stackhpc
diff --git a/‎nova/api/openstack/compute/shelve.py‎
Lines changed: 4 additions & 2 deletions b/‎nova/api/openstack/compute/shelve.py‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎nova/policies/admin_actions.py‎
Lines changed: 4 additions & 4 deletions b/‎nova/policies/admin_actions.py‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎nova/policies/admin_password.py‎
Lines changed: 2 additions & 2 deletions b/‎nova/policies/admin_password.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎nova/policies/evacuate.py‎
Lines changed: 2 additions & 2 deletions b/‎nova/policies/evacuate.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎nova/policies/lock_server.py‎
Lines changed: 6 additions & 6 deletions b/‎nova/policies/lock_server.py‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎nova/policies/multinic.py‎
Lines changed: 4 additions & 4 deletions b/‎nova/policies/multinic.py‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎nova/policies/pause_server.py‎
Lines changed: 4 additions & 4 deletions b/‎nova/policies/pause_server.py‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎nova/policies/remote_consoles.py‎
Lines changed: 2 additions & 2 deletions b/‎nova/policies/remote_consoles.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎nova/policies/rescue.py‎
Lines changed: 4 additions & 4 deletions b/‎nova/policies/rescue.py‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎nova/policies/shelve.py‎
Lines changed: 6 additions & 6 deletions b/‎nova/policies/shelve.py‎
Lines changed: 6 additions & 6 deletions
@@ -64,9 +64,11 @@ def _shelve(self, req, id, body):
     def _shelve_offload(self, req, id, body):
         """Force removal of a shelved instance from the compute node."""
         context = req.environ["nova.context"]
-        context.can(shelve_policies.POLICY_ROOT % 'shelve_offload')
-
         instance = common.get_instance(self.compute_api, context, id)
+        context.can(shelve_policies.POLICY_ROOT % 'shelve_offload',
+                    target={'user_id': instance.user_id,
+                            'project_id': instance.project_id})
+
         try:
             self.compute_api.shelve_offload(context, instance)
         except exception.InstanceIsLocked as e:
 
@@ -24,26 +24,26 @@
 admin_actions_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'reset_state',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="Reset the state of a given server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (os-resetState)'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'inject_network_info',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="Inject network information into the server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (injectNetworkInfo)'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
 ]
 
 
 
@@ -24,15 +24,15 @@
 admin_password_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Change the administrative password for a server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (changePassword)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project'])
+        scope_types=['project'])
 ]
 
 
 
@@ -24,15 +24,15 @@
 evacuate_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="Evacuate a server from a failed host to a new host",
         operations=[
             {
                 'path': '/servers/{server_id}/action (evacuate)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
 ]
 
 
 
@@ -24,31 +24,31 @@
 lock_server_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'lock',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Lock a server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (lock)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project']
+        scope_types=['project']
     ),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'unlock',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Unlock a server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (unlock)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project']
+        scope_types=['project']
     ),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'unlock:unlock_override',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="""Unlock a server, regardless who locked the server.
 
 This check is performed only after the check
@@ -59,7 +59,7 @@
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project']
+        scope_types=['project']
     ),
 ]
 
 
@@ -38,7 +38,7 @@
 multinic_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'add',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="""Add a fixed IP address to a server.
 
 This API is proxy calls to the Network service. This is
@@ -49,11 +49,11 @@
                 'path': '/servers/{server_id}/action (addFixedIp)'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'remove',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="""Remove a fixed IP address from a server.
 
 This API is proxy calls to the Network service. This is
@@ -64,7 +64,7 @@
                 'path': '/servers/{server_id}/action (removeFixedIp)'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY),
 ]
 
 
@@ -24,27 +24,27 @@
 pause_server_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'pause',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Pause a server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (pause)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project']
+        scope_types=['project']
     ),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'unpause',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Unpause a paused server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (unpause)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project']
+        scope_types=['project']
     ),
 ]
 
 
@@ -24,7 +24,7 @@
 remote_consoles_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="""Generate a URL to access remove server console.
 
 This policy is for ``POST /remote-consoles`` API and below Server actions APIs
@@ -56,7 +56,7 @@
                 'path': '/servers/{server_id}/remote-consoles'
             },
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
 ]
 
 
 
@@ -37,26 +37,26 @@
 rescue_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Rescue a server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (rescue)',
                 'method': 'POST'
             },
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=UNRESCUE_POLICY_NAME,
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Unrescue a server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (unrescue)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY
     ),
 ]
 
@@ -24,37 +24,37 @@
 shelve_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'shelve',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Shelve server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (shelve)'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'unshelve',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Unshelve (restore) shelved server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (unshelve)'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'shelve_offload',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="Shelf-offload (remove) server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (shelveOffload)'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
 ]
Original file line number	Diff line number	Diff line change
`@@ -24,26 +24,26 @@`
`24`	`24`	`admin_actions_policies = [`
`25`	`25`	`policy.DocumentedRuleDefault(`
`26`	`26`	`name=POLICY_ROOT % 'reset_state',`
`27`		`- check_str=base.SYSTEM_ADMIN,`
	`27`	`+ check_str=base.PROJECT_ADMIN,`
`28`	`28`	`description="Reset the state of a given server",`
`29`	`29`	`operations=[`
`30`	`30`	`{`
`31`	`31`	`'method': 'POST',`
`32`	`32`	`'path': '/servers/{server_id}/action (os-resetState)'`
`33`	`33`	`}`
`34`	`34`	`],`
`35`		`- scope_types=['system', 'project']),`
	`35`	`+ scope_types=['project']),`
`36`	`36`	`policy.DocumentedRuleDefault(`
`37`	`37`	`name=POLICY_ROOT % 'inject_network_info',`
`38`		`- check_str=base.SYSTEM_ADMIN,`
	`38`	`+ check_str=base.PROJECT_ADMIN,`
`39`	`39`	`description="Inject network information into the server",`
`40`	`40`	`operations=[`
`41`	`41`	`{`
`42`	`42`	`'method': 'POST',`
`43`	`43`	`'path': '/servers/{server_id}/action (injectNetworkInfo)'`
`44`	`44`	`}`
`45`	`45`	`],`
`46`		`- scope_types=['system', 'project']),`
	`46`	`+ scope_types=['project']),`
`47`	`47`	`]`
`48`	`48`
`49`	`49`
Original file line number	Diff line number	Diff line change
`@@ -24,15 +24,15 @@`
`24`	`24`	`admin_password_policies = [`
`25`	`25`	`policy.DocumentedRuleDefault(`
`26`	`26`	`name=BASE_POLICY_NAME,`
`27`		`- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,`
	`27`	`+ check_str=base.PROJECT_MEMBER,`
`28`	`28`	`description="Change the administrative password for a server",`
`29`	`29`	`operations=[`
`30`	`30`	`{`
`31`	`31`	`'path': '/servers/{server_id}/action (changePassword)',`
`32`	`32`	`'method': 'POST'`
`33`	`33`	`}`
`34`	`34`	`],`
`35`		`- scope_types=['system', 'project'])`
	`35`	`+ scope_types=['project'])`
`36`	`36`	`]`
`37`	`37`
`38`	`38`