From c8e65a5eb11515cfe70f8e6850b842cd594af6a5 Mon Sep 17 00:00:00 2001 From: Mohammed Naser Date: Wed, 19 Sep 2018 16:58:32 -0400 Subject: [PATCH] Default zero disk flavor to RULE_ADMIN_API in Stein The policy to allow booting instances without a volume when root_gb is set to 0 was to be set to default to admin-only in Stein. Depends-On: I537c299b0cd400982189f35b31df74755422737e Co-Authored-By: Matt Riedemann Related-Bug: #1739646 Change-Id: I247402b6c4ff8a7cb71ef247a218478194d68ff8 --- nova/policies/servers.py | 6 +----- nova/tests/unit/compute/test_compute.py | 7 +++++++ nova/tests/unit/test_policy.py | 2 +- ...ero-disk-flavor-to-admin-api-fd99e162812c2c7f.yaml | 11 +++++++++++ 4 files changed, 20 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/default-zero-disk-flavor-to-admin-api-fd99e162812c2c7f.yaml diff --git a/nova/policies/servers.py b/nova/policies/servers.py index 597f210c2a11..f02a6e75f1e5 100644 --- a/nova/policies/servers.py +++ b/nova/policies/servers.py @@ -154,8 +154,7 @@ rules = [ ]), policy.DocumentedRuleDefault( ZERO_DISK_FLAVOR, - # TODO(mriedem): Default to RULE_ADMIN_API in Stein. - RULE_AOO, + base.RULE_ADMIN_API, """ This rule controls the compute API validation behavior of creating a server with a flavor that has 0 disk, indicating the server should be volume-backed. @@ -170,9 +169,6 @@ if users can upload their own images since repeated attempts to create a disk=0 flavor instance with a large image can exhaust the local disk of the compute (or shared storage cluster). See bug https://bugs.launchpad.net/nova/+bug/1739646 for details. - -This rule defaults to ``rule:admin_or_owner`` for backward compatibility but -will be changed to default to ``rule:admin_api`` in a subsequent release. """, [ { diff --git a/nova/tests/unit/compute/test_compute.py b/nova/tests/unit/compute/test_compute.py index fb6051064dc3..8d95fac4405d 100644 --- a/nova/tests/unit/compute/test_compute.py +++ b/nova/tests/unit/compute/test_compute.py 
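Review bot: A policy file that already sets `os_compute_api:servers:create:zero_disk_flavor` to `rule:admin_or_owner` still overrides the new `base.RULE_ADMIN_API` default given for `ZERO_DISK_FLAVOR` in nova/policies/servers.py. On such deployments the local-disk exhaustion described in the rule text (bug 1739646) stays reachable by non-admin users. The following hunk deletes the paragraph about the default and puts nothing in its place, so I would add a sentence to the description such as `Relaxing this rule to rule:admin_or_owner lets non-admin users create image-backed servers with disk=0 flavors again.` The `DocumentedRuleDefault(...)` call starts and ends outside the hunk, so the rest of the description is not visible here.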
@@ -67,6 +67,7 @@ from nova.objects import block_device as block_device_obj from nova.objects import fields as obj_fields from nova.objects import instance as instance_obj from nova.objects import migrate_data as migrate_data_obj +from nova.policies import servers as servers_policy from nova import test from nova.tests import fixtures from nova.tests.unit.compute import eventlet_utils @@ -13290,6 +13291,9 @@ class CheckRequestedImageTestCase(test.TestCase): image, self.instance_type, None) def test_root_gb_zero_disables_size_check(self): + self.policy.set_rules({ + servers_policy.ZERO_DISK_FLAVOR: servers_policy.RULE_AOO + }, overwrite=False) self.instance_type['root_gb'] = 0 image = dict(id='123', status='active', size='1073741825') @@ -13297,6 +13301,9 @@ class CheckRequestedImageTestCase(test.TestCase): image, self.instance_type, None) def test_root_gb_zero_disables_min_disk(self): + self.policy.set_rules({ + servers_policy.ZERO_DISK_FLAVOR: servers_policy.RULE_AOO + }, overwrite=False) self.instance_type['root_gb'] = 0 image = dict(id='123', status='active', min_disk='2') diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py index 5ddf5d20343c..0c1588ec4e03 100644 --- a/nova/tests/unit/test_policy.py +++ b/nova/tests/unit/test_policy.py @@ -338,6 +338,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase): "os_compute_api:os-quota-class-sets:update", "os_compute_api:os-server-external-events:create", "os_compute_api:os-volumes-attachments:update", +"os_compute_api:servers:create:zero_disk_flavor", "os_compute_api:servers:migrations:index", "os_compute_api:servers:migrations:show", ) 
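Review bot: The new admin-only default has no visible test, because `test_root_gb_zero_disables_size_check` and `test_root_gb_zero_disables_min_disk` (the hunk at -13297 adds the same three lines) both set `ZERO_DISK_FLAVOR` back to `servers_policy.RULE_AOO` and so cover only the relaxed behaviour. A case that leaves the rule at its default and asserts that the image-backed disk=0 request is refused may already exist elsewhere in test_compute.py, which is not shown here. If it does not, adding one next to these two would keep the hardened default from regressing unnoticed. A one-line comment above each override, `# Relax the admin-only default so the size/min_disk bypass path is still exercised.`, would also explain why the test departs from the default. Both test methods continue past the end of their hunks.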
@@ -375,7 +376,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:servers:create:attach_network",
 "os_compute_api:servers:create:attach_volume",
 "os_compute_api:servers:create:trusted_certs",
-"os_compute_api:servers:create:zero_disk_flavor",
 "os_compute_api:servers:create_image",
 "os_compute_api:servers:delete",
 "os_compute_api:servers:detail",
diff --git a/releasenotes/notes/default-zero-disk-flavor-to-admin-api-fd99e162812c2c7f.yaml b/releasenotes/notes/default-zero-disk-flavor-to-admin-api-fd99e162812c2c7f.yaml
new file mode 100644
index 000000000000..e76921ecbba9
--- /dev/null
+++ b/releasenotes/notes/default-zero-disk-flavor-to-admin-api-fd99e162812c2c7f.yaml
@@ -0,0 +1,11 @@
+---
+upgrade:
+ - |
+ The defalut value for policy rule
+ ``os_compute_api:servers:create:zero_disk_flavor`` has changed from
+ ``rule:admin_or_owner`` to ``rule:admin_api`` which means that by default,
+ users without the admin role will not be allowed to create servers using
+ a flavor with ``disk=0`` *unless* they are creating a volume-backed server.
+ If you have these kinds of flavors, you may need to take action or
+ temporarily override the policy rule. Refer to
+ `bug 1739646 `_ for more details.