Introduce scope_types in os-instance-action policy

oslo.policy introduced the scope_type feature which can
control the access level at system-level and project-level.
  - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
  - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html

Appropriate scope_type for nova case:
  - https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope

This commit introduce scope_type for os-instance-action API policy.

Partial implement blueprint policy-defaults-refresh
Change-Id: If2d878177c65c9fd6ff44c9b20c354b26d583f40

nova/policies/instance_actions.py

@@ -24,9 +24,9 @@ POLICY_ROOT = 'os_compute_api:os-instance-actions:%s'
 
 instance_actions_policies = [
     policy.DocumentedRuleDefault(
-        POLICY_ROOT % 'events',
-        base.RULE_ADMIN_API,
-        """Add events details in action details for a server.
+        name=POLICY_ROOT % 'events',
+        check_str=base.RULE_ADMIN_API,
+        description="""Add events details in action details for a server.
 
 This check is performed only after the check
 os_compute_api:os-instance-actions passes. Beginning with
@@ -35,17 +35,18 @@ information is provided per event if policy enforcement passes.
 Beginning with Microversion 2.62, each event includes a hashed
 host identifier and, if policy enforcement passes, the name of
 the host.""",
-        [
+        operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/os-instance-actions/{request_id}'
             }
-        ]),
+        ],
+        scope_types=['system']),
     policy.DocumentedRuleDefault(
-        BASE_POLICY_NAME,
-        base.RULE_ADMIN_OR_OWNER,
-        """List actions and show action details for a server.""",
-        [
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="""List actions and show action details for a server.""",
+        operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/os-instance-actions'
@@ -54,7 +55,8 @@ the host.""",
                 'method': 'GET',
                 'path': '/servers/{server_id}/os-instance-actions/{request_id}'
             }
-        ]),
+        ],
+        scope_types=['system', 'project']),
 ]
 
 

nova/tests/unit/policies/test_instance_actions.py

@@ -160,3 +160,17 @@ class InstanceActionsScopeTypePolicyTest(InstanceActionsPolicyTest):
     def setUp(self):
         super(InstanceActionsScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system admin is able to get the
+        # instance action events
+        self.admin_authorized_contexts = [
+            self.system_admin_context]
+        # Check that non-system or non-admin is not able to
+        # get the instance action events
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.system_foo_context,
+            self.project_admin_context, self.project_member_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context
+        ]