1 files changed, 42 insertions, 8 deletions

diff --git a/designate/common/policies/context.py b/designate/common/policies/context.py
index 08a528f3..81ab54d5 100644
--- a/designate/common/policies/context.py
+++ b/designate/common/policies/context.py
@@ -13,28 +13,62 @@
 #    under the License.
 
 
+from oslo_log import versionutils
 from oslo_policy import policy
 
 from designate.common.policies import base
 
 
+deprecated_all_tenants = policy.DeprecatedRule(
+    name="all_tenants",
+    check_str=base.RULE_ADMIN,
+    deprecated_reason=base.DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_edit_managed_records = policy.DeprecatedRule(
+    name="edit_managed_records",
+    check_str=base.RULE_ADMIN,
+    deprecated_reason=base.DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_use_low_ttl = policy.DeprecatedRule(
+    name="use_low_ttl",
+    check_str=base.RULE_ADMIN,
+    deprecated_reason=base.DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
+deprecated_use_sudo = policy.DeprecatedRule(
+    name="use_sudo",
+    check_str=base.RULE_ADMIN,
+    deprecated_reason=base.DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.WALLABY
+)
+
 rules = [
     policy.RuleDefault(
         name="all_tenants",
-        check_str=base.RULE_ADMIN,
-        description='Action on all tenants.'),
+        check_str=base.SYSTEM_ADMIN,
+        scope_types=['system'],
+        description='Action on all tenants.',
+        deprecated_rule=deprecated_all_tenants),
     policy.RuleDefault(
         name="edit_managed_records",
-        check_str=base.RULE_ADMIN,
-        description='Edit managed records.'),
+        check_str=base.SYSTEM_ADMIN,
+        scope_types=['system'],
+        description='Edit managed records.',
+        deprecated_rule=deprecated_edit_managed_records),
     policy.RuleDefault(
         name="use_low_ttl",
-        check_str=base.RULE_ADMIN,
-        description='Use low TTL.'),
+        check_str=base.SYSTEM_ADMIN,
+        scope_types=['system'],
+        description='Use low TTL.',
+        deprecated_rule=deprecated_use_low_ttl),
     policy.RuleDefault(
         name="use_sudo",
-        check_str=base.RULE_ADMIN,
-        description='Accept sudo from user to tenant.')
+        check_str=base.SYSTEM_ADMIN,
+        scope_types=['system'],
+        description='Accept sudo from user to tenant.',
+        deprecated_rule=deprecated_use_sudo)
 ]