diff options
Diffstat (limited to 'nova/policies/flavor_access.py')
-rw-r--r-- | nova/policies/flavor_access.py | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/nova/policies/flavor_access.py b/nova/policies/flavor_access.py index b70ae71811..e7044d0cec 100644 --- a/nova/policies/flavor_access.py +++ b/nova/policies/flavor_access.py @@ -25,8 +25,8 @@ POLICY_ROOT = 'os_compute_api:os-flavor-access:%s' # NOTE(gmann): Deprecating this policy explicitly as old defaults # admin or owner is not suitable for that which should be admin (Bug#1867840) # but changing that will break old deployment so let's keep supporting -# the old default also and new default can be SYSTEM_READER -# SYSTEM_READER rule in base class is defined with the deprecated rule of admin +# the old default also and new default can be System Admin. +# System Admin rule in base class is defined with the deprecated rule of admin # not admin or owner which is the main reason that we need to explicitly # deprecate this policy here. DEPRECATED_REASON = """ @@ -45,7 +45,7 @@ DEPRECATED_FLAVOR_ACCESS_POLICY = policy.DeprecatedRule( flavor_access_policies = [ policy.DocumentedRuleDefault( name=POLICY_ROOT % 'add_tenant_access', - check_str=base.SYSTEM_ADMIN, + check_str=base.ADMIN, description="Add flavor access to a tenant", operations=[ { @@ -53,10 +53,10 @@ flavor_access_policies = [ 'path': '/flavors/{flavor_id}/action (addTenantAccess)' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'remove_tenant_access', - check_str=base.SYSTEM_ADMIN, + check_str=base.ADMIN, description="Remove flavor access from a tenant", operations=[ { @@ -64,10 +64,10 @@ flavor_access_policies = [ 'path': '/flavors/{flavor_id}/action (removeTenantAccess)' } ], - scope_types=['system']), + scope_types=['project']), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME, - check_str=base.SYSTEM_READER, + check_str=base.ADMIN, description="""List flavor access information Allows access to the full list of tenants that have access @@ -79,7 +79,7 @@ to a flavor via an os-flavor-access API. 'path': '/flavors/{flavor_id}/os-flavor-access' }, ], - scope_types=['system'], + scope_types=['project'], deprecated_rule=DEPRECATED_FLAVOR_ACCESS_POLICY), ] |