From 6c6d7e3dc2c61b13d17f30ddd7607a4dfb2ef86d Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Mon, 30 Mar 2020 23:47:13 -0500
Subject: [PATCH] Introduce scope_types in migrate server oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level. - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html Appropriate scope_type for nova case: - https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope This commit introduce scope_type for migrate server API policies as 'system'. Also adds the test case with scope_type enabled and verify we pass and fail the policy check with expected context. Partial implement blueprint policy-defaults-refresh Change-Id: Icba4c14f240215fd56f1cdd9814cc81ebf2796be
---
 nova/policies/migrate_server.py | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/nova/policies/migrate_server.py b/nova/policies/migrate_server.py
index f377e5820b..bc8199f7f5 100644
--- a/nova/policies/migrate_server.py
+++ b/nova/policies/migrate_server.py
@@ -23,25 +23,27 @@ POLICY_ROOT = 'os_compute_api:os-migrate-server:%s'
 migrate_server_policies = [
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'migrate',
- base.RULE_ADMIN_API,
- "Cold migrate a server to a host",
- [
+ name=POLICY_ROOT % 'migrate',
+ check_str=base.RULE_ADMIN_API,
+ description="Cold migrate a server to a host",
+ operations=[
 {
 'method': 'POST',
 'path': '/servers/{server_id}/action (migrate)'
 }
- ]),
+ ],
+ scope_types=['system', 'project']),
 policy.DocumentedRuleDefault(
- POLICY_ROOT % 'migrate_live',
- base.RULE_ADMIN_API,
- "Live migrate a server to a new host without a reboot",
- [
+ name=POLICY_ROOT % 'migrate_live',
+ check_str=base.RULE_ADMIN_API,
+ description="Live migrate a server to a new host without a reboot",
+ operations=[
 {
 'method': 'POST',
 'path': '/servers/{server_id}/action (os-migrateLive)'
 }
- ]),
+ ],
+ scope_types=['system', 'project']),
 ]
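Review bot: Both rules are given `scope_types=['system', 'project']`, but the commit message says the migrate-server policies are scoped as 'system', so the code and the message disagree about who may trigger cold and live migration. With `check_str` left at `base.RULE_ADMIN_API` (defined outside this hunk, so its handling of project admins should be confirmed), listing 'project' means scope enforcement will not reject a project-scoped token and access rests on the role check alone. If moving a server between hosts is meant to be an operator-only action, both rules should read `scope_types=['system']),`; if project scope is intentional, a short comment above each `scope_types` line stating why, plus a corrected commit message, would keep the access decision auditable. The message also mentions scope-enabled test cases, yet the diffstat lists only nova/policies/migrate_server.py, so the pass/fail coverage for system versus project contexts cannot be checked from this patch.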