Merge "Convert SYSTEM_ADMIN|READER to Admin and system scope"

Author: Zuul

nova/policies/aggregates.py

@@ -25,7 +25,7 @@
 aggregates_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'set_metadata',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Create or replace metadata for an aggregate",
         operations=[
             {
@@ -36,7 +36,7 @@
         scope_types=['system']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'add_host',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Add a host to an aggregate",
         operations=[
             {
@@ -47,7 +47,7 @@
         scope_types=['system']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'create',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Create an aggregate",
         operations=[
             {
@@ -58,7 +58,7 @@
         scope_types=['system']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'remove_host',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Remove a host from an aggregate",
         operations=[
             {
@@ -69,7 +69,7 @@
         scope_types=['system']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'update',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Update name and/or availability zone for an aggregate",
         operations=[
             {
@@ -80,7 +80,7 @@
         scope_types=['system']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'index',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="List all aggregates",
         operations=[
             {
@@ -91,7 +91,7 @@
         scope_types=['system']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Delete an aggregate",
         operations=[
             {
@@ -102,7 +102,7 @@
         scope_types=['system']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'show',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="Show details for an aggregate",
         operations=[
             {
@@ -113,7 +113,7 @@
         scope_types=['system']),
     policy.DocumentedRuleDefault(
         name=NEW_POLICY_ROOT % 'images',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Request image caching for an aggregate",
         operations=[
             {

nova/policies/availability_zone.py

@@ -36,7 +36,7 @@
         scope_types=['system', 'project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'detail',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="List detailed availability zone information with host "
         "information",
         operations=[

nova/policies/baremetal_nodes.py

@@ -38,7 +38,7 @@
 baremetal_nodes_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'list',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="""List and show details of bare metal nodes.
 
 These APIs are proxy calls to the Ironic service and are deprecated.
@@ -53,7 +53,7 @@
         deprecated_rule=DEPRECATED_BAREMETAL_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="""Show action details for a server.""",
         operations=[
             {

nova/policies/hosts.py

@@ -38,7 +38,7 @@
 hosts_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_NAME % 'list',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="""List physical hosts.
 
 This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -52,7 +52,7 @@
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_NAME % 'show',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="""Show physical host.
 
 This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -66,7 +66,7 @@
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="""Update physical host.
 
 This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -80,7 +80,7 @@
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_NAME % 'reboot',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="""Reboot physical host.
 
 This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -94,7 +94,7 @@
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_NAME % 'shutdown',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="""Shutdown physical host.
 
 This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -108,7 +108,7 @@
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_NAME % 'start',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="""Start physical host.
 
 This API is deprecated in favor of os-hypervisors and os-services.""",

nova/policies/hypervisors.py

@@ -37,7 +37,7 @@
 hypervisors_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'list',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="List all hypervisors.",
         operations=[
             {
@@ -49,7 +49,7 @@
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'list-detail',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="List all hypervisors with details",
         operations=[
             {
@@ -61,7 +61,7 @@
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'statistics',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="Show summary statistics for all hypervisors "
         "over all compute nodes.",
         operations=[
@@ -74,7 +74,7 @@
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="Show details for a hypervisor.",
         operations=[
             {
@@ -86,7 +86,7 @@
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'uptime',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="Show the uptime of a hypervisor.",
         operations=[
             {
@@ -98,7 +98,7 @@
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'search',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="Search hypervisor by hypervisor_hostname pattern.",
         operations=[
             {
@@ -110,7 +110,7 @@
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'servers',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="List all servers on hypervisors that can match "
         "the provided hypervisor_hostname pattern.",
         operations=[

nova/policies/quota_class_sets.py

@@ -24,7 +24,7 @@
 quota_class_sets_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'show',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="List quotas for specific quota classs",
         operations=[
             {
@@ -35,7 +35,7 @@
         scope_types=['system']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'update',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description='Update quotas for specific quota class',
         operations=[
             {

nova/policies/services.py

@@ -37,7 +37,7 @@
 services_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'list',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="List all running Compute services in a region.",
         operations=[
             {
@@ -49,7 +49,7 @@
         deprecated_rule=DEPRECATED_SERVICE_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Update a Compute service.",
         operations=[
             {
@@ -62,7 +62,7 @@
         deprecated_rule=DEPRECATED_SERVICE_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Delete a Compute service.",
         operations=[
             {

nova/tests/unit/policies/base.py

@@ -139,6 +139,8 @@ def setUp(self):
             # To simulate the new world, remove deprecations by overriding
             # rules which has the deprecated rules.
             self.rules_without_deprecation.update({
+                "context_is_admin":
+                    "role:admin",
                 "system_admin_or_owner":
                     "rule:system_admin_api or rule:project_member_api",
                 "system_or_project_reader":