Introduce scope_types in server topology

oslo.policy introduced the scope_type feature which can
control the access level at system-level and project-level.
 - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
 - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html

Appropriate scope_type for nova case:
- https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope

This commit introduce scope_type for server topology API policies as:
- 'system' and 'project' for get server topology
- 'system' for get server topology with host info.

Also adds the test case with scope_type enabled and verify we
pass and fail the policy check with expected context.

Partial implement blueprint policy-defaults-refresh

Change-Id: I69e3c7f6073e8fd6d98aa7a3c7d65f3e2ea0dd86

nova/policies/server_topology.py

@@ -20,27 +20,29 @@ BASE_POLICY_NAME = 'compute:server:topology:%s'
 
 server_topology_policies = [
     policy.DocumentedRuleDefault(
-        BASE_POLICY_NAME % 'index',
+        name=BASE_POLICY_NAME % 'index',
-        base.RULE_ADMIN_OR_OWNER,
+        check_str=base.RULE_ADMIN_OR_OWNER,
-        "Show the NUMA topology data for a server",
+        description="Show the NUMA topology data for a server",
-        [
+        operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/topology'
             }
-        ]),
+        ],
+        scope_types=['system', 'project']),
     policy.DocumentedRuleDefault(
         # Control host NUMA node and cpu pinning information
-        BASE_POLICY_NAME % 'host:index',
+        name=BASE_POLICY_NAME % 'host:index',
-        base.RULE_ADMIN_API,
+        check_str=base.RULE_ADMIN_API,
-        "Show the NUMA topology data for a server with host NUMA ID and CPU "
+        description="Show the NUMA topology data for a server with host"
-        "pinning information",
+        "NUMA ID and CPU pinning information",
-        [
+        operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/topology'
             }
-        ]),
+        ],
+        scope_types=['system']),
 ]
 
 

nova/tests/unit/policies/test_server_topology.py

@@ -117,3 +117,17 @@ class ServerTopologyScopeTypePolicyTest(ServerTopologyPolicyTest):
     def setUp(self):
         super(ServerTopologyScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system admin is able to get the server topology
+        # host information.
+        self.admin_authorized_contexts = [
+            self.system_admin_context]
+        # Check that non-system/admin is not able to get the server topology
+        # host information.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.system_foo_context,
+            self.project_admin_context, self.project_member_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context
+        ]