authorGhanshyam Mann <gmann@ghanshyammann.com>2020-07-23 18:26:30 -0500
committerGhanshyam Mann <gmann@ghanshyammann.com>2020-07-24 01:23:21 +0000
commita20ab7016ef574f99aa3db9fb570807266a0a287 (patch)
tree2d524a116ad1a5f161fdbbf62582b5603a5787ce /nova/policies
parent293984722698673f23da162dd01d1640383eba7b (diff)
downloadnova-a20ab7016ef574f99aa3db9fb570807266a0a287.tar.gz
Add new default roles in security_groups policies
This adds new default roles in security_groups API policies. These policies are made granular and default to PROJECT_READER_OR_SYSTEM_READER and PROJECT_MEMBER_OR_SYSTEM_ADMIN. Partial implement blueprint policy-defaults-refresh-deprecated-apis Change-Id: Ie1ea066e9683fc44d486bcde1eb0f01fca7645c7
Diffstat (limited to 'nova/policies')
-rw-r--r--nova/policies/security_groups.py92
1 files changed, 79 insertions, 13 deletions
diff --git a/nova/policies/security_groups.py b/nova/policies/security_groups.py
index cbaf33b030..332fa8c030 100644
--- a/nova/policies/security_groups.py
+++ b/nova/policies/security_groups.py
@@ -35,37 +35,103 @@ in nova 23.0.0 release.
security_groups_policies = [
policy.DocumentedRuleDefault(
- name=BASE_POLICY_NAME,
- check_str=base.RULE_ADMIN_OR_OWNER,
- description="""List, show, add, or remove security groups.
-
-APIs which are directly related to security groups resource are deprecated:
-Lists, shows information for, creates, updates and deletes
-security groups. Creates and deletes security group rules. All these
-APIs are deprecated.""",
+ name=POLICY_NAME % 'get',
+ check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ description="List security groups. This API is deprecated.",
operations=[
{
'method': 'GET',
'path': '/os-security-groups'
- },
+ }
+ ],
+ scope_types=['system', 'project'],
+ deprecated_rule=DEPRECATED_POLICY,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since='22.0.0'),
+ policy.DocumentedRuleDefault(
+ name=POLICY_NAME % 'show',
+ check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ description="Show security group. This API is deprecated.",
+ operations=[
{
'method': 'GET',
'path': '/os-security-groups/{security_group_id}'
- },
+ }
+ ],
+ scope_types=['system', 'project'],
+ deprecated_rule=DEPRECATED_POLICY,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since='22.0.0'),
+ policy.DocumentedRuleDefault(
+ name=POLICY_NAME % 'create',
+ check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ description="Create security group. This API is deprecated.",
+ operations=[
{
'method': 'POST',
'path': '/os-security-groups'
- },
+ }
+ ],
+ scope_types=['system', 'project'],
+ deprecated_rule=DEPRECATED_POLICY,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since='22.0.0'),
+ policy.DocumentedRuleDefault(
+ name=POLICY_NAME % 'update',
+ check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ description="Update security group. This API is deprecated.",
+ operations=[
{
'method': 'PUT',
'path': '/os-security-groups/{security_group_id}'
- },
+ }
+ ],
+ scope_types=['system', 'project'],
+ deprecated_rule=DEPRECATED_POLICY,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since='22.0.0'),
+ policy.DocumentedRuleDefault(
+ name=POLICY_NAME % 'delete',
+ check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ description="Delete security group. This API is deprecated.",
+ operations=[
{
'method': 'DELETE',
'path': '/os-security-groups/{security_group_id}'
},
],
- scope_types=['system', 'project']),
+ scope_types=['system', 'project'],
+ deprecated_rule=DEPRECATED_POLICY,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since='22.0.0'),
+ policy.DocumentedRuleDefault(
+ name=POLICY_NAME % 'rule:create',
+ check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ description="Create security group Rule. This API is deprecated.",
+ operations=[
+ {
+ 'method': 'POST',
+ 'path': '/os-security-group-rules'
+ }
+ ],
+ scope_types=['system', 'project'],
+ deprecated_rule=DEPRECATED_POLICY,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since='22.0.0'),
+ policy.DocumentedRuleDefault(
+ name=POLICY_NAME % 'rule:delete',
+ check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ description="Delete security group Rule. This API is deprecated.",
+ operations=[
+ {
+ 'method': 'DELETE',
+ 'path': '/os-security-group-rules/{security_group_id}'
+ },
+ ],
+ scope_types=['system', 'project'],
+ deprecated_rule=DEPRECATED_POLICY,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since='22.0.0'),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'list',
check_str=base.PROJECT_READER_OR_SYSTEM_READER,