From e18cd136dcaa13225b0144ba310c926aaadee38a Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Thu, 2 Apr 2020 23:57:15 -0500
Subject: [PATCH] Introduce scope_types in server group policy
oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level.
- https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
- http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
Appropriate scope_type for nova case:
- https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope
This commit introduce scope_type for server group API policies as ['system', 'project']. Also adds the test case with scope_type enabled and verify we pass and fail the policy check with expected context.
Partial implement blueprint policy-defaults-refresh
Change-Id: I0167539effa78461a2298d6248c0f1e1eed83db0
---
nova/policies/server_groups.py | 44 ++++++++++++++++++----------------
1 file changed, 24 insertions(+), 20 deletions(-)
diff --git a/nova/policies/server_groups.py b/nova/policies/server_groups.py
index 30ae91c58e..f678213617 100644
--- a/nova/policies/server_groups.py
+++ b/nova/policies/server_groups.py
@@ -23,48 +23,52 @@ POLICY_ROOT = 'os_compute_api:os-server-groups:%s'
 server_groups_policies = [
     policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'create',
-        base.RULE_ADMIN_OR_OWNER,
-        "Create a new server group",
-        [
+        name=POLICY_ROOT % 'create',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Create a new server group",
+        operations=[
             {
                 'path': '/os-server-groups',
                 'method': 'POST'
             }
-        ]
+        ],
+        scope_types=['system', 'project']
     ),
     policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'delete',
-        base.RULE_ADMIN_OR_OWNER,
-        "Delete a server group",
-        [
+        name=POLICY_ROOT % 'delete',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Delete a server group",
+        operations=[
             {
                 'path': '/os-server-groups/{server_group_id}',
                 'method': 'DELETE'
             }
-        ]
+        ],
+        scope_types=['system', 'project']
     ),
     policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'index',
-        base.RULE_ADMIN_OR_OWNER,
-        "List all server groups",
-        [
+        name=POLICY_ROOT % 'index',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="List all server groups",
+        operations=[
             {
                 'path': '/os-server-groups',
                 'method': 'GET'
             }
-        ]
+        ],
+        scope_types=['system', 'project']
     ),
     policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'show',
-        base.RULE_ADMIN_OR_OWNER,
-        "Show details of a server group",
-        [
+        name=POLICY_ROOT % 'show',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Show details of a server group",
+        operations=[
             {
                 'path': '/os-server-groups/{server_group_id}',
                 'method': 'GET'
             }
-        ]
+        ],
+        scope_types=['system', 'project']
     ),
 ]
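Review bot: The commit message says a test case with scope_type enabled is added, but the diffstat lists only nova/policies/server_groups.py (24 insertions, 20 deletions), so no test accompanies this change; either add the test to the patch or drop that sentence from the message. Adding `scope_types=['system', 'project']` to all four rules while keeping `check_str=base.RULE_ADMIN_OR_OWNER` changes nothing for deployments unless oslo.policy's `enforce_scope` option is turned on — if I recall its defaults correctly, a scope mismatch is otherwise only logged as a warning, so the check_str remains the sole effective access control. Presumably a system-scoped token carries no project_id, so for `index` a system-scope caller can only satisfy the admin half of that rule; worth confirming the API's all-projects handling matches that intent. A one-line comment above the list, `# scope_types is advisory until [oslo_policy] enforce_scope is enabled`, would stop the next reader from assuming scope is enforced today.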