ def test_get_servers_admin_filters_as_user(self):
+ """Test getting servers by admin-only or unknown options when
+ context is not admin. Make sure the admin and unknown options
+ are stripped before they get to compute_api.get_all()
"""
-
- self.flags(allow_admin_api=False)
-
- server_uuid = str(utils.gen_uuid())
-
- def fake_get_all(compute_self, context, search_opts=None):
- self.assertNotEqual(search_opts, None)
- # Allowed by user
- self.assertTrue('name' in search_opts)
- self.assertTrue('status' in search_opts)
- # Allowed only by admins with admin API on
- self.assertFalse('ip' in search_opts)
- self.assertFalse('unknown_option' in search_opts)
- return [fakes.stub_instance(100, uuid=server_uuid)]
-
- self.stubs.Set(nova.compute.API, 'get_all', fake_get_all)
-
- query_str = "name=foo&ip=10.*&status=active&unknown_option=meow"
- req = fakes.HTTPRequest.blank('/v2/fake/servers?%s' % query_str,
- use_admin_context=True)
- res = self.controller.index(req)
-
- servers = res['servers']
- self.assertEqual(len(servers), 1)
- self.assertEqual(servers[0]['id'], server_uuid)
-
- def test_get_servers_unknown_or_admin_options2(self):
- """Test getting servers by admin-only or unknown options.
- This tests when admin_api is on, but context is a user.
- Make sure the admin and unknown options are stripped before
- they get to compute_api.get_all()
- """
-
- self.flags(allow_admin_api=True)
-
server_uuid = str(utils.gen_uuid())
def fake_get_all(compute_self, context, search_opts=None):
@@ -1035,14 +994,10 @@ class ServersControllerTest(test.TestCase):
self.assertEqual(len(servers), 1)
self.assertEqual(servers[0]['id'], server_uuid)
- def test_get_servers_unknown_or_admin_options3(self):
- """Test getting servers by admin-only or unknown options.
- This tests when admin_api is on and context is admin.
- All options should be passed through to compute_api.get_all()
+ def test_get_servers_admin_options_as_admin(self):
+ """Test getting servers by admin-only or unknown options when
+ context is admin. All options should be passed
"""
-
- self.flags(allow_admin_api=True)
-
server_uuid = str(utils.gen_uuid())
def fake_get_all(compute_self, context, search_opts=None):
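Review bot: The new docstring for `test_get_servers_admin_options_as_admin` stops mid-sentence at "All options should be passed". The text it replaces said where they go, and that destination is what the test asserts. I would restore the tail so the last sentence reads `All options should be passed through to compute_api.get_all()`. The body of the test continues outside the hunk.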
@@ -1069,8 +1024,6 @@ class ServersControllerTest(test.TestCase):
"""Test getting servers by ip with admin_api enabled and
admin context
"""
- self.flags(allow_admin_api=True)
-
server_uuid = str(utils.gen_uuid())
def fake_get_all(compute_self, context, search_opts=None):
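Review bot: The docstring kept at the top of this hunk still says "with admin_api enabled and admin context", but the `self.flags(allow_admin_api=True)` line under it is removed and the commit message says the flag itself is gone. The ip6 test in the next hunk carries the same stale wording. I would shorten both to name only what still decides the outcome, e.g. `"""Test getting servers by ip with an admin context"""` and the ip6 equivalent. The method signature and the rest of the body are outside the hunk.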
@@ -1092,8 +1045,6 @@ class ServersControllerTest(test.TestCase):
"""Test getting servers by ip6 with admin_api enabled and
admin context
"""
- self.flags(allow_admin_api=True)
-
server_uuid = str(utils.gen_uuid())
def fake_get_all(compute_self, context, search_opts=None):
diff --git a/nova/tests/policy.json b/nova/tests/policy.json
index 807de6921..ff30cd43d 100644
--- a/nova/tests/policy.json
+++ b/nova/tests/policy.json
@@ -69,6 +69,38 @@
"compute:restore": [],
+ "compute_extension:accounts": [],
+ "compute_extension:admin_actions": [],
+ "compute_extension:cloudpipe": [],
+ "compute_extension:console_output": [],
+ "compute_extension:consoles": [],
+ "compute_extension:createserverext": [],
+ "compute_extension:deferred_delete": [],
+ "compute_extension:disk_config": [],
+ "compute_extension:extended_status": [],
+ "compute_extension:flavorextraspecs": [],
+ "compute_extension:floating_ip_dns": [],
+ "compute_extension:floating_ip_pools": [],
+ "compute_extension:floating_ips": [],
+ "compute_extension:hosts": [],
+ "compute_extension:keypairs": [],
+ "compute_extension:multinic": [],
+ "compute_extension:networks": [],
+ "compute_extension:quotas": [],
+ "compute_extension:rescue": [],
+ "compute_extension:security_groups": [],
+ "compute_extension:server_action_list": [],
+ "compute_extension:server_diagnostics": [],
+ "compute_extension:simple_tenant_usage": [],
+ "compute_extension:users": [],
+ "compute_extension:virtual_interfaces": [],
+ "compute_extension:virtual_storage_arrays": [],
+ "compute_extension:volumes": [],
+ "compute_extension:volumetypes": [],
+ "compute_extension:zones": [],
+
+
+
"volume:create": [],
"volume:get": [],
"volume:get_all": [],