Add new default roles in hosts policies

This adds new defaults roles in hosts API policies. These policies are made granular and default to SYSTEM_READER and SYSTEM_ADMIN. Also pass the actual targets which is empty dict in hosts policy. Partial implement blueprint policy-defaults-refresh-deprecated-apis Change-Id: I159aaa37e1c238b484619a9951da7e63774024cb
author: Ghanshyam Mann <gmann@ghanshyammann.com> 2020-07-24 23:09:24 -0500
committer: Ghanshyam Mann <gmann@ghanshyammann.com> 2020-07-25 21:20:00 +0000
commit: 4ef2ebe241e7fedc24fb5434124fbba8be15f524 (patch)
tree: 1b3db54ef8e3ee8b718eed24a77e42de50e667f9 /nova/policies
parent: 864a32bc37416d45eadabc58c0819ee78afd4f0f (diff)
download: nova-4ef2ebe241e7fedc24fb5434124fbba8be15f524.tar.gz
1 files changed, 81 insertions, 6 deletions
diff --git a/nova/policies/hosts.py b/nova/policies/hosts.py
index 191d0c0882..97e9f8e6a8 100644
--- a/nova/policies/hosts.py
+++ b/nova/policies/hosts.py
@@ -20,41 +20,116 @@ from nova.policies import base
 
 BASE_POLICY_NAME = 'os_compute_api:os-hosts'
 
+POLICY_NAME = 'os_compute_api:os-hosts:%s'
+
+DEPRECATED_POLICY = policy.DeprecatedRule(
+    BASE_POLICY_NAME,
+    base.RULE_ADMIN_API,
+)
+
+DEPRECATED_REASON = """
+Nova API policies are introducing new default roles with scope_type
+capabilities. Old policies are deprecated and silently going to be ignored
+in nova 23.0.0 release.
+"""
 
 hosts_policies = [
     policy.DocumentedRuleDefault(
-        name=BASE_POLICY_NAME,
-        check_str=base.RULE_ADMIN_API,
-        description="""List, show and manage physical hosts.
+        name=POLICY_NAME % 'list',
+        check_str=base.SYSTEM_READER,
+        description="""List physical hosts.
 
-These APIs are all deprecated in favor of os-hypervisors and os-services.""",
+This API is deprecated in favor of os-hypervisors and os-services.""",
         operations=[
             {
                 'method': 'GET',
                 'path': '/os-hosts'
             },
+        ],
+        scope_types=['system'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+        name=POLICY_NAME % 'show',
+        check_str=base.SYSTEM_READER,
+        description="""Show physical host.
+
+This API is deprecated in favor of os-hypervisors and os-services.""",
+        operations=[
             {
                 'method': 'GET',
                 'path': '/os-hosts/{host_name}'
-            },
+            }
+        ],
+        scope_types=['system'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+        name=POLICY_NAME % 'update',
+        check_str=base.SYSTEM_ADMIN,
+        description="""Update physical host.
+
+This API is deprecated in favor of os-hypervisors and os-services.""",
+        operations=[
             {
                 'method': 'PUT',
                 'path': '/os-hosts/{host_name}'
             },
+        ],
+        scope_types=['system'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+        name=POLICY_NAME % 'reboot',
+        check_str=base.SYSTEM_ADMIN,
+        description="""Reboot physical host.
+
+This API is deprecated in favor of os-hypervisors and os-services.""",
+        operations=[
             {
                 'method': 'GET',
                 'path': '/os-hosts/{host_name}/reboot'
             },
+        ],
+        scope_types=['system'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+        name=POLICY_NAME % 'shutdown',
+        check_str=base.SYSTEM_ADMIN,
+        description="""Shutdown physical host.
+
+This API is deprecated in favor of os-hypervisors and os-services.""",
+        operations=[
             {
                 'method': 'GET',
                 'path': '/os-hosts/{host_name}/shutdown'
             },
+        ],
+        scope_types=['system'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
+    policy.DocumentedRuleDefault(
+        name=POLICY_NAME % 'start',
+        check_str=base.SYSTEM_ADMIN,
+        description="""Start physical host.
+
+This API is deprecated in favor of os-hypervisors and os-services.""",
+        operations=[
             {
                 'method': 'GET',
                 'path': '/os-hosts/{host_name}/startup'
             }
         ],
-        scope_types=['system']),
+        scope_types=['system'],
+        deprecated_rule=DEPRECATED_POLICY,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
 ]
author	Ghanshyam Mann <gmann@ghanshyammann.com>	2020-07-24 23:09:24 -0500
committer	Ghanshyam Mann <gmann@ghanshyammann.com>	2020-07-25 21:20:00 +0000
commit	4ef2ebe241e7fedc24fb5434124fbba8be15f524 (patch)
tree	1b3db54ef8e3ee8b718eed24a77e42de50e667f9 /nova/policies
parent	864a32bc37416d45eadabc58c0819ee78afd4f0f (diff)
download	nova-4ef2ebe241e7fedc24fb5434124fbba8be15f524.tar.gz