Add new default roles in volumes policies

gmaanos · gmaanos · commit b39712f03ed7 · 2020-07-28T15:12:02.000Z
This adds new defaults roles in volumes API policies.
These policies are made granular and default to
PROJECT_READER_OR_SYSTEM_READER and PROJECT_MEMBER_OR_SYSTEM_ADMIN.

Partial implement blueprint policy-defaults-refresh-deprecated-apis

Change-Id: I37fa825b0e915e83da7023564a29811dcdfa058d
diff --git a/nova/api/openstack/compute/volumes.py b/nova/api/openstack/compute/volumes.py
@@ -104,7 +104,7 @@ def __init__(self):
     def show(self, req, id):
         """Return data about the given volume."""
         context = req.environ['nova.context']
-        context.can(vol_policies.BASE_POLICY_NAME)
+        context.can(vol_policies.POLICY_NAME % 'show')
 
         try:
             vol = self.volume_api.get(context, id)
@@ -119,7 +119,7 @@ def show(self, req, id):
     def delete(self, req, id):
         """Delete a volume."""
         context = req.environ['nova.context']
-        context.can(vol_policies.BASE_POLICY_NAME)
+        context.can(vol_policies.POLICY_NAME % 'delete')
 
         try:
             self.volume_api.delete(context, id)
@@ -133,19 +133,22 @@ def delete(self, req, id):
     @wsgi.expected_errors(())
     def index(self, req):
         """Returns a summary list of volumes."""
+        context = req.environ['nova.context']
+        context.can(vol_policies.POLICY_NAME % 'list')
         return self._items(req, entity_maker=_translate_volume_summary_view)
 
     @wsgi.Controller.api_version("2.1", MAX_PROXY_API_SUPPORT_VERSION)
     @validation.query_schema(volumes_schema.detail_query)
     @wsgi.expected_errors(())
     def detail(self, req):
         """Returns a detailed list of volumes."""
+        context = req.environ['nova.context']
+        context.can(vol_policies.POLICY_NAME % 'detail')
         return self._items(req, entity_maker=_translate_volume_detail_view)
 
     def _items(self, req, entity_maker):
         """Returns a list of volumes, transformed through entity_maker."""
         context = req.environ['nova.context']
-        context.can(vol_policies.BASE_POLICY_NAME)
 
         volumes = self.volume_api.get_all(context)
         limited_list = common.limited(volumes, req)
@@ -158,7 +161,7 @@ def _items(self, req, entity_maker):
     def create(self, req, body):
         """Creates a new volume."""
         context = req.environ['nova.context']
-        context.can(vol_policies.BASE_POLICY_NAME)
+        context.can(vol_policies.POLICY_NAME % 'create')
 
         vol = body['volume']
 
@@ -573,7 +576,7 @@ def __init__(self):
     def show(self, req, id):
         """Return data about the given snapshot."""
         context = req.environ['nova.context']
-        context.can(vol_policies.BASE_POLICY_NAME)
+        context.can(vol_policies.POLICY_NAME % 'snapshots:show')
 
         try:
             vol = self.volume_api.get_snapshot(context, id)
@@ -588,7 +591,7 @@ def show(self, req, id):
     def delete(self, req, id):
         """Delete a snapshot."""
         context = req.environ['nova.context']
-        context.can(vol_policies.BASE_POLICY_NAME)
+        context.can(vol_policies.POLICY_NAME % 'snapshots:delete')
 
         try:
             self.volume_api.delete_snapshot(context, id)
@@ -600,19 +603,22 @@ def delete(self, req, id):
     @wsgi.expected_errors(())
     def index(self, req):
         """Returns a summary list of snapshots."""
+        context = req.environ['nova.context']
+        context.can(vol_policies.POLICY_NAME % 'snapshots:list')
         return self._items(req, entity_maker=_translate_snapshot_summary_view)
 
     @wsgi.Controller.api_version("2.1", MAX_PROXY_API_SUPPORT_VERSION)
     @validation.query_schema(volumes_schema.detail_query)
     @wsgi.expected_errors(())
     def detail(self, req):
         """Returns a detailed list of snapshots."""
+        context = req.environ['nova.context']
+        context.can(vol_policies.POLICY_NAME % 'snapshots:detail')
         return self._items(req, entity_maker=_translate_snapshot_detail_view)
 
     def _items(self, req, entity_maker):
         """Returns a list of snapshots, transformed through entity_maker."""
         context = req.environ['nova.context']
-        context.can(vol_policies.BASE_POLICY_NAME)
 
         snapshots = self.volume_api.get_all_snapshots(context)
         limited_list = common.limited(snapshots, req)
@@ -625,7 +631,7 @@ def _items(self, req, entity_maker):
     def create(self, req, body):
         """Creates a new snapshot."""
         context = req.environ['nova.context']
-        context.can(vol_policies.BASE_POLICY_NAME)
+        context.can(vol_policies.POLICY_NAME % 'snapshots:create')
 
         snapshot = body['snapshot']
         volume_id = snapshot['volume_id']
diff --git a/nova/policies/volumes.py b/nova/policies/volumes.py
@@ -19,61 +19,181 @@
 
 
 BASE_POLICY_NAME = 'os_compute_api:os-volumes'
+POLICY_NAME = 'os_compute_api:os-volumes:%s'
+
+DEPRECATED_POLICY = policy.DeprecatedRule(
+    BASE_POLICY_NAME,
+    base.RULE_ADMIN_OR_OWNER,
+)
+
+DEPRECATED_REASON = """
+Nova API policies are introducing new default roles with scope_type
+capabilities. Old policies are deprecated and silently going to be ignored
+in nova 23.0.0 release.
+"""
 
 
 volumes_policies = [
     policy.DocumentedRuleDefault(
-        name=BASE_POLICY_NAME,
-        check_str=base.RULE_ADMIN_OR_OWNER,
-        description="""Manage volumes for use with the Compute API.
-
-Lists, shows details, creates, and deletes volumes and
-snapshots. These APIs are proxy calls to the Volume service.
-These are all deprecated.
-""",
+        name=POLICY_NAME % 'list',
+        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        description="""List volumes.
+
+This API is a proxy call to the Volume service. It is deprecated.""",
        operations=[
            {
                'method': 'GET',
                'path': '/os-volumes'
            },
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+        name=POLICY_NAME % 'create',
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        description="""Create volume.
+
+This API is a proxy call to the Volume service. It is deprecated.""",
+       operations=[
            {
                'method': 'POST',
                'path': '/os-volumes'
            },
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+        name=POLICY_NAME % 'detail',
+        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        description="""List volumes detail.
+
+This API is a proxy call to the Volume service. It is deprecated.""",
+       operations=[
            {
                'method': 'GET',
                'path': '/os-volumes/detail'
            },
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+        name=POLICY_NAME % 'show',
+        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        description="""Show volume.
+
+This API is a proxy call to the Volume service. It is deprecated.""",
+       operations=[
            {
                'method': 'GET',
                'path': '/os-volumes/{volume_id}'
            },
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+        name=POLICY_NAME % 'delete',
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        description="""Delete volume.
+
+This API is a proxy call to the Volume service. It is deprecated.""",
+       operations=[
            {
                'method': 'DELETE',
                'path': '/os-volumes/{volume_id}'
            },
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+        name=POLICY_NAME % 'snapshots:list',
+        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        description="""List snapshots.
+
+This API is a proxy call to the Volume service. It is deprecated.""",
+       operations=[
            {
                'method': 'GET',
                'path': '/os-snapshots'
            },
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+        name=POLICY_NAME % 'snapshots:create',
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        description="""Create snapshots.
+
+This API is a proxy call to the Volume service. It is deprecated.""",
+       operations=[
            {
                'method': 'POST',
                'path': '/os-snapshots'
            },
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+            name=POLICY_NAME % 'snapshots:detail',
+        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        description="""List snapshots details.
+
+This API is a proxy call to the Volume service. It is deprecated.""",
+       operations=[
            {
                'method': 'GET',
                'path': '/os-snapshots/detail'
            },
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+        name=POLICY_NAME % 'snapshots:show',
+        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        description="""Show snapshot.
+
+This API is a proxy call to the Volume service. It is deprecated.""",
+       operations=[
            {
                'method': 'GET',
                'path': '/os-snapshots/{snapshot_id}'
            },
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+        name=POLICY_NAME % 'snapshots:delete',
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        description="""Delete snapshot.
+
+This API is a proxy call to the Volume service. It is deprecated.""",
+       operations=[
            {
                'method': 'DELETE',
                'path': '/os-snapshots/{snapshot_id}'
            }
       ],
-      scope_types=['system', 'project']),
+      scope_types=['system', 'project'],
+      deprecated_rule=DEPRECATED_POLICY,
+      deprecated_reason=DEPRECATED_REASON,
+      deprecated_since='22.0.0'),
 ]
 
 
diff --git a/nova/tests/unit/fake_policy.py b/nova/tests/unit/fake_policy.py
@@ -160,7 +160,16 @@
     "os_compute_api:os-shelve:unshelve": "",
     "os_compute_api:os-suspend-server:suspend": "",
     "os_compute_api:os-suspend-server:resume": "",
-    "os_compute_api:os-volumes": "",
+    "os_compute_api:os-volumes:list": "",
+    "os_compute_api:os-volumes:detail": "",
+    "os_compute_api:os-volumes:create": "",
+    "os_compute_api:os-volumes:show": "",
+    "os_compute_api:os-volumes:delete": "",
+    "os_compute_api:os-volumes:snapshots:create": "",
+    "os_compute_api:os-volumes:snapshots:show": "",
+    "os_compute_api:os-volumes:snapshots:delete": "",
+    "os_compute_api:os-volumes:snapshots:list": "",
+    "os_compute_api:os-volumes:snapshots:detail": "",
     "os_compute_api:os-volumes-attachments:index": "",
     "os_compute_api:os-volumes-attachments:show": "",
     "os_compute_api:os-volumes-attachments:create": "",
diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py
@@ -445,7 +445,10 @@ def setUp(self):
 "os_compute_api:os-server-groups:delete",
 "os_compute_api:os-shelve:shelve",
 "os_compute_api:os-shelve:unshelve",
-"os_compute_api:os-volumes",
+"os_compute_api:os-volumes:create",
+"os_compute_api:os-volumes:delete",
+"os_compute_api:os-volumes:snapshots:create",
+"os_compute_api:os-volumes:snapshots:delete",
 "os_compute_api:os-volumes-attachments:create",
 "os_compute_api:os-volumes-attachments:delete",
 "os_compute_api:os-volumes-attachments:update",
@@ -489,6 +492,12 @@ def setUp(self):
 "os_compute_api:os-server-password:show",
 "os_compute_api:os-server-tags:index",
 "os_compute_api:os-server-tags:show",
+"os_compute_api:os-volumes:list",
+"os_compute_api:os-volumes:detail",
+"os_compute_api:os-volumes:show",
+"os_compute_api:os-volumes:snapshots:show",
+"os_compute_api:os-volumes:snapshots:list",
+"os_compute_api:os-volumes:snapshots:detail",
 )
 
         self.allow_nobody_rules = (
