Add rule for list_groups_for_user in policy.json

Providing an initial policy rule for the list_groups_for_user operation in the sample policy.json file for the ease of configuration. Fixes bug #1167836 Change-Id: Id253729098a95d3b129babde1b3706f409a095dd
openstack · Apr 23, 2013 · 50073c5 · 50073c5
1 parent cbac771
commit 50073c5
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/etc/policy.json b/etc/policy.json
@@ -38,6 +38,7 @@
 
     "identity:get_group": [["rule:admin_required"]],
     "identity:list_groups": [["rule:admin_required"]],
+    "identity:list_groups_for_user": [["rule:admin_or_owner"]],
     "identity:create_group": [["rule:admin_required"]],
     "identity:update_group": [["rule:admin_required"]],
     "identity:delete_group": [["rule:admin_required"]],

diff --git a/tests/test_v3_identity.py b/tests/test_v3_identity.py
@@ -349,6 +349,43 @@ def test_add_user_to_group(self):
         self.put('/groups/%(group_id)s/users/%(user_id)s' % {
             'group_id': self.group_id, 'user_id': self.user['id']})
 
+    def test_list_groups_for_user(self):
+        """GET /users/{user_id}/groups"""
+
+        self.user1 = self.new_user_ref(
+            domain_id=self.domain['id'])
+        self.user1['password'] = uuid.uuid4().hex
+        self.identity_api.create_user(self.user1['id'], self.user1)
+        self.user2 = self.new_user_ref(
+            domain_id=self.domain['id'])
+        self.user2['password'] = uuid.uuid4().hex
+        self.identity_api.create_user(self.user1['id'], self.user2)
+        self.put('/groups/%(group_id)s/users/%(user_id)s' % {
+            'group_id': self.group_id, 'user_id': self.user1['id']})
+
+        #Scenarios below are written to test the default policy configuration
+
+        #One should be allowed to list one's own groups
+        auth = self.build_authentication_request(
+            user_id=self.user1['id'],
+            password=self.user1['password'])
+        r = self.get('/users/%(user_id)s/groups' % {
+            'user_id': self.user1['id']}, auth=auth)
+        self.assertValidGroupListResponse(r, ref=self.group)
+
+        #Administrator is allowed to list others' groups
+        r = self.get('/users/%(user_id)s/groups' % {
+            'user_id': self.user1['id']})
+        self.assertValidGroupListResponse(r, ref=self.group)
+
+        #Ordinary users should not be allowed to list other's groups
+        auth = self.build_authentication_request(
+            user_id=self.user2['id'],
+            password=self.user2['password'])
+        r = self.get('/users/%(user_id)s/groups' % {
+            'user_id': self.user1['id']}, auth=auth,
+            expected_status=exception.ForbiddenAction.code)
+
     def test_check_user_in_group(self):
         """HEAD /groups/{group_id}/users/{user_id}"""
         self.put('/groups/%(group_id)s/users/%(user_id)s' % {