Fix cluster template default policy

vagrant · waipeng · commit 8ca92e6d70bc · 2021-09-20T09:37:14.000+10:00
In Change I643d408cde0d6e30812cf6429fb7118184793400 a bunch of actions
were changed from

 is_admin:True or project_id:%(project_id)s

to

 rule:deny_cluster_user

Which means that those actions are not verifying that the project ID of
a token matches the project ID of the resource. This only seems to work
for resources that a user can otherwise see.

As public cluster templates can be seen by a user, a user is hence able
to delete a CT.

Fix it so that CT can only be modifiable or deletable by admin or
owner.

Story: 2008824
Task: 42289
Change-Id: I6dec817725338387a614f83e85a5f1f2814b020e
diff --git a/magnum/common/policies/cluster_template.py b/magnum/common/policies/cluster_template.py
@@ -31,7 +31,7 @@
     ),
     policy.DocumentedRuleDefault(
         name=CLUSTER_TEMPLATE % 'delete',
-        check_str=base.RULE_DENY_CLUSTER_USER,
+        check_str=base.RULE_ADMIN_OR_OWNER,
         description='Delete a cluster template.',
         operations=[
             {
@@ -121,7 +121,7 @@
     ),
     policy.DocumentedRuleDefault(
         name=CLUSTER_TEMPLATE % 'update',
-        check_str=base.RULE_DENY_CLUSTER_USER,
+        check_str=base.RULE_ADMIN_OR_OWNER,
         description='Update an existing cluster template.',
         operations=[
             {
