authorGhanshyam Mann <gmann@ghanshyammann.com>2022-02-16 21:29:02 -0600
committerGhanshyam <gmann@ghanshyammann.com>2022-02-24 16:33:26 +0000
commit1be007243b71713d4d19b3f15eb1c472c7fb2d96 (patch)
treea1832e736762fb1af46f867385432a1ea42527d1 /nova/policies
parentab084d4d1dbaafe1568c19aef5101efebee1e373 (diff)
downloadnova-1be007243b71713d4d19b3f15eb1c472c7fb2d96.tar.gz
Separate flavor extra specs policy for server APIs
The flavor extra specs index policy is used to show flavor extra specs in the flavor API responses as well as in the server API responses. As per the new RBAC guidelines, we are restricting project-level resource APIs to project scope only. To do that, we are separating out the flavor extra specs index policy used by the server APIs and making that new policy project scoped only. Partial implement blueprint policy-defaults-refresh-2 Change-Id: I9cfb61dabe6f98cb057aad9702f9d355c415fda6
Diffstat (limited to 'nova/policies')
-rw-r--r--nova/policies/base.py6
-rw-r--r--nova/policies/flavor_extra_specs.py29
-rw-r--r--nova/policies/servers.py41
3 files changed, 51 insertions, 25 deletions
diff --git a/nova/policies/base.py b/nova/policies/base.py
index afa6e4c0c7..04ab8272a1 100644
--- a/nova/policies/base.py
+++ b/nova/policies/base.py
@@ -56,6 +56,7 @@ PROJECT_MEMBER = 'rule:project_member_api'
PROJECT_READER = 'rule:project_reader_api'
PROJECT_MEMBER_OR_SYSTEM_ADMIN = 'rule:system_admin_or_owner'
PROJECT_READER_OR_SYSTEM_READER = 'rule:system_or_project_reader'
+PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin'
ADMIN = 'rule:context_is_admin'
# NOTE(gmann): Below is the mapping of new roles and scope_types
@@ -139,6 +140,11 @@ rules = [
"system_or_project_reader",
"rule:system_reader_api or rule:project_reader_api",
"Default rule for System+Project read only APIs.",
+ deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
+ policy.RuleDefault(
+ "project_reader_or_admin",
+ "rule:project_reader_api or rule:context_is_admin",
+ "Default rule for Project reader and admin APIs.",
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY)
]
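Review bot: The new `project_reader_or_admin` rule keeps `deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY` (the context line closing the hunk), and as I read oslo.policy's deprecation handling that means the effective check stays `rule:project_reader_api or rule:context_is_admin` OR'ed with the legacy admin-or-owner rule until a deployment opts into new defaults, so the description should not read as though the narrower string is already enforced. I would make the description say what changed for operators: `"Default rule for project-scoped read-only APIs that admins may also call; replaces the system-or-project reader rule for project resources."`. If the NOTE(gmann) role/scope mapping above the `rules` list enumerates these aliases, `PROJECT_READER_OR_ADMIN` belongs there too; that table is outside the hunk.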
diff --git a/nova/policies/flavor_extra_specs.py b/nova/policies/flavor_extra_specs.py
index 7335763d4b..06b486bf49 100644
--- a/nova/policies/flavor_extra_specs.py
+++ b/nova/policies/flavor_extra_specs.py
@@ -17,14 +17,12 @@ from oslo_policy import policy
from nova.policies import base
-
POLICY_ROOT = 'os_compute_api:os-flavor-extra-specs:%s'
-
flavor_extra_specs_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="Show an extra spec for a flavor",
operations=[
{
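Review bot: The `show` rule moves from `PROJECT_READER_OR_SYSTEM_READER` to `PROJECT_READER_OR_ADMIN`, which removes the system-reader path, but nothing in the hunk explains that to a deployer; the rule's `scope_types` and any `deprecated_rule`/`deprecated_reason` are below the hunk, so I cannot see whether a deployment issuing system-scoped reader tokens will get a warning about losing access. Since the server-side split in servers.py carries its own DEPRECATED_REASON, the flavor side deserves an equivalent note, e.g. `deprecated_reason="Flavor extra specs are a project-level resource; the system reader role no longer has default access, admins and project readers do."`, assuming a deprecated rule is still attached to this definition. The `policy.DocumentedRuleDefault(...)` for show continues past the end of the hunk.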
@@ -75,34 +73,15 @@ flavor_extra_specs_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
description="List extra specs for a flavor. Starting with "
- "microversion 2.47, the flavor used for a server is also returned "
- "in the response when showing server details, updating a server or "
- "rebuilding a server. Starting with microversion 2.61, extra specs "
- "may be returned in responses for the flavor resource.",
+ "microversion 2.61, extra specs may be returned in responses "
+ "for the flavor resource.",
operations=[
{
'path': '/flavors/{flavor_id}/os-extra_specs/',
'method': 'GET'
},
- # Microversion 2.47 operations for servers:
- {
- 'path': '/servers/detail',
- 'method': 'GET'
- },
- {
- 'path': '/servers/{server_id}',
- 'method': 'GET'
- },
- {
- 'path': '/servers/{server_id}',
- 'method': 'PUT'
- },
- {
- 'path': '/servers/{server_id}/action (rebuild)',
- 'method': 'POST'
- },
# Microversion 2.61 operations for flavors:
{
'path': '/flavors',
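Review bot: The trimmed `index` description no longer says where the server-API behaviour went, although this same commit introduces `os_compute_api:servers:show:flavor-extra-specs` for exactly the 2.47 server operations removed here; an operator searching the generated policy reference for those server paths will find no pointer. I would keep one cross-reference sentence at the end of the description: `"Extra specs returned in server responses (microversion 2.47+) are governed by os_compute_api:servers:show:flavor-extra-specs instead."`. The operations list and the rule definition continue past the end of the hunk.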
diff --git a/nova/policies/servers.py b/nova/policies/servers.py
index c5b1592d8f..faa8f8d02c 100644
--- a/nova/policies/servers.py
+++ b/nova/policies/servers.py
@@ -22,6 +22,17 @@ ZERO_DISK_FLAVOR = SERVERS % 'create:zero_disk_flavor'
REQUESTED_DESTINATION = 'compute:servers:create:requested_destination'
CROSS_CELL_RESIZE = 'compute:servers:resize:cross_cell'
+DEPRECATED_POLICY = policy.DeprecatedRule(
+ 'os_compute_api:os-flavor-extra-specs:index',
+ base.RULE_ADMIN_OR_OWNER,
+)
+
+DEPRECATED_REASON = """
+Policies for showing flavor extra specs in server APIs response is
+seprated as new policy. This policy is deprecated only for that but
+not for list extra specs and showing it in flavor API response.
+"""
+
rules = [
policy.DocumentedRuleDefault(
name=SERVERS % 'index',
@@ -95,6 +106,36 @@ rules = [
}
],
scope_types=['project']),
+ policy.DocumentedRuleDefault(
+ name=SERVERS % 'show:flavor-extra-specs',
+ check_str=base.PROJECT_READER,
+ description="Starting with microversion 2.47, the flavor and its "
+ "extra specs used for a server is also returned in the response "
+ "when showing server details, updating a server or rebuilding a "
+ "server.",
+ operations=[
+ # Microversion 2.47 operations for servers:
+ {
+ 'path': '/servers/detail',
+ 'method': 'GET'
+ },
+ {
+ 'path': '/servers/{server_id}',
+ 'method': 'GET'
+ },
+ {
+ 'path': '/servers/{server_id}',
+ 'method': 'PUT'
+ },
+ {
+ 'path': '/servers/{server_id}/action (rebuild)',
+ 'method': 'POST'
+ },
+ ],
+ scope_types=['project'],
+ deprecated_rule=DEPRECATED_POLICY,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since='25.0.0'),
# the details in host_status are pretty sensitive, only admins
# should do that by default.
policy.DocumentedRuleDefault(
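Review bot: The new `servers:show:flavor-extra-specs` rule gates a response field on `GET /servers/detail`, `GET /servers/{server_id}`, `PUT` and rebuild rather than the request itself, so the enforcement sites (not in this diff) must evaluate it non-fatally and simply omit extra specs on failure; if any caller enforces it fatally, a project reader without the rule loses the whole server listing instead of one field — worth confirming against the API code. The description also overstates what the policy controls: the flavor itself is returned by the show policy, only the extra specs hang off this rule, and `is` should be `are`; I would write `"Starting with microversion 2.47, the extra specs of the flavor used for a server are also returned in the response when showing server details, updating a server or rebuilding a server; this policy controls whether they are included."`. The `rules` list continues past the end of the hunk.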