diff --git a/designate/common/policies/service_status.py b/designate/common/policies/service_status.py index b3462db47..a893cd495 100644 --- a/designate/common/policies/service_status.py +++ b/designate/common/policies/service_status.py @@ -13,36 +13,68 @@ # under the License. +from oslo_log import versionutils from oslo_policy import policy from designate.common.policies import base +DEPRECATED_REASON = """ +The service status API now supports system scope and default roles. +""" + +deprecated_find_service_status = policy.DeprecatedRule( + name="find_service_status", + check_str=base.RULE_ADMIN +) +deprecated_find_service_statuses = policy.DeprecatedRule( + name="find_service_statuses", + check_str=base.RULE_ADMIN +) +deprecated_update_service_status = policy.DeprecatedRule( + "update_service_status", + base.RULE_ADMIN +) + + rules = [ policy.DocumentedRuleDefault( name="find_service_status", - check_str=base.RULE_ADMIN, + check_str=base.SYSTEM_READER, + scope_types=['system'], description="Find a single Service Status", operations=[ { 'path': '/v2/service_status/{service_id}', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_find_service_status, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name="find_service_statuses", - check_str=base.RULE_ADMIN, + check_str=base.SYSTEM_READER, + scope_types=['system'], description="List service statuses.", operations=[ { 'path': '/v2/service_status', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_find_service_statuses, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.RuleDefault( - "update_service_status", - base.RULE_ADMIN) + name="update_service_status", + check_str=base.SYSTEM_ADMIN, + scope_types=['system'], + deprecated_rule=deprecated_update_service_status, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY + ) ]