From 2608e00ce01bad2d85975beeb2ae5404ece37e1d Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Tue, 31 Mar 2020 00:37:37 -0500
Subject: [PATCH] Add new default roles in migrations policies

This adds new defaults roles in list migration API policies. This policy is default to SYSTEM_READER role.

Also add tests to simulates the future where we drop the deprecation fall back in the policy by overriding the rules with a version where there are no deprecated rule options. Operators can do the same by adding overrides in their policy files that match the default but stop the rule deprecation fallback from happening.

Partial implement blueprint policy-defaults-refresh

Change-Id: I45acb44c6eac5e9cae2b13c89ceb86afc348fcbe
---
 nova/policies/migrations.py | 2 +-
 nova/tests/unit/fake_policy.py | 1 +
 nova/tests/unit/policies/test_migrations.py | 24 ++++++++++-----------
 nova/tests/unit/test_policy.py | 2 +-
 4 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/nova/policies/migrations.py b/nova/policies/migrations.py
index be7a1861f4cc..bb77d1f0bb63 100644
--- a/nova/policies/migrations.py
+++ b/nova/policies/migrations.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-migrations:%s'
 migrations_policies = [
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'index',
- check_str=base.RULE_ADMIN_API,
+ check_str=base.SYSTEM_READER,
 description="List migrations",
 operations=[
 {
diff --git a/nova/tests/unit/fake_policy.py b/nova/tests/unit/fake_policy.py
index f9bc531c5803..6e5b86e68bd7 100644
--- a/nova/tests/unit/fake_policy.py
+++ b/nova/tests/unit/fake_policy.py
@@ -60,6 +60,7 @@ policy_data = """
 "os_compute_api:os-lock-server:unlock": "",
 "os_compute_api:os-migrate-server:migrate": "",
 "os_compute_api:os-migrate-server:migrate_live": "",
+ "os_compute_api:os-migrations:index": "",
 "os_compute_api:os-multinic": "",
 "os_compute_api:os-networks:view": "",
 "os_compute_api:os-tenant-networks": "",
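Review bot: Nothing in the hunk records why a read-only, system-scoped role is the right default for a listing that spans every project; the context line `description="List migrations"` is the only operator-facing text, and a reader of the generated policy sample sees just that next to the check string. A short comment above `policy.DocumentedRuleDefault(`, e.g. `# Migrations are a system-wide view, so the default is the system reader role rather than admin.`, would make the intent reviewable. The `DocumentedRuleDefault(` call continues past the hunk, so whether a `deprecated_rule` that keeps `base.RULE_ADMIN_API` reachable for existing deployments is defined further down cannot be seen here; the commit message's wording about the deprecation fallback suggests one exists, and the diffstat (1 insertion, 1 deletion for this file) shows it was not added by this commit.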
diff --git a/nova/tests/unit/policies/test_migrations.py b/nova/tests/unit/policies/test_migrations.py
index cfa893242e77..3738d107e2c3 100644
--- a/nova/tests/unit/policies/test_migrations.py
+++ b/nova/tests/unit/policies/test_migrations.py
@@ -33,13 +33,13 @@ class MigrationsPolicyTest(base.BasePolicyTest):
 self.req = fakes.HTTPRequest.blank('')
 # Check that admin is able to list migrations.
- self.admin_authorized_contexts = [
+ self.reader_authorized_contexts = [
 self.legacy_admin_context, self.system_admin_context,
- self.project_admin_context
+ self.project_admin_context, self.system_member_context,
+ self.system_reader_context
 ]
 # Check that non-admin is not able to list migrations.
- self.admin_unauthorized_contexts = [
- self.system_member_context, self.system_reader_context,
+ self.reader_unauthorized_contexts = [
 self.system_foo_context, self.project_member_context,
 self.project_reader_context, self.project_foo_context,
 self.other_project_member_context
@@ -48,8 +48,8 @@ class MigrationsPolicyTest(base.BasePolicyTest):
 @mock.patch('nova.compute.api.API.get_migrations')
 def test_list_migrations_policy(self, mock_migration):
 rule_name = migrations_policies.POLICY_ROOT % 'index'
- self.common_policy_check(self.admin_authorized_contexts,
- self.admin_unauthorized_contexts,
+ self.common_policy_check(self.reader_authorized_contexts,
+ self.reader_unauthorized_contexts,
 rule_name, self.controller.index, self.req)
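Review bot: The two comments `# Check that admin is able to list migrations.` and `# Check that non-admin is not able to list migrations.` survive as context while the lists under them are renamed to `reader_authorized_contexts`/`reader_unauthorized_contexts` and `system_member_context`/`system_reader_context` move into the authorized list, so the comments now misstate what the test asserts. Change them to `# Check that system reader is able to list migrations.` and `# Check that non system reader is not able to list migrations.`, the wording the scope-type test in the same file already uses. Separately, the commit message says tests were added that override the rules with a version that has no deprecated options, but the diffstat shows only 12 insertions and 12 deletions for this file and no new test class appears in its hunks, so that test class seems to be missing from this change. The setUp method continues before and after the hunk.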
@@ -69,13 +69,13 @@ class MigrationsScopeTypePolicyTest(MigrationsPolicyTest):
 super(MigrationsScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
- # Check that system admin is able to list migrations.
- self.admin_authorized_contexts = [
- self.system_admin_context]
- # Check that non system admin is not able to list migrations.
- self.admin_unauthorized_contexts = [
+ # Check that system reader is able to list migrations.
+ self.reader_authorized_contexts = [
+ self.system_admin_context, self.system_member_context,
+ self.system_reader_context]
+ # Check that non system reader is not able to list migrations.
+ self.reader_unauthorized_contexts = [
 self.legacy_admin_context, self.project_admin_context,
- self.system_member_context, self.system_reader_context,
 self.system_foo_context, self.project_member_context,
 self.project_reader_context, self.project_foo_context,
 self.other_project_member_context
diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py
index 83409c3c3515..9ccdfba8414d 100644
--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@@ -355,7 +355,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-simple-tenant-usage:list",
 "os_compute_api:os-availability-zone:detail",
 "os_compute_api:os-used-limits",
-"os_compute_api:os-migrations:index",
 "os_compute_api:os-assisted-volume-snapshots:create",
 "os_compute_api:os-assisted-volume-snapshots:delete",
 "os_compute_api:os-console-auth-tokens",
@@ -454,6 +453,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 )
 self.system_reader_rules = (
+"os_compute_api:os-migrations:index",
 "os_compute_api:os-services:list",
 "os_compute_api:os-instance-actions:events:details",
 "os_compute_api:os-instance-usage-audit-log:list",