policy: Add defaults in code (part 2)

Partially-Implements: bp policy-in-code

Change-Id: I09ba2381a9f365a163012f6bae495838ff11acbe

etc/nova/policy.json

@@ -14,45 +14,8 @@
     "os_compute_api:servers:discoverable": "@",
     "os_compute_api:servers:migrations:index": "rule:admin_api",
     "os_compute_api:servers:migrations:show": "rule:admin_api",
-    "os_compute_api:os-cells": "rule:admin_api",
-    "os_compute_api:os-cells:create": "rule:admin_api",
-    "os_compute_api:os-cells:delete": "rule:admin_api",
-    "os_compute_api:os-cells:update": "rule:admin_api",
-    "os_compute_api:os-cells:sync_instances": "rule:admin_api",
-    "os_compute_api:os-cells:discoverable": "@",
-    "os_compute_api:os-certificates:create": "rule:admin_or_owner",
-    "os_compute_api:os-certificates:show": "rule:admin_or_owner",
-    "os_compute_api:os-certificates:discoverable": "@",
-    "os_compute_api:os-cloudpipe": "rule:admin_api",
-    "os_compute_api:os-cloudpipe:discoverable": "@",
-    "os_compute_api:os-config-drive": "rule:admin_or_owner",
-    "os_compute_api:os-config-drive:discoverable": "@",
-    "os_compute_api:os-consoles:discoverable": "@",
-    "os_compute_api:os-consoles:create": "rule:admin_or_owner",
-    "os_compute_api:os-consoles:delete": "rule:admin_or_owner",
-    "os_compute_api:os-consoles:index": "rule:admin_or_owner",
-    "os_compute_api:os-consoles:show": "rule:admin_or_owner",
-    "os_compute_api:os-console-output:discoverable": "@",
-    "os_compute_api:os-console-output": "rule:admin_or_owner",
     "os_compute_api:os-remote-consoles": "rule:admin_or_owner",
     "os_compute_api:os-remote-consoles:discoverable": "@",
-    "os_compute_api:os-create-backup:discoverable": "@",
-    "os_compute_api:os-create-backup": "rule:admin_or_owner",
-    "os_compute_api:os-deferred-delete": "rule:admin_or_owner",
-    "os_compute_api:os-deferred-delete:discoverable": "@",
-    "os_compute_api:os-evacuate": "rule:admin_api",
-    "os_compute_api:os-evacuate:discoverable": "@",
-    "os_compute_api:os-extended-server-attributes": "rule:admin_api",
-    "os_compute_api:os-extended-server-attributes:discoverable": "@",
-    "os_compute_api:os-extended-status": "rule:admin_or_owner",
-    "os_compute_api:os-extended-status:discoverable": "@",
-    "os_compute_api:os-extended-availability-zone": "rule:admin_or_owner",
-    "os_compute_api:os-extended-availability-zone:discoverable": "@",
-    "os_compute_api:extensions": "rule:admin_or_owner",
-    "os_compute_api:extensions:discoverable": "@",
-    "os_compute_api:extension_info:discoverable": "@",
-    "os_compute_api:os-extended-volumes": "rule:admin_or_owner",
-    "os_compute_api:os-extended-volumes:discoverable": "@",
     "os_compute_api:os-fixed-ips": "rule:admin_api",
     "os_compute_api:os-fixed-ips:discoverable": "@",
     "os_compute_api:os-flavor-access": "rule:admin_or_owner",
@@ -199,8 +162,6 @@
     "os_compute_api:os-used-limits:discoverable": "@",
     "os_compute_api:os-migrations:index": "rule:admin_api",
     "os_compute_api:os-migrations:discoverable": "@",
-    "os_compute_api:os-console-auth-tokens": "rule:admin_api",
-    "os_compute_api:os-console-auth-tokens:discoverable": "@",
     "os_compute_api:os-server-external-events:create": "rule:admin_api",
     "os_compute_api:os-server-external-events:discoverable": "@"
 }

nova/policies/__init__.py

@@ -24,6 +24,22 @@ from nova.policies import availability_zone
 from nova.policies import baremetal_nodes
 from nova.policies import base
 from nova.policies import block_device_mapping_v1
+from nova.policies import cells
+from nova.policies import certificates
+from nova.policies import cloudpipe
+from nova.policies import config_drive
+from nova.policies import console_auth_tokens
+from nova.policies import console_output
+from nova.policies import consoles
+from nova.policies import create_backup
+from nova.policies import deferred_delete
+from nova.policies import evacuate
+from nova.policies import extended_availability_zone
+from nova.policies import extended_server_attributes
+from nova.policies import extended_status
+from nova.policies import extended_volumes
+from nova.policies import extension_info
+from nova.policies import extensions
 from nova.policies import servers
 
 
@@ -40,5 +56,21 @@ def list_rules():
         baremetal_nodes.list_rules(),
         base.list_rules(),
         block_device_mapping_v1.list_rules(),
+        cells.list_rules(),
+        certificates.list_rules(),
+        cloudpipe.list_rules(),
+        config_drive.list_rules(),
+        console_auth_tokens.list_rules(),
+        console_output.list_rules(),
+        consoles.list_rules(),
+        create_backup.list_rules(),
+        deferred_delete.list_rules(),
+        evacuate.list_rules(),
+        extended_availability_zone.list_rules(),
+        extended_server_attributes.list_rules(),
+        extended_status.list_rules(),
+        extended_volumes.list_rules(),
+        extension_info.list_rules(),
+        extensions.list_rules(),
         servers.list_rules()
     )

nova/policies/cells.py

@@ -0,0 +1,48 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-cells'
+POLICY_ROOT = 'os_compute_api:os-cells:%s'
+
+
+cells_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'update',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'create',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'sync_instances',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'delete',
+        check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+    return cells_policies

nova/policies/certificates.py

@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-certificates:%s'
+
+
+certificates_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'create',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return certificates_policies

nova/policies/cloudpipe.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-cloudpipe'
+POLICY_ROOT = 'os_compute_api:os-cloudpipe:%s'
+
+
+cloudpipe_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return cloudpipe_policies

nova/policies/config_drive.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-config-drive'
+POLICY_ROOT = 'os_compute_api:os-config-drive:%s'
+
+
+config_drive_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return config_drive_policies

nova/policies/console_auth_tokens.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-console-auth-tokens'
+POLICY_ROOT = 'os_compute_api:os-console-auth-tokens:%s'
+
+
+console_auth_tokens_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+    return console_auth_tokens_policies

nova/policies/console_output.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-console-output'
+POLICY_ROOT = 'os_compute_api:os-console-output:%s'
+
+
+console_output_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return console_output_policies

nova/policies/consoles.py

@@ -0,0 +1,44 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-consoles:%s'
+
+
+consoles_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'create',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'delete',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'index',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return consoles_policies

nova/policies/create_backup.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-create-backup'
+POLICY_ROOT = 'os_compute_api:os-create-backup:%s'
+
+
+create_backup_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return create_backup_policies

nova/policies/deferred_delete.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-deferred-delete'
+POLICY_ROOT = 'os_compute_api:os-deferred-delete:%s'
+
+
+deferred_delete_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return deferred_delete_policies

nova/policies/evacuate.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-evacuate'
+POLICY_ROOT = 'os_compute_api:os-evacuate:%s'
+
+
+evacuate_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+    return evacuate_policies

nova/policies/extended_availability_zone.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-extended-availability-zone'
+POLICY_ROOT = 'os_compute_api:os-extended-availability-zone:%s'
+
+
+extended_availability_zone_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return extended_availability_zone_policies

nova/policies/extended_server_attributes.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-extended-server-attributes'
+POLICY_ROOT = 'os_compute_api:os-extended-server-attributes:%s'
+
+
+extended_server_attributes_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return extended_server_attributes_policies

nova/policies/extended_status.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-extended-status'
+POLICY_ROOT = 'os_compute_api:os-extended-status:%s'
+
+
+extended_status_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return extended_status_policies

nova/policies/extended_volumes.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-extended-volumes'
+POLICY_ROOT = 'os_compute_api:os-extended-volumes:%s'
+
+
+extended_volumes_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return extended_volumes_policies

nova/policies/extension_info.py

@@ -0,0 +1,32 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:extension_info:%s'
+
+
+extension_info_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return extension_info_policies

nova/policies/extensions.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:extensions'
+POLICY_ROOT = 'os_compute_api:extensions:%s'
+
+
+extensions_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return extensions_policies