Merge "Introduce scope_types in baremetal node"

Author: Zuul

nova/policies/baremetal_nodes.py

@@ -23,13 +23,13 @@
 
 baremetal_nodes_policies = [
     policy.DocumentedRuleDefault(
-        BASE_POLICY_NAME,
-        base.RULE_ADMIN_API,
-        """List and show details of bare metal nodes.
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API,
+        description="""List and show details of bare metal nodes.
 
 These APIs are proxy calls to the Ironic service and are deprecated.
 """,
-        [
+        operations=[
             {
                 'method': 'GET',
                 'path': '/os-baremetal-nodes'
@@ -38,7 +38,8 @@
                 'method': 'GET',
                 'path': '/os-baremetal-nodes/{node_id}'
             }
-        ]),
+        ],
+        scope_types=['system']),
 ]
 
 

nova/tests/unit/policies/test_baremetal_nodes.py

@@ -88,3 +88,17 @@ class BaremetalNodesScopeTypePolicyTest(BaremetalNodesPolicyTest):
     def setUp(self):
         super(BaremetalNodesScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system admin is able to get baremetal nodes.
+        self.admin_authorized_contexts = [
+            self.system_admin_context]
+        # Check that non-system or non-admin is not able to get
+        # baremetal nodes.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.system_foo_context,
+            self.project_admin_context, self.project_member_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context,
+            self.other_project_reader_context
+        ]