Diffstat (limited to 'nova/tests/unit/policies/test_instance_usage_audit_log.py')
-rw-r--r--nova/tests/unit/policies/test_instance_usage_audit_log.py78
1 files changed, 35 insertions, 43 deletions
diff --git a/nova/tests/unit/policies/test_instance_usage_audit_log.py b/nova/tests/unit/policies/test_instance_usage_audit_log.py
index e320beacd2..71b0cdd2aa 100644
--- a/nova/tests/unit/policies/test_instance_usage_audit_log.py
+++ b/nova/tests/unit/policies/test_instance_usage_audit_log.py
@@ -10,7 +10,7 @@
# License for the specific language governing permissions and limitations
# under the License.
-import mock
+from unittest import mock
from nova.api.openstack.compute import instance_usage_audit_log as iual
from nova.policies import base as base_policy
@@ -35,37 +35,37 @@ class InstanceUsageAuditLogPolicyTest(base.BasePolicyTest):
self.controller.host_api.task_log_get_all = mock.MagicMock()
self.controller.host_api.service_get_all = mock.MagicMock()
- # Check that admin is able to get instance usage audit log.
- # NOTE(gmann): Until old default rule which is admin_api is
- # deprecated and not removed, project admin and legacy admin
- # will be able to get instance usage audit log. This make sure
- # that existing tokens will keep working even we have changed
- # this policy defaults to reader role.
- self.reader_authorized_contexts = [
+ # With legacy rule, all admin_api will be able to get instance usage
+ # audit log.
+ self.admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
- self.project_admin_context, self.system_member_context,
- self.system_reader_context]
- # Check that non-admin is not able to get instance usage audit log.
- self.reader_unauthorized_contexts = [
- self.system_foo_context, self.project_member_context,
- self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
- ]
+ self.project_admin_context]
def test_show_policy(self):
rule_name = iual_policies.BASE_POLICY_NAME % 'show'
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name, self.controller.show,
- self.req, '2020-03-25 14:40:00')
+ self.common_policy_auth(self.admin_authorized_contexts,
+ rule_name, self.controller.show,
+ self.req, '2020-03-25 14:40:00')
def test_index_policy(self):
rule_name = iual_policies.BASE_POLICY_NAME % 'list'
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name, self.controller.index,
- self.req)
+ self.common_policy_auth(self.admin_authorized_contexts,
+ rule_name, self.controller.index,
+ self.req)
+
+
+class InstanceUsageNoLegacyNoScopeTest(InstanceUsageAuditLogPolicyTest):
+ """Test Instance Usage API policies with deprecated rules
+ disabled, but scope checking still disabled.
+ """
+
+ without_deprecated_rules = True
+ rules_without_deprecation = {
+ iual_policies.BASE_POLICY_NAME % 'list':
+ base_policy.ADMIN,
+ iual_policies.BASE_POLICY_NAME % 'show':
+ base_policy.ADMIN,
+ }
class InstanceUsageScopeTypePolicyTest(InstanceUsageAuditLogPolicyTest):
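Review bot: With the explicit deny list removed from `setUp`, `test_show_policy` and `test_index_policy` only name who may read the audit log. Which contexts must be refused (the reader, member and foo contexts the old list spelled out) is now left to `common_policy_auth`, which presumably derives them from the base class's full context set; that helper is not visible here. A comment above `self.admin_authorized_contexts` would keep the denial intent readable, e.g. `# Every context not listed here (system/project reader, member, foo) must be denied.` `InstanceUsageNoLegacyNoScopeTest` inherits this list without overriding `setUp`, so its docstring could state that the same three admin contexts are expected to pass once deprecated rules are disabled. `setUp` starts outside the hunk.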
@@ -83,29 +83,21 @@ class InstanceUsageScopeTypePolicyTest(InstanceUsageAuditLogPolicyTest):
super(InstanceUsageScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
- # Check that system reader is able to get instance usage audit log.
- self.reader_authorized_contexts = [
- self.system_admin_context, self.system_member_context,
- self.system_reader_context]
- # Check that non-system-admin is not able to get instance
- # usage audit log.
- self.reader_unauthorized_contexts = [
- self.legacy_admin_context, self.project_admin_context,
- self.system_foo_context, self.project_member_context,
- self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
- ]
-
-
-class InstanceUsageNoLegacyPolicyTest(InstanceUsageScopeTypePolicyTest):
+ # Scope checks remove project users power.
+ self.admin_authorized_contexts = [
+ self.legacy_admin_context,
+ self.project_admin_context]
+
+
+class InstanceUsageScopeTypeNoLegacyPolicyTest(
+ InstanceUsageScopeTypePolicyTest):
"""Test Instance Usage Audit Log APIs policies with system scope enabled,
and no more deprecated rules.
"""
without_deprecated_rules = True
rules_without_deprecation = {
iual_policies.BASE_POLICY_NAME % 'list':
- base_policy.SYSTEM_READER,
+ base_policy.ADMIN,
iual_policies.BASE_POLICY_NAME % 'show':
- base_policy.SYSTEM_READER,
+ base_policy.ADMIN,
}
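Review bot: The new comment `# Scope checks remove project users power.` contradicts the list under it: with `enforce_scope=True` the list keeps `legacy_admin_context` and `project_admin_context` and drops `system_admin_context`, so the system-scoped admin is the one losing access. Suggest `# With scope checking enabled, the system-scoped admin is no longer authorized; only legacy and project admin are.` The unchanged docstring of `InstanceUsageScopeTypeNoLegacyPolicyTest` still says "with system scope enabled", which reads as if system tokens were the intended callers; "with scope checking enabled" would match the new `base_policy.ADMIN` rules. `setUp` begins outside the hunk.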