[RBAC] Retain legacy admin behaviour

The cross project effort around establishing
secure default RBAC policies has transformed over
the last release reacting to operator feedback.
The intended change to use system scope breaks
established workflows and requires a large effort
to transition deployments:

- https://etherpad.opendev.org/p/BER-2022-OPS-SRBAC
- https://etherpad.opendev.org/p/rbac-operator-feedback

So for now, all services are going to revert to
only supporting project scoped users by default.
This allows a legacy admin behavior to continue
working as intended; and does not prevent operators
overriding these defaults and using system scoped
personas.

https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
Change-Id: I5d3c1041738214ec8382edfd5494c10ff0be351a
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>

manila/policies/availability_zone.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'availability_zone:%s'
 
 DEPRECATED_REASON = """
-The availability zone API now supports system scope and default roles.
+The availability zone API now supports scope and default roles.
 """
 
 deprecated_get_availability_zone = policy.DeprecatedRule(
@@ -33,9 +33,9 @@ deprecated_get_availability_zone = policy.DeprecatedRule(
 availability_zone_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description=("Get all storage availability zones."),
+        description="Get all storage availability zones.",
         operations=[
             {
                 'method': 'GET',

manila/policies/base.py

@@ -16,12 +16,39 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 
+
+# This check string is reserved for actions that require the highest level of
+# authorization across projects to operate the deployment. They're allowed to
+# create, read, update, or delete any system-wide resource such as
+# share types, share group types, storage pools, etc. They can also operate on
+# project-specific resources where applicable (e.g., cleaning up shares or
+# snapshots).
+ADMIN = 'rule:context_is_admin'
+
+# This check string is the primary use case for typical end-users, who are
+# working with resources that belong within a project (e.g., managing shares or
+# share replicas). These users don't require all the authorization that
+# administrators typically have.
+PROJECT_MEMBER = 'rule:project-member'
+
+# This check string should only be used to protect read-only project-specific
+# resources. It should not be used to protect APIs that make writable changes
+# (e.g., updating a share or snapshot). This persona is useful for someone who
+# needs access for auditing or even support.
+PROJECT_READER = 'rule:project-reader'
+
+ADMIN_OR_PROJECT_MEMBER = f'({ADMIN}) or ({PROJECT_MEMBER})'
+ADMIN_OR_PROJECT_READER = f'({ADMIN}) or ({PROJECT_READER})'
+
+# Old, "unscoped", deprecated check strings to be removed. Do not use these
+# in default RBAC any longer. These can be removed after "enforce_scope"
+# defaults to True in oslo.policy
 RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
 RULE_ADMIN_API = 'rule:admin_api'
 RULE_DEFAULT = 'rule:default'
 
 deprecation_msg = ("The `context_is_admin` check is superseded by more "
-                   "specific check strings that consume system and project "
+                   "specific check strings that consume project "
                    "scope attributes from keystone tokens.")
 DEPRECATED_CONTEXT_IS_ADMIN = policy.DeprecatedRule(
     name='context_is_admin',
@@ -30,76 +57,8 @@ DEPRECATED_CONTEXT_IS_ADMIN = policy.DeprecatedRule(
     deprecated_since=versionutils.deprecated.WALLABY
 )
 
-# Generic policy check string for system administrators. These are the people
-# who need the highest level of authorization to operate the deployment.
-# They're allowed to create, read, update, or delete any system-specific
-# resource. They can also operate on project-specific resources where
-# applicable (e.g., cleaning up shares or snapshots).
-SYSTEM_ADMIN = 'rule:system-admin'
-
-# Generic policy check string for system users who don't require all the
-# authorization that system administrators typically have. This persona, or
-# check string, typically isn't used by default, but it's existence it useful
-# in the event a deployment wants to offload some administrative action from
-# system administrator to system members.
-SYSTEM_MEMBER = 'rule:system-member'
-
-# Generic policy check string for read-only access to system-level resources.
-# This persona is useful for someone who needs access for auditing or even
-# support. These uses are also able to view project-specific resources where
-# applicable (e.g., listing all shares in the deployment, regardless of the
-# project they belong to).
-SYSTEM_READER = 'rule:system-reader'
-
-# This check string is reserved for actions that require the highest level of
-# authorization on a project or resources within the project (e.g., resyncing a
-# share replica).
-PROJECT_ADMIN = 'rule:project-admin'
-
-# This check string is the primary use case for typical end-users, who are
-# working with resources that belong to a project (e.g., managing shares or
-# share replicas).
-PROJECT_MEMBER = 'rule:project-member'
-
-# This check string should only be used to protect read-only project-specific
-# resources. It should not be used to protect APIs that make writable changes
-# (e.g., updating a share or snapshot).
-PROJECT_READER = 'rule:project-reader'
-
-# The following are common composite check strings that are useful for
-# protecting APIs designed to operate with multiple scopes (e.g., a system
-# administrator should be able to delete any share in the deployment, a
-# project member should only be able to delete shares in their project).
-SYSTEM_ADMIN_OR_PROJECT_ADMIN = (
-    '(' + SYSTEM_ADMIN + ') or (' + PROJECT_ADMIN + ')'
-)
-SYSTEM_ADMIN_OR_PROJECT_MEMBER = (
-    '(' + SYSTEM_ADMIN + ') or (' + PROJECT_MEMBER + ')'
-)
-SYSTEM_OR_PROJECT_READER = (
-    '(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')'
-)
-
 rules = [
     # ***Default OpenStack scoped personas*** #
-    policy.RuleDefault(
-        name='system-admin',
-        check_str='role:admin and '
-                  'system_scope:all',
-        description='System scoped Administrator',
-        scope_types=['system']),
-    policy.RuleDefault(
-        name='system-member',
-        check_str='role:member and '
-                  'system_scope:all',
-        description='System scoped Member',
-        scope_types=['system']),
-    policy.RuleDefault(
-        name='system-reader',
-        check_str='role:reader and '
-                  'system_scope:all',
-        description='System scoped Reader',
-        scope_types=['system']),
     policy.RuleDefault(
         name='project-admin',
         check_str='role:admin and '
@@ -122,10 +81,10 @@ rules = [
     # ***Special personas for Manila*** #
     policy.RuleDefault(
         name='context_is_admin',
-        check_str='rule:system-admin',
+        check_str='role:admin',
         description='Privileged users checked via "context.is_admin"',
         deprecated_rule=DEPRECATED_CONTEXT_IS_ADMIN,
-        scope_types=['system']),
+        scope_types=['project']),
 
     # ***Legacy/deprecated unscoped rules*** #
     # can be removed after "enforce_scope" defaults to True in oslo.policy

manila/policies/message.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'message:%s'
 
 DEPRECATED_REASON = """
-The messages API now supports system scope and default roles.
+The messages API now supports scope and default roles.
 """
 
 deprecated_message_get = policy.DeprecatedRule(
@@ -45,8 +45,8 @@ deprecated_message_delete = policy.DeprecatedRule(
 message_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get details of a given message.",
         operations=[
             {
@@ -58,8 +58,8 @@ message_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get_all',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get all messages.",
         operations=[
             {
@@ -75,8 +75,8 @@ message_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Delete a message.",
         operations=[
             {

manila/policies/quota_class_set.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'quota_class_set:%s'
 
 DEPRECATED_REASON = """
-The quota class API now supports system scope and default roles.
+The quota class API now supports scope and default roles.
 """
 
 deprecated_quota_class_update = policy.DeprecatedRule(
@@ -39,8 +39,8 @@ deprecated_quota_class_show = policy.DeprecatedRule(
 quota_class_set_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Update quota class.",
         operations=[
             {
@@ -56,8 +56,8 @@ quota_class_set_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get quota class.",
         operations=[
             {

manila/policies/quota_set.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'quota_set:%s'
 
 DEPRECATED_REASON = """
-The quota API now supports system scope and default roles.
+The quota API now supports scope and default roles.
 """
 
 deprecated_quota_update = policy.DeprecatedRule(
@@ -45,78 +45,78 @@ deprecated_quota_delete = policy.DeprecatedRule(
 quota_set_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description=("Update the quotas for a project/user and/or share "
                      "type."),
         operations=[
             {
                 'method': 'PUT',
-                'path': '/quota-sets/{tenant_id}'
+                'path': '/quota-sets/{project_id}'
             },
             {
                 'method': 'PUT',
-                'path': '/quota-sets/{tenant_id}?user_id={user_id}'
+                'path': '/quota-sets/{project_id}?user_id={user_id}'
             },
             {
                 'method': 'PUT',
-                'path': '/quota-sets/{tenant_id}?share_type={share_type_id}'
+                'path': '/quota-sets/{project_id}?share_type={share_type_id}'
             },
             {
                 'method': 'PUT',
-                'path': '/os-quota-sets/{tenant_id}'
+                'path': '/os-quota-sets/{project_id}'
             },
             {
                 'method': 'PUT',
-                'path': '/os-quota-sets/{tenant_id}?user_id={user_id}'
+                'path': '/os-quota-sets/{project_id}?user_id={user_id}'
             },
         ],
         deprecated_rule=deprecated_quota_update
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description="List the quotas for a tenant/user.",
+        description="List the quotas for a project/user.",
         operations=[
             {
                 'method': 'GET',
-                'path': '/quota-sets/{tenant_id}/defaults'
+                'path': '/quota-sets/{project_id}/defaults'
             },
             {
                 'method': 'GET',
-                'path': '/os-quota-sets/{tenant_id}/defaults'
+                'path': '/os-quota-sets/{project_id}/defaults'
             }
         ],
         deprecated_rule=deprecated_quota_show
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
-        description=("Delete quota for a tenant/user or "
+        description=("Delete quota for a project/user or "
-                     "tenant/share-type. The quota will revert back to "
+                     "project/share-type. The quota will revert back to "
                      "default (Admin only)."),
         operations=[
             {
                 'method': 'DELETE',
-                'path': '/quota-sets/{tenant_id}'
+                'path': '/quota-sets/{project_id}'
             },
             {
                 'method': 'DELETE',
-                'path': '/quota-sets/{tenant_id}?user_id={user_id}'
+                'path': '/quota-sets/{project_id}?user_id={user_id}'
             },
             {
                 'method': 'DELETE',
-                'path': '/quota-sets/{tenant_id}?share_type={share_type_id}'
+                'path': '/quota-sets/{project_id}?share_type={share_type_id}'
             },
             {
                 'method': 'DELETE',
-                'path': '/os-quota-sets/{tenant_id}'
+                'path': '/os-quota-sets/{project_id}'
             },
             {
                 'method': 'DELETE',
-                'path': '/os-quota-sets/{tenant_id}?user_id={user_id}'
+                'path': '/os-quota-sets/{project_id}?user_id={user_id}'
             },
         ],
         deprecated_rule=deprecated_quota_delete

manila/policies/scheduler_stats.py

@@ -39,15 +39,11 @@ deprecated_pool_detail = policy.DeprecatedRule(
 scheduler_stats_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get information regarding backends "
                     "(and storage pools) known to the scheduler.",
         operations=[
-            {
-                'method': 'GET',
-                'path': '/scheduler-stats/pools'
-            },
             {
                 'method': 'GET',
                 'path': '/scheduler-stats/pools?{query}'
@@ -57,8 +53,8 @@ scheduler_stats_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'detail',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get detailed information regarding backends "
                     "(and storage pools) known to the scheduler.",
         operations=[
@@ -66,10 +62,6 @@ scheduler_stats_policies = [
                 'method': 'GET',
                 'path': '/scheduler-stats/pools/detail?{query}'
             },
-            {
-                'method': 'GET',
-                'path': '/scheduler-stats/pools/detail'
-            }
         ],
         deprecated_rule=deprecated_pool_detail
     ),

manila/policies/security_service.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'security_service:%s'
 
 DEPRECATED_REASON = """
-The security service API now supports system scope and default roles.
+The security service API now supports scope and default roles.
 """
 
 deprecated_security_service_create = policy.DeprecatedRule(
@@ -69,8 +69,8 @@ deprecated_security_service_get_all = policy.DeprecatedRule(
 security_service_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Create security service.",
         operations=[
             {
@@ -82,8 +82,8 @@ security_service_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get details of a security service.",
         operations=[
             {
@@ -95,31 +95,23 @@ security_service_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'detail',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get details of all security services.",
         operations=[
             {
                 'method': 'GET',
                 'path': '/security-services/detail?{query}'
             },
-            {
-                'method': 'GET',
-                'path': '/security-services/detail'
-            }
         ],
         deprecated_rule=deprecated_security_service_detail
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description="Get all security services.",
+        description="Get all security services under a project.",
         operations=[
-            {
-                'method': 'GET',
-                'path': '/security-services'
-            },
             {
                 'method': 'GET',
                 'path': '/security-services?{query}'
@@ -129,8 +121,8 @@ security_service_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Update a security service.",
         operations=[
             {
@@ -142,8 +134,8 @@ security_service_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Delete a security service.",
         operations=[
             {
@@ -155,8 +147,8 @@ security_service_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get_all_security_services',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get security services of all projects.",
         operations=[
             {

manila/policies/service.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'service:%s'
 
 DEPRECATED_REASON = """
-The service API now supports system scope and default roles.
+The service API now supports scope and default roles.
 """
 
 deprecated_service_index = policy.DeprecatedRule(
@@ -39,22 +39,14 @@ deprecated_service_update = policy.DeprecatedRule(
 service_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Return a list of all running services.",
         operations=[
-            {
-                'method': 'GET',
-                'path': '/os-services',
-            },
             {
                 'method': 'GET',
                 'path': '/os-services?{query}',
             },
-            {
-                'method': 'GET',
-                'path': '/services',
-            },
             {
                 'method': 'GET',
                 'path': '/services?{query}',
@@ -64,8 +56,8 @@ service_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Enable/Disable scheduling for a service.",
         operations=[
             {

manila/policies/share_access.py

@@ -22,7 +22,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_access_rule:%s'
 
 DEPRECATED_REASON = """
-The share access rule API now supports system scope and default roles.
+The share access rule API now supports scope and default roles.
 """
 
 deprecated_access_rule_get = policy.DeprecatedRule(
@@ -42,8 +42,8 @@ deprecated_access_rule_index = policy.DeprecatedRule(
 share_access_rule_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get details of a share access rule.",
         operations=[
             {
@@ -55,8 +55,8 @@ share_access_rule_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="List access rules of a given share.",
         operations=[
             {

manila/policies/share_access_metadata.py

@@ -42,8 +42,8 @@ deprecated_access_metadata_delete = policy.DeprecatedRule(
 share_access_rule_metadata_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Set metadata for a share access rule.",
         operations=[
             {
@@ -55,8 +55,8 @@ share_access_rule_metadata_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Delete metadata for a share access rule.",
         operations=[
             {

manila/policies/share_export_location.py

@@ -39,8 +39,8 @@ deprecated_export_location_show = policy.DeprecatedRule(
 share_export_location_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get all export locations of a given share.",
         operations=[
             {
@@ -52,8 +52,8 @@ share_export_location_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get details about the requested export location.",
         operations=[
             {

manila/policies/share_group.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_group:%s'
 
 DEPRECATED_REASON = """
-The share group API now supports system scope and default roles.
+The share group API now supports scope and default roles.
 """
 
 deprecated_share_group_create = policy.DeprecatedRule(
@@ -69,8 +69,8 @@ deprecated_share_group_reset_status = policy.DeprecatedRule(
 share_group_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Create share group.",
         operations=[
             {
@@ -82,8 +82,8 @@ share_group_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get details of a share group.",
         operations=[
             {
@@ -95,18 +95,10 @@ share_group_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get_all',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get all share groups.",
         operations=[
-            {
-                'method': 'GET',
-                'path': '/share-groups'
-            },
-            {
-                'method': 'GET',
-                'path': '/share-groups/detail'
-            },
             {
                 'method': 'GET',
                 'path': '/share-groups?{query}'
@@ -120,8 +112,8 @@ share_group_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Update share group.",
         operations=[
             {
@@ -133,8 +125,8 @@ share_group_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Delete share group.",
         operations=[
             {
@@ -146,8 +138,8 @@ share_group_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'force_delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Force delete a share group.",
         operations=[
             {
@@ -159,8 +151,8 @@ share_group_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'reset_status',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Reset share group's status.",
         operations=[
             {

manila/policies/share_group_snapshot.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_group_snapshot:%s'
 
 DEPRECATED_REASON = """
-The share group snapshots API now supports system scope and default roles.
+The share group snapshots API now supports scope and default roles.
 """
 
 deprecated_group_snapshot_create = policy.DeprecatedRule(
@@ -69,8 +69,8 @@ deprecated_group_snapshot_reset_status = policy.DeprecatedRule(
 share_group_snapshot_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Create a new share group snapshot.",
         operations=[
             {
@@ -82,8 +82,8 @@ share_group_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get details of a share group snapshot.",
         operations=[
             {
@@ -95,21 +95,13 @@ share_group_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get_all',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get all share group snapshots.",
         operations=[
             {
                 'method': 'GET',
-                'path': '/share-group-snapshots'
+                'path': '/share-group-snapshots?{query}'
-            },
-            {
-                'method': 'GET',
-                'path': '/share-group-snapshots/detail'
-            },
-            {
-                'method': 'GET',
-                'path': '/share-group-snapshots/{query}'
             },
             {
                 'method': 'GET',
@@ -120,8 +112,8 @@ share_group_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Update a share group snapshot.",
         operations=[
             {
@@ -133,8 +125,8 @@ share_group_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Delete a share group snapshot.",
         operations=[
             {
@@ -146,8 +138,8 @@ share_group_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'force_delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Force delete a share group snapshot.",
         operations=[
             {
@@ -160,8 +152,8 @@ share_group_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'reset_status',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Reset a share group snapshot's status.",
         operations=[
             {

manila/policies/share_group_type.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_group_type:%s'
 
 DEPRECATED_REASON = """
-The share group type API now supports system scope and default roles.
+The share group type API now supports scope and default roles.
 """
 
 deprecated_share_group_type_create = policy.DeprecatedRule(
@@ -75,8 +75,8 @@ deprecated_share_group_type_remove_project = policy.DeprecatedRule(
 share_group_type_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Create a new share group type.",
         operations=[
             {
@@ -88,14 +88,10 @@ share_group_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get the list of share group types.",
         operations=[
-            {
-                'method': 'GET',
-                'path': '/share-group-types',
-            },
             {
                 'method': 'GET',
                 'path': '/share-group-types?is_public=all',
@@ -105,8 +101,8 @@ share_group_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get details regarding the specified share group type.",
         operations=[
             {
@@ -118,8 +114,8 @@ share_group_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'default',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get the default share group type.",
         operations=[
             {
@@ -131,8 +127,8 @@ share_group_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Delete an existing group type.",
         operations=[
             {
@@ -144,8 +140,8 @@ share_group_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'list_project_access',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get project access by share group type.",
         operations=[
             {
@@ -157,8 +153,8 @@ share_group_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'add_project_access',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Allow project to use the share group type.",
         operations=[
             {
@@ -170,8 +166,8 @@ share_group_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'remove_project_access',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Deny project access to use the share group type.",
         operations=[
             {

manila/policies/share_group_types_spec.py

@@ -57,8 +57,8 @@ deprecated_group_type_spec_delete = policy.DeprecatedRule(
 share_group_types_spec_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Create share group type specs.",
         operations=[
             {
@@ -70,8 +70,8 @@ share_group_types_spec_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get share group type specs.",
         operations=[
             {
@@ -83,8 +83,8 @@ share_group_types_spec_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get details of a share group type spec.",
         operations=[
             {
@@ -97,8 +97,8 @@ share_group_types_spec_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Update a share group type spec.",
         operations=[
             {
@@ -111,8 +111,8 @@ share_group_types_spec_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Delete a share group type spec.",
         operations=[
             {

manila/policies/share_instance.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_instance:%s'
 
 DEPRECATED_REASON = """
-The share instances API now supports system scope and default roles.
+The share instances API now supports scope and default roles.
 """
 
 deprecated_share_instances_index = policy.DeprecatedRule(
@@ -51,8 +51,8 @@ deprecated_share_instance_reset_status = policy.DeprecatedRule(
 shares_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get all share instances.",
         operations=[
             {
@@ -68,8 +68,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get details of a share instance.",
         operations=[
             {
@@ -81,8 +81,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'force_delete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Force delete a share instance.",
         operations=[
             {
@@ -94,8 +94,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'reset_status',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Reset share instance's status.",
         operations=[
             {

manila/policies/share_instance_export_location.py

@@ -22,8 +22,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_instance_export_location:%s'
 
 DEPRECATED_REASON = """
-The share instance export location API now supports system scope and default
+The share instance export location API now supports scope and default roles.
-roles.
 """
 
 deprecated_instance_export_location_index = policy.DeprecatedRule(
@@ -43,8 +42,8 @@ deprecated_instance_export_location_show = policy.DeprecatedRule(
 share_export_location_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description='Return data about the requested export location.',
         operations=[
             {
@@ -57,8 +56,8 @@ share_export_location_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description='Return data about the requested export location.',
         operations=[
             {

manila/policies/share_network.py

@@ -110,8 +110,8 @@ deprecated_share_network_subnet_create_check = policy.DeprecatedRule(
 share_network_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Create share network.",
         operations=[
             {
@@ -123,8 +123,8 @@ share_network_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get details of a share network.",
         operations=[
             {
@@ -136,14 +136,10 @@ share_network_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description="Get all share networks.",
+        description="Get all share networks under a project.",
         operations=[
-            {
-                'method': 'GET',
-                'path': '/share-networks'
-            },
             {
                 'method': 'GET',
                 'path': '/share-networks?{query}'
@@ -153,25 +149,21 @@ share_network_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'detail',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description="Get details of share networks .",
+        description="Get details of share networks under a project.",
         operations=[
             {
                 'method': 'GET',
                 'path': '/share-networks/detail?{query}'
             },
-            {
-                'method': 'GET',
-                'path': '/share-networks/detail'
-            },
         ],
         deprecated_rule=deprecated_share_network_detail
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Update a share network.",
         operations=[
             {
@@ -183,8 +175,8 @@ share_network_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Delete a share network.",
         operations=[
             {
@@ -196,8 +188,8 @@ share_network_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'add_security_service',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Add security service to share network.",
         operations=[
             {
@@ -209,8 +201,8 @@ share_network_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'add_security_service_check',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Check the feasibility of add security service to a share "
                     "network.",
         operations=[
@@ -223,8 +215,8 @@ share_network_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'remove_security_service',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Remove security service from share network.",
         operations=[
             {
@@ -236,8 +228,8 @@ share_network_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update_security_service',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Update security service from share network.",
         operations=[
             {
@@ -249,8 +241,8 @@ share_network_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update_security_service_check',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Check the feasibility of update a security service from "
                     "share network.",
         operations=[
@@ -263,8 +255,8 @@ share_network_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'reset_status',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Reset share network`s status.",
         operations=[
             {
@@ -276,8 +268,8 @@ share_network_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get_all_share_networks',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get share networks belonging to all projects.",
         operations=[
             {
@@ -293,8 +285,8 @@ share_network_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'subnet_create_check',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Check the feasibility of create a new share network "
                     "subnet for share network.",
         operations=[

manila/policies/share_network_subnet.py

@@ -21,7 +21,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_network_subnet:%s'
 
 DEPRECATED_REASON = """
-The share network subnet API now supports system scope and default roles.
+The share network subnet API now supports scope and default roles.
 """
 
 deprecated_subnet_create = policy.DeprecatedRule(
@@ -53,8 +53,8 @@ deprecated_subnet_index = policy.DeprecatedRule(
 share_network_subnet_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Create a new share network subnet.",
         operations=[
             {
@@ -66,8 +66,8 @@ share_network_subnet_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Delete a share network subnet.",
         operations=[
             {
@@ -80,8 +80,8 @@ share_network_subnet_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Shows a share network subnet.",
         operations=[
             {
@@ -94,8 +94,8 @@ share_network_subnet_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get all share network subnets.",
         operations=[
             {

manila/policies/share_replica.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_replica:%s'
 
 DEPRECATED_REASON = """
-The share replica API now supports system scope and default roles.
+The share replica API now supports scope and default roles.
 """
 
 deprecated_replica_create = policy.DeprecatedRule(
@@ -81,8 +81,8 @@ deprecated_replica_reset_status = policy.DeprecatedRule(
 share_replica_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Create share replica.",
         operations=[
             {
@@ -94,8 +94,8 @@ share_replica_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get_all',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get all share replicas.",
         operations=[
             {
@@ -115,8 +115,8 @@ share_replica_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get details of a share replica.",
         operations=[
             {
@@ -128,8 +128,8 @@ share_replica_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Delete a share replica.",
         operations=[
             {
@@ -141,8 +141,8 @@ share_replica_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'force_delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Force delete a share replica.",
         operations=[
             {
@@ -154,8 +154,8 @@ share_replica_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'promote',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Promote a non-active share replica to active.",
         operations=[
             {
@@ -167,8 +167,8 @@ share_replica_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'resync',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Resync a share replica that is out of sync.",
         operations=[
             {
@@ -180,8 +180,8 @@ share_replica_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'reset_replica_state',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Reset share replica's replica_state attribute.",
         operations=[
             {
@@ -193,8 +193,8 @@ share_replica_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'reset_status',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Reset share replica's status.",
         operations=[
             {

manila/policies/share_replica_export_location.py

@@ -19,8 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_replica_export_location:%s'
 
 DEPRECATED_REASON = """
-The share replica export location API now supports system scope and default
+The share replica export location API now supports scope and default roles.
-roles.
 """
 
 deprecated_replica_location_index = policy.DeprecatedRule(
@@ -40,8 +39,8 @@ deprecated_replica_location_show = policy.DeprecatedRule(
 share_replica_export_location_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get all export locations of a given share replica.",
         operations=[
             {
@@ -53,8 +52,8 @@ share_replica_export_location_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get details about the requested share replica export "
                     "location.",
         operations=[

manila/policies/share_server.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_server:%s'
 
 DEPRECATED_REASON = """
-The share server API now supports system scope and default roles.
+The share server API now supports scope and default roles.
 """
 
 deprecated_server_index = policy.DeprecatedRule(
@@ -105,14 +105,10 @@ deprecated_server_reset_task_state = policy.DeprecatedRule(
 share_server_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get share servers.",
         operations=[
-            {
-                'method': 'GET',
-                'path': '/share-servers',
-            },
             {
                 'method': 'GET',
                 'path': '/share-servers?{query}',
@@ -122,8 +118,8 @@ share_server_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Show share server.",
         operations=[
             {
@@ -135,8 +131,8 @@ share_server_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'details',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get share server details.",
         operations=[
             {
@@ -148,8 +144,8 @@ share_server_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Delete share server.",
         operations=[
             {
@@ -161,8 +157,8 @@ share_server_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'manage_share_server',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Manage share server.",
         operations=[
             {
@@ -174,8 +170,8 @@ share_server_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'unmanage_share_server',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Unmanage share server.",
         operations=[
             {
@@ -187,8 +183,8 @@ share_server_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'reset_status',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Reset the status of a share server.",
         operations=[
             {
@@ -200,8 +196,8 @@ share_server_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'share_server_migration_start',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Migrates a share server to the specified host.",
         operations=[
             {
@@ -213,8 +209,8 @@ share_server_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'share_server_migration_check',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Check if can migrates a share server to the specified "
                     "host.",
         operations=[
@@ -227,8 +223,8 @@ share_server_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'share_server_migration_complete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Invokes the 2nd phase of share server migration.",
         operations=[
             {
@@ -240,8 +236,8 @@ share_server_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'share_server_migration_cancel',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Attempts to cancel share server migration.",
         operations=[
             {
@@ -253,8 +249,8 @@ share_server_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'share_server_migration_get_progress',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description=("Retrieves the share server migration progress for a "
                      "given share server."),
         operations=[
@@ -267,9 +263,9 @@ share_server_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'share_server_reset_task_state',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
-        description=("Resets task state."),
+        description="Resets task state.",
         operations=[
             {
                 'method': 'POST',

manila/policies/share_snapshot.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_snapshot:%s'
 
 DEPRECATED_REASON = """
-The share snapshot API now supports system scope and default roles.
+The share snapshot API now supports scope and default roles.
 """
 
 deprecated_snapshot_get = policy.DeprecatedRule(
@@ -99,8 +99,8 @@ deprecated_get_snapshot_metadata = policy.DeprecatedRule(
 share_snapshot_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get_snapshot',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get share snapshot.",
         operations=[
             {
@@ -112,18 +112,10 @@ share_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get_all_snapshots',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get all share snapshots.",
         operations=[
-            {
-                'method': 'GET',
-                'path': '/snapshots'
-            },
-            {
-                'method': 'GET',
-                'path': '/snapshots/detail'
-            },
             {
                 'method': 'GET',
                 'path': '/snapshots?{query}'
@@ -137,8 +129,8 @@ share_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'force_delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Force Delete a share snapshot.",
         operations=[
             {
@@ -150,8 +142,8 @@ share_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'manage_snapshot',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Manage share snapshot.",
         operations=[
             {
@@ -163,8 +155,8 @@ share_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'unmanage_snapshot',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Unmanage share snapshot.",
         operations=[
             {
@@ -176,8 +168,8 @@ share_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'reset_status',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Reset status.",
         operations=[
             {
@@ -189,8 +181,8 @@ share_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'access_list',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="List access rules of a share snapshot.",
         operations=[
             {
@@ -202,8 +194,8 @@ share_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'allow_access',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Allow access to a share snapshot.",
         operations=[
             {
@@ -215,8 +207,8 @@ share_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'deny_access',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Deny access to a share snapshot.",
         operations=[
             {
@@ -228,8 +220,8 @@ share_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update_metadata',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Update snapshot metadata.",
         operations=[
             {
@@ -249,8 +241,8 @@ share_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete_metadata',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Delete snapshot metadata.",
         operations=[
             {
@@ -262,8 +254,8 @@ share_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get_metadata',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get snapshot metadata.",
         operations=[
             {

manila/policies/share_snapshot_export_location.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_snapshot_export_location:%s'
 
 DEPRECATED_REASON = """
-The share snapshot location API now supports system scope and default roles.
+The share snapshot location API now supports scope and default roles.
 """
 
 deprecated_snapshot_location_index = policy.DeprecatedRule(
@@ -39,8 +39,8 @@ deprecated_snapshot_location_show = policy.DeprecatedRule(
 share_snapshot_export_location_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="List export locations of a share snapshot.",
         operations=[
             {
@@ -52,8 +52,8 @@ share_snapshot_export_location_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get details of a specified export location of a "
                     "share snapshot.",
         operations=[

manila/policies/share_snapshot_instance.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_snapshot_instance:%s'
 
 DEPRECATED_REASON = """
-The share snapshot instance API now supports system scope and default roles.
+The share snapshot instance API now supports scope and default roles.
 """
 
 deprecated_snapshot_instance_show = policy.DeprecatedRule(
@@ -51,8 +51,8 @@ deprecated_snapshot_instance_reset_status = policy.DeprecatedRule(
 share_snapshot_instance_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get share snapshot instance.",
         operations=[
             {
@@ -64,14 +64,10 @@ share_snapshot_instance_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get all share snapshot instances.",
         operations=[
-            {
-                'method': 'GET',
-                'path': '/snapshot-instances',
-            },
             {
                 'method': 'GET',
                 'path': '/snapshot-instances?{query}',
@@ -81,14 +77,10 @@ share_snapshot_instance_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'detail',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get details of share snapshot instances.",
         operations=[
-            {
-                'method': 'GET',
-                'path': '/snapshot-instances/detail',
-            },
             {
                 'method': 'GET',
                 'path': '/snapshot-instances/detail?{query}',
@@ -98,8 +90,8 @@ share_snapshot_instance_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'reset_status',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Reset share snapshot instance's status.",
         operations=[
             {

manila/policies/share_snapshot_instance_export_location.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_snapshot_instance_export_location:%s'
 
 DEPRECATED_REASON = """
-The share snapshot instance export location API now supports system scope and
+The share snapshot instance export location API now supports scope and
 default roles.
 """
 
@@ -40,8 +40,8 @@ deprecated_snapshot_instance_show = policy.DeprecatedRule(
 share_snapshot_instance_export_location_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="List export locations of a share snapshot instance.",
         operations=[
             {
@@ -54,8 +54,8 @@ share_snapshot_instance_export_location_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Show details of a specified export location of a share "
                     "snapshot instance.",
         operations=[

manila/policies/share_type.py

@@ -22,7 +22,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_type:%s'
 
 DEPRECATED_REASON = """
-The share type API now supports system scope and default roles.
+The share type API now supports scope and default roles.
 """
 
 deprecated_share_type_create = policy.DeprecatedRule(
@@ -84,8 +84,8 @@ deprecated_share_type_remove_project_access = policy.DeprecatedRule(
 share_type_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description='Create share type.',
         operations=[
             {
@@ -97,8 +97,8 @@ share_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description='Update share type.',
         operations=[
             {
@@ -110,8 +110,8 @@ share_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Get share type.',
         operations=[
             {
@@ -123,14 +123,10 @@ share_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='List share types.',
         operations=[
-            {
-                'method': 'GET',
-                'path': '/types',
-            },
             {
                 'method': 'GET',
                 'path': '/types?is_public=all',
@@ -140,8 +136,8 @@ share_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'default',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Get default share type.',
         operations=[
             {
@@ -153,8 +149,8 @@ share_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description='Delete share type.',
         operations=[
             {
@@ -166,8 +162,8 @@ share_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'list_project_access',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description='List share type project access.',
         operations=[
             {
@@ -179,8 +175,8 @@ share_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'add_project_access',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description='Add share type to project.',
         operations=[
             {
@@ -192,8 +188,8 @@ share_type_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'remove_project_access',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description='Remove share type from project.',
         operations=[
             {

manila/policies/share_types_extra_spec.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_types_extra_spec:%s'
 
 DEPRECATED_REASON = """
-The share types extra specs API now supports system scope and default roles.
+The share types extra specs API now supports scope and default roles.
 """
 
 deprecated_extra_spec_create = policy.DeprecatedRule(
@@ -57,8 +57,8 @@ deprecated_extra_spec_delete = policy.DeprecatedRule(
 share_types_extra_spec_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Create share type extra spec.",
         operations=[
             {
@@ -70,8 +70,8 @@ share_types_extra_spec_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get share type extra specs of a given share type.",
         operations=[
             {
@@ -83,8 +83,8 @@ share_types_extra_spec_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Get details of a share type extra spec.",
         operations=[
             {
@@ -96,8 +96,8 @@ share_types_extra_spec_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Update share type extra spec.",
         operations=[
             {
@@ -109,8 +109,8 @@ share_types_extra_spec_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Delete share type extra spec.",
         operations=[
             {

manila/policies/shares.py

@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share:%s'
 
 DEPRECATED_REASON = """
-The share API now supports system scope and default roles.
+The share API now supports scope and default roles.
 """
 
 # Deprecated share policies
@@ -222,8 +222,8 @@ deprecated_update_admin_only_metadata = policy.DeprecatedRule(
 shares_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Create share.",
         operations=[
             {
@@ -235,8 +235,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create_public_share',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Create shares visible across all projects in the cloud.",
         operations=[
             {
@@ -248,8 +248,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get share.",
         operations=[
             {
@@ -261,52 +261,52 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get_all',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="List shares.",
         operations=[
             {
                 'method': 'GET',
-                'path': '/shares',
+                'path': '/shares?{query}',
             },
             {
                 'method': 'GET',
-                'path': '/shares/detail',
+                'path': '/shares/detail?{query}',
             }
         ],
         deprecated_rule=deprecated_share_get_all
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description="Update share.",
+        description="Update a share.",
         operations=[
             {
                 'method': 'PUT',
-                'path': '/shares',
+                'path': '/shares/{share_id}',
             }
         ],
         deprecated_rule=deprecated_share_update
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'set_public_share',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
-        description="Update shares to be visible across all projects in the "
+        description="Update a share to be visible across all projects in the "
                     "cloud.",
         operations=[
             {
                 'method': 'PUT',
-                'path': '/shares',
+                'path': '/shares/{share_id}',
             }
         ],
         deprecated_rule=deprecated_share_set_public
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Delete share.",
         operations=[
             {
@@ -318,8 +318,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'soft_delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Soft Delete a share.",
         operations=[
             {
@@ -330,8 +330,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'restore',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Restore a share.",
         operations=[
             {
@@ -342,8 +342,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'force_delete',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Force Delete a share.",
         operations=[
             {
@@ -355,8 +355,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'manage',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Manage share.",
         operations=[
             {
@@ -368,8 +368,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'unmanage',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Unmanage share.",
         operations=[
             {
@@ -381,43 +381,43 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'list_by_host',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="List share by host.",
         operations=[
             {
                 'method': 'GET',
-                'path': '/shares',
+                'path': '/shares?host={host}',
             },
             {
                 'method': 'GET',
-                'path': '/shares/detail',
+                'path': '/shares/detail?host={host}',
             }
         ],
         deprecated_rule=deprecated_share_list_by_host
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'list_by_share_server_id',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="List share by server id.",
         operations=[
             {
                 'method': 'GET',
-                'path': '/shares'
+                'path': '/shares?share_server_id={share_server_id}'
             },
             {
                 'method': 'GET',
-                'path': '/shares/detail',
+                'path': '/shares/detail?share_server_id={share_server_id}',
             }
         ],
         deprecated_rule=deprecated_share_list_by_server_id
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'access_get',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description="Get share access rule, it under deny access operation.",
+        description="Get share access rule (deprecated in API version 2.45).",
         operations=[
             {
                 'method': 'POST',
@@ -428,9 +428,10 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'access_get_all',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description="List share access rules.",
+        description=("List share access rules (deprecated in API "
+                     "version 2.45)."),
         operations=[
             {
                 'method': 'GET',
@@ -441,8 +442,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'extend',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Extend share.",
         operations=[
             {
@@ -454,8 +455,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'force_extend',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Force extend share.",
         operations=[
             {
@@ -465,8 +466,8 @@ shares_policies = [
         ]),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'shrink',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Shrink share.",
         operations=[
             {
@@ -478,8 +479,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'migration_start',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description="Migrate a share to the specified host.",
         operations=[
             {
@@ -491,9 +492,9 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'migration_complete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
-        description="Invokes 2nd phase of share migration.",
+        description="Invoke 2nd phase of share migration.",
         operations=[
             {
                 'method': 'POST',
@@ -504,9 +505,9 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'migration_cancel',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
-        description="Attempts to cancel share migration.",
+        description="Attempt to cancel share migration.",
         operations=[
             {
                 'method': 'POST',
@@ -517,8 +518,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'migration_get_progress',
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
-        scope_types=['system'],
+        scope_types=['project'],
         description=("Retrieve share migration progress for a given "
                      "share."),
         operations=[
@@ -531,9 +532,9 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'reset_task_state',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description=("Reset task state."),
+        description="Reset task state.",
         operations=[
             {
                 'method': 'POST',
@@ -544,9 +545,9 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'reset_status',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description=("Reset status."),
+        description="Reset status.",
         operations=[
             {
                 'method': 'POST',
@@ -557,9 +558,9 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'revert_to_snapshot',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description=("Revert a share to a snapshot."),
+        description="Revert a share to a snapshot.",
         operations=[
             {
                 'method': 'POST',
@@ -570,9 +571,9 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'allow_access',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description=("Add share access rule."),
+        description="Add share access rule.",
         operations=[
             {
                 'method': 'POST',
@@ -583,9 +584,9 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'deny_access',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description=("Remove share access rule."),
+        description="Remove share access rule.",
         operations=[
             {
                 'method': 'POST',
@@ -596,8 +597,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update_share_metadata',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Update share metadata.",
         operations=[
             {
@@ -617,8 +618,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete_share_metadata',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Delete share metadata.",
         operations=[
             {
@@ -630,8 +631,8 @@ shares_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get_share_metadata',
-        check_str=base.SYSTEM_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Get share metadata.",
         operations=[
             {
@@ -653,8 +654,8 @@ shares_policies = [
 base_snapshot_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create_snapshot',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description="Create share snapshot.",
         operations=[
             {
@@ -666,9 +667,9 @@ base_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete_snapshot',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description=("Delete share snapshot."),
+        description="Delete share snapshot.",
         operations=[
             {
                 'method': 'DELETE',
@@ -679,9 +680,9 @@ base_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'snapshot_update',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
-        description=("Update share snapshot."),
+        description="Update share snapshot.",
         operations=[
             {
                 'method': 'PUT',
@@ -692,8 +693,8 @@ base_snapshot_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'update_admin_only_metadata',
-        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        check_str=base.ADMIN,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description=(
             "Update metadata items that are considered \"admin only\" "
             "by the service."),

releasenotes/notes/zed-secure-rbac-direction-change-2329bbf442b9a2da.yaml

@@ -0,0 +1,18 @@
+---
+prelude: >
+    RBAC defaults of all Shared File System service (manila) APIs have been
+    updated to remove "system" scope personas. This is being done in concert
+    with other OpenStack services, and in reaction to operator feedback that
+    the use of system "scope" introduces backwards incompatibility in existing
+    workflows. The new defaults support the use of "scope", however, no RBAC
+    rule by default includes "system" scope. At this time, we do not recommend
+    the use of system scoped personas to interact with the Shared File
+    Systems service (manila) APIs since it is largely un-tested. "reader"
+    role from the OpenStack Identity service (keystone) is fully supported
+    with this release. Currently, these new "defaults" are available as
+    "opt-in" only to prevent breaking existing deployments. To enforce default
+    RBAC rules, set ``[oslo_policy]/enforce_new_defaults`` to True in your
+    deployment. This option will be set to True by default in a future
+    release. See `the OpenStack TC Secure RBAC goal <https://governance.openstack
+    .org/tc/goals/selected/consistent-and-secure-rbac.html>`_ for more
+    information regarding these changes.