stackhpc
diff --git a/‎glance/policies/base.py‎
Lines changed: 3 additions & 10 deletions b/‎glance/policies/base.py‎
Lines changed: 3 additions & 10 deletions
diff --git a/‎glance/policies/discovery.py‎
Lines changed: 1 addition & 1 deletion b/‎glance/policies/discovery.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎glance/policies/image.py‎
Lines changed: 23 additions & 27 deletions b/‎glance/policies/image.py‎
Lines changed: 23 additions & 27 deletions
@@ -54,16 +54,9 @@
 #
 # These check strings do not support tenancy with the `admin` role. This means
 # anyone with the `admin` role on any project can execute a policy, which is
-# typical in OpenStack services. Eventually, these check strings will be
-# superseded by check strings that implement scope checking and system-scope
-# for applicable APIs (e.g., making an image public). But, we have a lot of
-# cleanup to do in different parts of glance to sweep all the authorization
-# code into a single layer before we can safely consume system-scope and
-# implement scope checking. This refactoring also needs significant API testing
-# to ensure we don't leave doors open to unintended users, or expose
-# authoritative regressions. In the mean time, we can use the following check
-# strings to offer formal support for project membership and a read-only
-# variant consistent with other OpenStack services.
+# typical in OpenStack services. But following check strings offer formal
+# support for project membership and a read-only variant consistent with
+# other OpenStack services.
 ADMIN_OR_PROJECT_MEMBER = f'role:admin or ({PROJECT_MEMBER})'
 ADMIN_OR_PROJECT_READER = f'role:admin or ({PROJECT_READER})'
 ADMIN_OR_PROJECT_READER_GET_IMAGE = (
 
@@ -19,7 +19,7 @@
     policy.DocumentedRuleDefault(
         name="stores_info_detail",
         check_str='role:admin',
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Expose store specific information',
         operations=[
             {'path': '/v2/info/stores/detail',
 
@@ -24,7 +24,7 @@
     policy.DocumentedRuleDefault(
         name="add_image",
         check_str=base.ADMIN_OR_PROJECT_MEMBER_CREATE_IMAGE,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Create new image',
         operations=[
             {'path': '/v2/images',
@@ -38,7 +38,7 @@
     policy.DocumentedRuleDefault(
         name="delete_image",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Deletes the image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -52,7 +52,7 @@
     policy.DocumentedRuleDefault(
         name="get_image",
         check_str=base.ADMIN_OR_PROJECT_READER_GET_IMAGE,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Get specified image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -66,7 +66,7 @@
     policy.DocumentedRuleDefault(
         name="get_images",
         check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Get all available images',
         operations=[
             {'path': '/v2/images',
@@ -80,7 +80,7 @@
     policy.DocumentedRuleDefault(
         name="modify_image",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Updates given image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -94,7 +94,7 @@
     policy.DocumentedRuleDefault(
         name="publicize_image",
         check_str='role:admin',
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Publicize given image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -104,7 +104,7 @@
     policy.DocumentedRuleDefault(
         name="communitize_image",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Communitize given image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -119,7 +119,7 @@
     policy.DocumentedRuleDefault(
         name="download_image",
         check_str=base.ADMIN_OR_PROJECT_MEMBER_DOWNLOAD_IMAGE,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Downloads given image',
         operations=[
             {'path': '/v2/images/{image_id}/file',
@@ -133,7 +133,7 @@
     policy.DocumentedRuleDefault(
         name="upload_image",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Uploads data to specified image',
         operations=[
             {'path': '/v2/images/{image_id}/file',
@@ -148,7 +148,7 @@
     policy.DocumentedRuleDefault(
         name="delete_image_location",
         check_str="role:admin",
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Deletes the location of given image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -162,7 +162,7 @@
     policy.DocumentedRuleDefault(
         name="get_image_location",
         check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Reads the location of the image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -176,7 +176,7 @@
     policy.DocumentedRuleDefault(
         name="set_image_location",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Sets location URI to given image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -191,7 +191,7 @@
     policy.DocumentedRuleDefault(
         name="add_member",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Create image member',
         operations=[
             {'path': '/v2/images/{image_id}/members',
@@ -205,7 +205,7 @@
     policy.DocumentedRuleDefault(
         name="delete_member",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Delete image member',
         operations=[
             {'path': '/v2/images/{image_id}/members/{member_id}',
@@ -219,7 +219,7 @@
     policy.DocumentedRuleDefault(
         name="get_member",
         check_str=base.ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Show image member details',
         operations=[
             {'path': '/v2/images/{image_id}/members/{member_id}',
@@ -233,7 +233,7 @@
     policy.DocumentedRuleDefault(
         name="get_members",
         check_str=base.ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='List image members',
         operations=[
             {'path': '/v2/images/{image_id}/members',
@@ -247,7 +247,7 @@
     policy.DocumentedRuleDefault(
         name="modify_member",
         check_str=base.ADMIN_OR_SHARED_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Update image member',
         operations=[
             {'path': '/v2/images/{image_id}/members/{member_id}',
@@ -262,17 +262,14 @@
     policy.RuleDefault(
         name="manage_image_cache",
         check_str='role:admin',
-        # NOTE(lbragstad): Remove 'project' from the list below when glance
-        # fully supports system-scope and this policy is updated to reflect
-        # that in the check string.
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Manage image cache'
     ),
 
     policy.DocumentedRuleDefault(
         name="deactivate",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Deactivate image',
         operations=[
             {'path': '/v2/images/{image_id}/actions/deactivate',
@@ -286,7 +283,7 @@
     policy.DocumentedRuleDefault(
         name="reactivate",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Reactivate image',
         operations=[
             {'path': '/v2/images/{image_id}/actions/reactivate',
@@ -301,11 +298,10 @@
     policy.DocumentedRuleDefault(
         name="copy_image",
         check_str='role:admin',
-        # Eventually, we need to make sure we update the check string here to
-        # be scope-aware, but for now this is restricted to system-admins and
-        # project-admins. That might change in the future if we decide to push
+        # For now this is restricted to project-admins.
+        # That might change in the future if we decide to push
         # this functionality down to project-members.
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Copy existing image to other stores',
         operations=[
             {'path': '/v2/images/{image_id}/import',