[S-RBAC] Get availability zone API available for READER role

API call get_availability_zone should be available in new policies for
all users with READER role as this is kind of the same what was in the
old policies (ANY).

Closes-bug: #2016266

Change-Id: I8a99bc52bd815fb3395e902fc8f85cf5f187e288
(cherry picked from commit 6b5acb5)

Author: slawqo

neutron/conf/policies/availability_zone.py

@@ -22,7 +22,11 @@
 rules = [
     policy.DocumentedRuleDefault(
         name='get_availability_zone',
-        check_str=base.ADMIN,
+        # NOTE: it can't be ADMIN_OR_PROJECT_READER constant from the base
+        # module because that is using "project_id" in the check string and the
+        # availability_zone resource don't belongs to any project thus such
+        # check string would fail enforcement.
+        check_str='role:reader',
         description='List availability zones',
         operations=[
             {

neutron/tests/unit/conf/policies/test_availability_zone.py

@@ -70,12 +70,6 @@ def setUp(self):
         super(ProjectMemberTests, self).setUp()
         self.context = self.project_member_ctx
 
-    def test_get_availability_zone(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, "get_availability_zone", self.target)
-
 
 class ProjectReaderTests(ProjectMemberTests):