Fix server operations' policies to admin only

Before the following policies were set to admin only operations
by default.

* detail:get_all_tenants
* index:get_all_tenants
* create:forced_host

Currently, however, they are not limited to admin users by default.
They were changed unintentionally in
I71b3d1233255125cb280a000b990329f5b03fdfd.
This change makes them admin-only again
and fixes the policy unit test accordingly.

Change-Id: I1c0a4f1ff19d68152953dd6b265a7fb2e0f6271a
Closes-Bug: #1609625
Closes-Bug: #1609691
Closes-Bug: #1611628
Takashi NATSUME 2016-08-04 17:56:58 +09:00
parent 3d6e72689e
commit 16a38564cb
2 changed files with 6 additions and 4 deletions


@ -22,14 +22,15 @@ SERVERS = 'os_compute_api:servers:%s'
rules = [
policy.RuleDefault(SERVERS % 'index', RULE_AOO),
policy.RuleDefault(SERVERS % 'detail', RULE_AOO),
policy.RuleDefault(SERVERS % 'detail:get_all_tenants', RULE_AOO),
policy.RuleDefault(SERVERS % 'index:get_all_tenants', RULE_AOO),
policy.RuleDefault(SERVERS % 'detail:get_all_tenants',
base.RULE_ADMIN_API),
policy.RuleDefault(SERVERS % 'index:get_all_tenants', base.RULE_ADMIN_API),
policy.RuleDefault(SERVERS % 'show', RULE_AOO),
# the details in host_status are pretty sensitive, only admins
# should do that by default.
policy.RuleDefault(SERVERS % 'show:host_status', base.RULE_ADMIN_API),
policy.RuleDefault(SERVERS % 'create', RULE_AOO),
policy.RuleDefault(SERVERS % 'create:forced_host', RULE_AOO),
policy.RuleDefault(SERVERS % 'create:forced_host', base.RULE_ADMIN_API),
policy.RuleDefault(SERVERS % 'create:attach_volume', RULE_AOO),
policy.RuleDefault(SERVERS % 'create:attach_network', RULE_AOO),
policy.RuleDefault(SERVERS % 'delete', RULE_AOO),
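Review bot: The three rules set to `base.RULE_ADMIN_API` in this section (`detail:get_all_tenants`, `index:get_all_tenants`, `create:forced_host`) carry no comment saying why they are admin-only, while `show:host_status` just above does, and the commit message says these defaults were already loosened once by accident. A short why-comment on each would make a later refactor less likely to repeat that, for example `# get_all_tenants lists servers of every project; admin only by default.` and `# forced_host lets the caller choose the compute host; admin only by default.` Because this changes default policy, deployments that ran the intermediate code without overriding these rules were presumably granting them to non-admin users, which seems worth a release note. The rules list continues outside the hunk.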


@ -493,7 +493,8 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
def test_admin_only_rules(self):
for rule in self.admin_only_rules:
self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
self.non_admin_context, rule, self.target)
self.non_admin_context, rule,
{'project_id': 'fake', 'user_id': 'fake'})
policy.authorize(self.admin_context, rule, self.target)
def test_non_admin_only_rules(self):
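Review bot: The new non-admin target `{'project_id': 'fake', 'user_id': 'fake'}` in `test_admin_only_rules` only tells an admin-only rule apart from an admin-or-owner one if those literals equal the ids of `self.non_admin_context`, and that link is not visible here because the context is built outside the hunk. Deriving the target from the context makes the intent explicit and keeps the negative check from silently weakening if the fixture changes: `{'project_id': self.non_admin_context.project_id, 'user_id': self.non_admin_context.user_id}`. A one-line comment such as `# target owned by the caller, so an admin_or_owner default would be authorized and fail this test` would record why `self.target` is no longer used for the non-admin call.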