Implement granular policy rules for placement

This adds a granular policy checking framework for
placement based on nova.policy but with a lot of
the legacy cruft removed, like the is_admin and
context_is_admin rules.

A new PlacementPolicyFixture is added along with
a new configuration option, [placement]/policy_file,
which is needed because the default policy file
that gets used in config is from [oslo_policy]/policy_file
which is being used as the nova policy file. As
far as I can tell, oslo.policy doesn't allow for
multiple policy files with different names unless
I'm misunderstanding how the policy_dirs option works.

With these changes, we can have something like:

  /etc/nova/policy.json - for nova policy rules
  /etc/nova/placement-policy.yaml - for placement rules

The docs are also updated to include the placement
policy sample along with a tox builder for the sample.

This starts by adding granular rules for CRUD operations
on the /resource_providers and /resource_providers/{uuid}
routes which use the same descriptions from the placement
API reference. Subsequent patches will add new granular
rules for the other routes.

Part of blueprint granular-placement-policy

Change-Id: I17573f5210314341c332fdcb1ce462a989c21940

1 files changed, 2 insertions, 0 deletions

diff --git a/setup.cfg b/setup.cfg
index 12f1286dd7..d2e073153c 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -40,6 +40,7 @@ oslo.config.opts.defaults =
 
 oslo.policy.enforcer =
     nova = nova.policy:get_enforcer
+    placement = nova.api.openstack.placement.policy:get_enforcer
 
 oslo.policy.policies =
     # The sample policies will be ordered by entry point and then by list
@@ -47,6 +48,7 @@ oslo.policy.policies =
     # list_rules method into a separate entry point rather than using the
     # aggregate method.
     nova = nova.policies:list_rules
+    placement = nova.api.openstack.placement.policies:list_rules
 
 nova.compute.monitors.cpu =
     virt_driver = nova.compute.monitors.cpu.virt_driver:Monitor