Remove policy rule for get_network:router:external

In legacy RBAC rules get of the network's router:external attribute was
available for everyone (rule:regular_user). In new S-RBAC rules it was
done to be available for admin users and for PROJECT_READER. This didn't
really had the same result as router:external attribute wasn't visible
for networks which belongs to other project.

Networks which are set to be external are automatically shared with all
other projects and each user from such project should be able to check
every of visible networks if it is external or not.
In overall, extra policy rule for "get_network:router:external" isn't
really necessary and this patch removes it.

Closes-Bug: #1996836
Change-Id: I5fe4a0134c6ecf5cf28e2f5d59411134546c98b0

neutron/conf/policies/network.py

@@ -189,20 +189,6 @@ rules = [
             deprecated_reason=DEPRECATED_REASON,
             deprecated_since=versionutils.deprecated.WALLABY)
     ),
-    policy.DocumentedRuleDefault(
-        name='get_network:router:external',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_READER),
-        scope_types=['project'],
-        description='Get ``router:external`` attribute of a network',
-        operations=ACTION_GET,
-        deprecated_rule=policy.DeprecatedRule(
-            name='get_network:router:external',
-            check_str=base.RULE_ANY,
-            deprecated_reason=DEPRECATED_REASON,
-            deprecated_since=versionutils.deprecated.WALLABY)
-    ),
     policy.DocumentedRuleDefault(
         name='get_network:segments',
         check_str=base.ADMIN,

neutron/tests/unit/conf/policies/test_network.py

@@ -140,18 +140,6 @@ class SystemAdminTests(NetworkAPITestCase):
             self.context, 'get_network',
             self.alt_target)
 
-    def test_get_network_external(self):
-        self.assertRaises(
-            base_policy.InvalidScope,
-            policy.enforce,
-            self.context, 'get_network:router:external',
-            self.target)
-        self.assertRaises(
-            base_policy.InvalidScope,
-            policy.enforce,
-            self.context, 'get_network:router:external',
-            self.alt_target)
-
     def test_get_network_segments(self):
         self.assertRaises(
             base_policy.InvalidScope,
@@ -403,22 +391,6 @@ class AdminTests(NetworkAPITestCase):
         self.assertTrue(
             policy.enforce(self.context, 'get_network', self.alt_target))
 
-    def test_get_network_external(self):
-        self.assertTrue(
-            policy.enforce(self.context,
-                           'get_network:router:external', self.target))
-        self.assertTrue(
-            policy.enforce(self.context,
-                           'get_network:router:external', self.alt_target))
-
-    def test_get_network_segments(self):
-        self.assertTrue(
-            policy.enforce(self.context,
-                           'get_network:segments', self.target))
-        self.assertTrue(
-            policy.enforce(self.context,
-                           'get_network:segments', self.alt_target))
-
     def test_get_network_provider_network_type(self):
         self.assertTrue(
             policy.enforce(self.context,
@@ -641,15 +613,6 @@ class ProjectMemberTests(AdminTests):
             policy.enforce,
             self.context, 'get_network', self.alt_target)
 
-    def test_get_network_external(self):
-        self.assertTrue(
-            policy.enforce(self.context,
-                           'get_network:router:external', self.target))
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'get_network:router:external', self.alt_target)
-
     def test_get_network_segments(self):
         self.assertRaises(
             base_policy.PolicyNotAuthorized,