From 6cfc912ea57c09a661bd2fc172eae10e6667d0e9 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Tue, 4 Feb 2020 12:48:42 -0600
Subject: [PATCH] Introduce scope_types in os-attach-interfaces

oslo.policy introduced the scope_type feature which can control the
access level at system-level and project-level.

- https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
- http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html

Appropriate scope_type for nova case:
- https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope

This commit introduce scope_type for os-attach-interfaces API policies
as 'system' and 'project'.

Also adds the test case with scope_type enabled and verify we pass and
fail the policy check with expected context.

Partial implement blueprint policy-defaults-refresh

Change-Id: I6b2bafe0c9460a1a6fdd4fbaae46b99905894ad4
---
 nova/policies/attach_interfaces.py | 35 ++++++++++++++++--------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/nova/policies/attach_interfaces.py b/nova/policies/attach_interfaces.py
index c9b6677d09..8b0cfd6a9d 100644
--- a/nova/policies/attach_interfaces.py
+++ b/nova/policies/attach_interfaces.py
@@ -24,11 +24,11 @@ POLICY_ROOT = 'os_compute_api:os-attach-interfaces:%s'
 
 attach_interfaces_policies = [
     policy.DocumentedRuleDefault(
-        BASE_POLICY_NAME,
-        base.RULE_ADMIN_OR_OWNER,
-        "List port interfaces or show details of a port interface attached "
-        "to a server",
-        [
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="List port interfaces or show details of a port interface "
+        "attached to a server",
+        operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/os-interface'
@@ -37,27 +37,30 @@ attach_interfaces_policies = [
                 'method': 'GET',
                 'path': '/servers/{server_id}/os-interface/{port_id}'
             }
-        ]),
+        ],
+        scope_types=['system', 'project']),
     policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'create',
-        base.RULE_ADMIN_OR_OWNER,
-        "Attach an interface to a server",
-        [
+        name=POLICY_ROOT % 'create',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Attach an interface to a server",
+        operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/os-interface'
             }
-        ]),
+        ],
+        scope_types=['system', 'project']),
     policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'delete',
-        base.RULE_ADMIN_OR_OWNER,
-        "Detach an interface from a server",
-        [
+        name=POLICY_ROOT % 'delete',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Detach an interface from a server",
+        operations=[
             {
                 'method': 'DELETE',
                 'path': '/servers/{server_id}/os-interface/{port_id}'
             }
-        ])
+        ],
+        scope_types=['system', 'project'])
 ]
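Review bot: Adding `scope_types=['system', 'project']` to the create and delete rules does not by itself narrow who may attach or detach an interface, because the check_str stays `base.RULE_ADMIN_OR_OWNER`; if that rule is still the admin-or-project_id check from base.py, a project-scoped admin keeps cross-project access and a system-scoped token (which carries no project_id) can only pass through the admin branch. oslo.policy also enforces scope_types only when `[oslo_policy] enforce_scope` is True and otherwise just warns on a scope mismatch, so as written the hunk tightens nothing on a default deployment. Suggest a comment above the first rule so operators do not assume the defaults changed: `# NOTE: scope_types only takes effect with [oslo_policy] enforce_scope=True; check_str is unchanged, so admins of any project still pass.` The diffstat lists only nova/policies/attach_interfaces.py, so the scope-enabled test the commit message describes is not part of the patch as shown here.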