authorSlawek Kaplonski <skaplons@redhat.com>2023-04-14 10:38:52 +0200
committerSlawek Kaplonski <skaplons@redhat.com>2023-04-17 17:31:20 +0200
commit6b5acb58357b94fad7c3868ab650726b922af51a (patch)
treec1a89fbb1bdb1e0fa157591ee78462764b426f85 /neutron/conf
parent18bc5b82a1d313a27411a9a88488f1cc306f0fee (diff)
[S-RBAC] Get availability zone API available for READER role
The get_availability_zone API call should be available in the new policies to all users with the READER role, as this is roughly the same as what was allowed in the old policies (ANY). Closes-bug: #2016266 Change-Id: I8a99bc52bd815fb3395e902fc8f85cf5f187e288
Diffstat (limited to 'neutron/conf')
-rw-r--r--neutron/conf/policies/availability_zone.py8
1 files changed, 5 insertions, 3 deletions
diff --git a/neutron/conf/policies/availability_zone.py b/neutron/conf/policies/availability_zone.py
index 9f265dfab4..bb94f17f64 100644
--- a/neutron/conf/policies/availability_zone.py
+++ b/neutron/conf/policies/availability_zone.py
@@ -14,8 +14,6 @@ from neutron_lib import policy as neutron_policy
from oslo_log import versionutils
from oslo_policy import policy
-from neutron.conf.policies import base
-
DEPRECATION_REASON = (
"The Availability Zone API now supports project scope and default roles.")
@@ -23,7 +21,11 @@ DEPRECATION_REASON = (
rules = [
policy.DocumentedRuleDefault(
name='get_availability_zone',
- check_str=base.ADMIN,
+ # NOTE: it can't be ADMIN_OR_PROJECT_READER constant from the base
+ # module because that is using "project_id" in the check string and the
+ # availability_zone resource don't belongs to any project thus such
+ # check string would fail enforcement.
+ check_str='role:reader',
description='List availability zones',
operations=[
{
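Review bot: The new `check_str='role:reader'` for `get_availability_zone` has no admin alternative, so an admin token is authorized only when it also carries the reader role (typically through Keystone implied roles), whereas the removed `base.ADMIN` check did not depend on that. The `base` module is not shown on this page, so this is inferred, but if an admin rule without `project_id` is available, something like `check_str='rule:admin_only or role:reader'` would keep admins covered on deployments without role implication. The NOTE comment could also say that the rule is intentionally unscoped, so a reader in any project can list every availability zone, and its wording should read "doesn't belong to any project". The rule definition continues past the end of the hunk, so any `deprecated_rule` it carries is not visible here.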