Merge "[Trivial]: Remove unused RBAC default alias"

nova/policies/base.py

@@ -12,10 +12,10 @@
 
 from oslo_policy import policy
 
+# TODO(gmaan): Below alias are deprecated and needs to be removed once we stop
+# supporting the old defaults.
 RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'  # Admins or owners of the resource
 RULE_ADMIN_API = 'rule:admin_api'  # Allow only users with the admin role
-RULE_ANY = '@'  # Any user is allowed to perform the action.
-RULE_NOBODY = '!'  # No users are allowed to perform the action.
 
 DEPRECATED_REASON = """
 Nova API policies are introducing new default roles with scope_type
@@ -37,19 +37,23 @@ DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
     deprecated_since='21.0.0'
 )
 
+# NOTE(gmaan): We should use the below alias in the policy rule defaults.
+# This will help to keep the definition of admin and various project
+# personas in a consistent way. If any policy rule needs different access
+# permission than what is defined in the existing alias, you can define the
+# new alias.
 ADMIN = 'rule:context_is_admin'
-PROJECT_MEMBER = 'rule:project_manager_api'
-PROJECT_MEMBER = 'rule:project_member_api'
-PROJECT_READER = 'rule:project_reader_api'
+PROJECT_MANAGER_OR_ADMIN = 'rule:project_manager_or_admin'
+PROJECT_MEMBER_OR_ADMIN = 'rule:project_member_or_admin'
+PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin'
+RULE_ANY = '@'  # Any user is allowed to perform the action.
+RULE_NOBODY = '!'  # No users are allowed to perform the action.
 # TODO(gmaan): Remove the admin role from the service rule in 2026.2. We are
 # continue allowing admin to access the service APIs, otherwise it will break
 # deployment where nova service users in other services are not assigned
 # 'service' role. After one SLURP (2026.1), we can make service APIs only
 # allowed for the 'service' role.
 SERVICE_ROLE = 'rule:service_or_admin'
-PROJECT_MANAGER_OR_ADMIN = 'rule:project_manager_or_admin'
-PROJECT_MEMBER_OR_ADMIN = 'rule:project_member_or_admin'
-PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin'
 
 # NOTE(gmann): Below is the mapping of new roles with legacy roles::
 

nova/tests/unit/policies/test_lock_server.py

@@ -21,7 +21,6 @@ from nova.api.openstack.compute import lock_server
 from nova.compute import vm_states
 import nova.conf
 from nova import exception
-from nova.policies import base as base_policy
 from nova.policies import lock_server as ls_policies
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import fake_instance
@@ -189,7 +188,7 @@ class LockServerOverridePolicyTest(LockServerScopeTypeNoLegacyPolicyTest):
     def setUp(self):
         super(LockServerOverridePolicyTest, self).setUp()
         # We are overriding the 'unlock:unlock_override' policy
-        # to PROJECT_MEMBER so testing it with both admin as well
+        # to rule:project_member_api so testing it with both admin as well
         # as project member as allowed context.
         self.project_admin_authorized_contexts = [
             self.project_admin_context, self.project_manager_context,
@@ -201,6 +200,6 @@ class LockServerOverridePolicyTest(LockServerScopeTypeNoLegacyPolicyTest):
         # make unlock allowed for everyone so that we can check unlock
         # override policy.
         ls_policies.POLICY_ROOT % 'unlock': "@",
-        rule: base_policy.PROJECT_MEMBER}, overwrite=False)
+        rule: "rule:project_member_api"}, overwrite=False)
         super(LockServerOverridePolicyTest,
               self).test_unlock_override_server_policy()

nova/tests/unit/policies/test_migrate_server.py

@@ -181,10 +181,10 @@ class MigrateServerOverridePolicyTest(
         # NOTE(gmann): override the rule to project member and verify it
         # work as policy is system and project scoped.
         self.policy.set_rules({
-            rule_migrate: base_policy.PROJECT_MEMBER,
-            rule_migrate_host: base_policy.PROJECT_MEMBER,
-            rule_live_migrate: base_policy.PROJECT_MEMBER,
-            rule_live_migrate_host: base_policy.PROJECT_MEMBER},
+            rule_migrate: "rule:project_member_api",
+            rule_migrate_host: "rule:project_member_api",
+            rule_live_migrate: "rule:project_member_api",
+            rule_live_migrate_host: "rule:project_member_api"},
             overwrite=False)
 
         # Check that project member role as override above

nova/tests/unit/policies/test_server_diagnostics.py

@@ -17,7 +17,6 @@ from oslo_utils import timeutils
 from nova.api.openstack.compute import server_diagnostics
 from nova.compute import vm_states
 from nova import objects
-from nova.policies import base as base_policy
 from nova.policies import server_diagnostics as policies
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import fake_instance
@@ -127,7 +126,7 @@ class ServerDiagnosticsOverridePolicyTest(
         # NOTE(gmann): override the rule to project member and verify it
         # work as policy is project scoped.
         self.policy.set_rules({
-            rule: base_policy.PROJECT_MEMBER},
+            rule: "rule:project_member_api"},
             overwrite=False)
 
         # Check that project member role as override above

nova/tests/unit/policies/test_server_migrations.py

@@ -264,11 +264,11 @@ class ServerMigrationsOverridePolicyTest(
         # NOTE(gmann): override the rule to project member and verify it
         # work as policy is project scoped.
         self.policy.set_rules({
-            rule_show: base_policy.PROJECT_READER,
-            rule_list: base_policy.PROJECT_READER,
-            rule_list_host: base_policy.PROJECT_READER,
-            rule_force: base_policy.PROJECT_READER,
-            rule_delete: base_policy.PROJECT_READER},
+            rule_show: "rule:project_reader_api",
+            rule_list: "rule:project_reader_api",
+            rule_list_host: "rule:project_reader_api",
+            rule_force: "rule:project_reader_api",
+            rule_delete: "rule:project_reader_api"},
             overwrite=False)
 
         # Check that project reader as override above