From f17ebebcf76bafb8250e84227dd244f520904072 Mon Sep 17 00:00:00 2001
From: David McNally <dave.mcnally@hp.com>
Date: Wed, 24 Oct 2012 16:39:29 +0100
Subject: Ability to specify a host restricted to admin.

Fixes bug 1070880

There is functionality in place, which uses the
format "az:host" on the --availability_zone
parameter to a create request to force scheduling
of an instance onto a specific host. However,
this is limited to users with Admin context.

This fix alters this behaviour to use a specific
policy action allowing fine-grained control over
which users have access to this functionality.

Change-Id: Ibb0e43492dfa2699ab26318736ca55a60b7b4468
---
 nova/tests/compute/test_compute.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'nova/tests')

diff --git a/nova/tests/compute/test_compute.py b/nova/tests/compute/test_compute.py
index 9abca178f..1ba90c4b8 100644
--- a/nova/tests/compute/test_compute.py
+++ b/nova/tests/compute/test_compute.py
@@ -5246,6 +5246,23 @@ class ComputePolicyTestCase(BaseTestCase):
                           self.compute_api.get_instance_faults,
                           self.context, instances)
 
+    def test_force_host_fail(self):
+        rules = {"compute:create": [],
+                 "compute:create:forced_host": [["role:fake"]]}
+        self._set_rules(rules)
+
+        self.assertRaises(exception.PolicyNotAuthorized,
+                          self.compute_api.create, self.context, None, '1',
+                          availability_zone='1:1')
+
+    def test_force_host_pass(self):
+        rules = {"compute:create": [],
+                 "compute:create:forced_host": []}
+        self._set_rules(rules)
+
+        self.compute_api.create(self.context, None, '1',
+                                availability_zone='1:1')
+
 
 class ComputeHostAPITestCase(BaseTestCase):
     def setUp(self):
-- 
cgit