From abd67b9e5407e6728dbc9d23a8d3e3a17984992c Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann <gmann@ghanshyammann.com>
Date: Mon, 10 Feb 2020 20:23:59 -0600
Subject: [PATCH] Add new default roles in os-create-backup policies

This adds new defaults roles in os-admin-password API policies.

This policy is default to owner or system admin role.

Also add tests to simulates the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.

Partial implement blueprint policy-defaults-refresh

Change-Id: I023a13c0f7d205aa65b7f74589f243ea359345dc
---
 nova/policies/create_backup.py                |  2 +-
 .../tests/unit/policies/test_create_backup.py | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/nova/policies/create_backup.py b/nova/policies/create_backup.py
index b90016ed5a..b7acc36bd5 100644
--- a/nova/policies/create_backup.py
+++ b/nova/policies/create_backup.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-create-backup'
 create_backup_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
         description='Create a back up of a server',
         operations=[
             {
diff --git a/nova/tests/unit/policies/test_create_backup.py b/nova/tests/unit/policies/test_create_backup.py
index 3863ccc409..81cdcd58b6 100644
--- a/nova/tests/unit/policies/test_create_backup.py
+++ b/nova/tests/unit/policies/test_create_backup.py
@@ -88,3 +88,29 @@ class CreateBackupScopeTypePolicyTest(CreateBackupPolicyTest):
     def setUp(self):
         super(CreateBackupScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class CreateBackupNoLegacyPolicyTest(CreateBackupPolicyTest):
+    """Test Create Backup APIs policies with system scope enabled,
+    and no more deprecated rules that allow the legacy admin API to
+    access system_admin_or_owner APIs.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(CreateBackupNoLegacyPolicyTest, self).setUp()
+        self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system or projct admin or owner is able to create
+        # server backup.
+        self.admin_authorized_contexts = [
+            self.system_admin_context,
+            self.project_admin_context, self.project_member_context]
+        # Check that non-system and non-admin/owner is not able to
+        # create server backup.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.project_reader_context,
+            self.project_foo_context,
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context,
+            self.other_project_member_context]