1 files changed, 31 insertions, 39 deletions

diff --git a/nova/tests/unit/policies/test_flavor_manage.py b/nova/tests/unit/policies/test_flavor_manage.py
index 8a890a85af..0663a689cb 100644
--- a/nova/tests/unit/policies/test_flavor_manage.py
+++ b/nova/tests/unit/policies/test_flavor_manage.py
@@ -10,7 +10,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-import mock
+from unittest import mock
+
 from oslo_utils.fixture import uuidsentinel as uuids
 
 from nova.api.openstack.compute import flavor_manage
@@ -31,18 +32,11 @@ class FlavorManagePolicyTest(base.BasePolicyTest):
         super(FlavorManagePolicyTest, self).setUp()
         self.controller = flavor_manage.FlavorManageController()
         self.req = fakes.HTTPRequest.blank('')
-        # Check that admin is able to manage the flavors.
+        # With legacy rule and no scope checks, all admin can manage
+        # the flavors.
         self.admin_authorized_contexts = [
             self.legacy_admin_context, self.system_admin_context,
             self.project_admin_context]
-        # Check that non-admin is not able to manage the flavors.
-        self.admin_unauthorized_contexts = [
-            self.system_member_context, self.system_reader_context,
-            self.system_foo_context, self.project_member_context,
-            self.other_project_member_context,
-            self.other_project_reader_context,
-            self.project_foo_context, self.project_reader_context
-        ]
 
     def test_create_flavor_policy(self):
         rule_name = fm_policies.POLICY_ROOT % 'create'
@@ -67,29 +61,34 @@ class FlavorManagePolicyTest(base.BasePolicyTest):
                 "disk": 1,
             }
         }
-        self.common_policy_check(self.admin_authorized_contexts,
-                                 self.admin_unauthorized_contexts,
-                                 rule_name, self.controller._create,
-                                 self.req, body=body)
+        self.common_policy_auth(self.admin_authorized_contexts,
+                                rule_name, self.controller._create,
+                                self.req, body=body)
 
     @mock.patch('nova.objects.Flavor.get_by_flavor_id')
     @mock.patch('nova.objects.Flavor.save')
     def test_update_flavor_policy(self, mock_save, mock_get):
         rule_name = fm_policies.POLICY_ROOT % 'update'
         req = fakes.HTTPRequest.blank('', version='2.55')
-        self.common_policy_check(self.admin_authorized_contexts,
-                                 self.admin_unauthorized_contexts,
-                                 rule_name, self.controller._update,
-                                 req, uuids.fake_id,
-                                 body={'flavor': {'description': None}})
+        self.common_policy_auth(self.admin_authorized_contexts,
+                                rule_name, self.controller._update,
+                                req, uuids.fake_id,
+                                body={'flavor': {'description': None}})
 
     @mock.patch('nova.objects.Flavor.destroy')
     def test_delete_flavor_policy(self, mock_delete):
         rule_name = fm_policies.POLICY_ROOT % 'delete'
-        self.common_policy_check(self.admin_authorized_contexts,
-                                 self.admin_unauthorized_contexts,
-                                 rule_name, self.controller._delete,
-                                 self.req, uuids.fake_id)
+        self.common_policy_auth(self.admin_authorized_contexts,
+                                rule_name, self.controller._delete,
+                                self.req, uuids.fake_id)
+
+
+class FlavorManageNoLegacyNoScopeTest(FlavorManagePolicyTest):
+    """Test Flavor Access API policies with deprecated rules
+    disabled, but scope checking still disabled.
+    """
+
+    without_deprecated_rules = True
 
 
 class FlavorManageScopeTypePolicyTest(FlavorManagePolicyTest):
@@ -106,23 +105,16 @@ class FlavorManageScopeTypePolicyTest(FlavorManagePolicyTest):
         super(FlavorManageScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
 
-        # Check that system admin is able to manage the flavors.
+        # With scope enabled, only project admin is able to manage
+        # the flavors.
         self.admin_authorized_contexts = [
-            self.system_admin_context]
-        # Check that non-system-admin is not able to manage the flavors.
-        self.admin_unauthorized_contexts = [
-            self.legacy_admin_context, self.system_member_context,
-            self.system_reader_context, self.project_admin_context,
-            self.system_foo_context, self.project_member_context,
-            self.other_project_member_context,
-            self.other_project_reader_context,
-            self.project_foo_context, self.project_reader_context
-        ]
-
-
-class FlavorManageNoLegacyPolicyTest(FlavorManageScopeTypePolicyTest):
+            self.legacy_admin_context,
+            self.project_admin_context]
+
+
+class FlavorManageScopeTypeNoLegacyPolicyTest(
+        FlavorManageScopeTypePolicyTest):
     """Test Flavor Manage APIs policies with system scope enabled,
-    and no more deprecated rules that allow the legacy admin API to
-    access system_admin_or_owner APIs.
+    and no more deprecated rules.
     """
     without_deprecated_rules = True