From 265ab1349b6bbe98df853a450172fc234be8c58f Mon Sep 17 00:00:00 2001
From: Ghanshyam
Date: Tue, 25 Nov 2025 21:22:54 +0000
Subject: [PATCH] [Trivial]: Remove unused RBAC default alias

Nova policy defaults use the rule alias from base class. This helps to achieve the consistency and avoid redefining the common rules. This commit keeps the usable alias in base class and remove the unused one: PROJECT_MANAGER, PROJECT_MEMBER, and PROJECT_MEMBER (even they should not be used as they do not let admin to access the APIs).

Change-Id: I5dcb15306f35e2fc00c0780d3db74bf4453b1cab
Signed-off-by: Ghanshyam
---
 nova/policies/base.py | 20 +++++++++++--------
 nova/tests/unit/policies/test_lock_server.py | 5 ++---
 .../unit/policies/test_migrate_server.py | 8 ++++----
 .../unit/policies/test_server_diagnostics.py | 3 +--
 .../unit/policies/test_server_migrations.py | 10 +++++-----
 5 files changed, 24 insertions(+), 22 deletions(-)

diff --git a/nova/policies/base.py b/nova/policies/base.py
index 70673e555bd8..5d1655590ec0 100644
--- a/nova/policies/base.py
+++ b/nova/policies/base.py
@@ -12,10 +12,10 @@
 from oslo_policy import policy
+# TODO(gmaan): Below alias are deprecated and needs to be removed once we stop
+# supporting the old defaults.
 RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' # Admins or owners of the resource
 RULE_ADMIN_API = 'rule:admin_api' # Allow only users with the admin role
-RULE_ANY = '@' # Any user is allowed to perform the action.
-RULE_NOBODY = '!' # No users are allowed to perform the action.
 DEPRECATED_REASON = """
 Nova API policies are introducing new default roles with scope_type
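Review bot: The added TODO reads as if `RULE_ADMIN_OR_OWNER` and `RULE_ADMIN_API` were themselves deprecated, but what is deprecated are the legacy defaults they feed (`DEPRECATED_REASON` in this hunk and `DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(` in the next hunk's context); the aliases only exist to back those entries. Rephrasing to `# TODO(gmaan): The aliases below only back the deprecated legacy defaults` / `# (e.g. DEPRECATED_ADMIN_OR_OWNER_POLICY); remove them together with those` / `# defaults once the old defaults are no longer supported.` states that relationship and also fixes the grammar of `alias are ... needs`. `RULE_ANY` and `RULE_NOBODY` are only relocated here, so nothing else to raise on this hunk.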
@@ -37,19 +37,23 @@ DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
 deprecated_since='21.0.0' )
+# NOTE(gmaan): We should use the below alias in the policy rule defaults.
+# This will help to keep the definition of admin and various project
+# personas in a consistent way. If any policy rule needs different access
+# permission than what is defined in the existing alias, you can define the
+# new alias.
 ADMIN = 'rule:context_is_admin'
-PROJECT_MEMBER = 'rule:project_manager_api'
-PROJECT_MEMBER = 'rule:project_member_api'
-PROJECT_READER = 'rule:project_reader_api'
+PROJECT_MANAGER_OR_ADMIN = 'rule:project_manager_or_admin'
+PROJECT_MEMBER_OR_ADMIN = 'rule:project_member_or_admin'
+PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin'
+RULE_ANY = '@' # Any user is allowed to perform the action.
+RULE_NOBODY = '!' # No users are allowed to perform the action.
 # TODO(gmaan): Remove the admin role from the service rule in 2026.2. We are
 # continue allowing admin to access the service APIs, otherwise it will break
 # deployment where nova service users in other services are not assigned
 # 'service' role. After one SLURP (2026.1), we can make service APIs only
 # allowed for the 'service' role.
 SERVICE_ROLE = 'rule:service_or_admin'
-PROJECT_MANAGER_OR_ADMIN = 'rule:project_manager_or_admin'
-PROJECT_MEMBER_OR_ADMIN = 'rule:project_member_or_admin'
-PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin'
 # NOTE(gmann): Below is the mapping of new roles with legacy roles::
diff --git a/nova/tests/unit/policies/test_lock_server.py b/nova/tests/unit/policies/test_lock_server.py
index 1486902c5631..ce31b83ee1d9 100644
--- a/nova/tests/unit/policies/test_lock_server.py
+++ b/nova/tests/unit/policies/test_lock_server.py
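Review bot: The new NOTE says to use the `*_OR_ADMIN` aliases but not why the bare `rule:project_member_api` / `rule:project_reader_api` aliases are being dropped; the commit message gives the reason (they do not grant admin access), and that is the access-control rule worth recording next to the definitions so nobody re-adds one as a policy default. A line after the NOTE such as `# Do not add bare project_*_api aliases here: they carry no admin clause, so` / `# using one as a policy default would deny the API to admin.` would capture it. On the removed lines, `PROJECT_MEMBER` was assigned twice, so the `project_manager_api` binding was already dead and the name resolved to the member rule, which supports removing it; note also that the commit message lists `PROJECT_MEMBER` twice where this hunk actually removes `PROJECT_READER`. Deleting the module attributes is an import-time break for any out-of-tree code that referenced `base_policy.PROJECT_MEMBER`, so a release note may be worth considering if such consumers exist.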
@@ -21,7 +21,6 @@ from nova.api.openstack.compute import lock_server
 from nova.compute import vm_states
 import nova.conf
 from nova import exception
-from nova.policies import base as base_policy
 from nova.policies import lock_server as ls_policies
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import fake_instance
@@ -189,7 +188,7 @@ class LockServerOverridePolicyTest(LockServerScopeTypeNoLegacyPolicyTest):
 def setUp(self):
 super(LockServerOverridePolicyTest, self).setUp()
 # We are overriding the 'unlock:unlock_override' policy
- # to PROJECT_MEMBER so testing it with both admin as well
+ # to rule:project_member_api so testing it with both admin as well
 # as project member as allowed context.
 self.project_admin_authorized_contexts = [
 self.project_admin_context, self.project_manager_context,
@@ -201,6 +200,6 @@ class LockServerOverridePolicyTest(LockServerScopeTypeNoLegacyPolicyTest):
 # make unlock allowed for everyone so that we can check unlock
 # override policy.
 ls_policies.POLICY_ROOT % 'unlock': "@",
- rule: base_policy.PROJECT_MEMBER}, overwrite=False)
+ rule: "rule:project_member_api"}, overwrite=False)
 super(LockServerOverridePolicyTest, self).test_unlock_override_server_policy()
diff --git a/nova/tests/unit/policies/test_migrate_server.py b/nova/tests/unit/policies/test_migrate_server.py
index cf728a2e3bbf..71c02ed336c7 100644
--- a/nova/tests/unit/policies/test_migrate_server.py
+++ b/nova/tests/unit/policies/test_migrate_server.py
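Review bot: The updated comment in the `setUp` hunk still says the override to `rule:project_member_api` is tested "with both admin as well as project member", but per the commit message that bare rule grants admin nothing, so the admin contexts listed below it presumably pass only because they also carry the member role in the project; the comment should say so, e.g. `# to rule:project_member_api, which has no admin clause; the admin contexts` / `# below are allowed only because they also hold the member role.` (please confirm against the context fixtures, which sit outside the hunk). The same string literal is now copied verbatim into the test_migrate_server.py hunk (four times), the test_server_diagnostics.py hunk, and as `rule:project_reader_api` five times in the test_server_migrations.py hunk; one shared test-side constant would keep the four files from drifting if the rule name in nova/policies/base.py ever changes. Both `LockServerOverridePolicyTest` methods touched here start and end outside their hunks.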
@@ -181,10 +181,10 @@ class MigrateServerOverridePolicyTest(
 # NOTE(gmann): override the rule to project member and verify it
 # work as policy is system and project scoped.
 self.policy.set_rules({
- rule_migrate: base_policy.PROJECT_MEMBER,
- rule_migrate_host: base_policy.PROJECT_MEMBER,
- rule_live_migrate: base_policy.PROJECT_MEMBER,
- rule_live_migrate_host: base_policy.PROJECT_MEMBER},
+ rule_migrate: "rule:project_member_api",
+ rule_migrate_host: "rule:project_member_api",
+ rule_live_migrate: "rule:project_member_api",
+ rule_live_migrate_host: "rule:project_member_api"},
 overwrite=False)
 # Check that project member role as override above
diff --git a/nova/tests/unit/policies/test_server_diagnostics.py b/nova/tests/unit/policies/test_server_diagnostics.py
index 6f99858be85f..318f32ac1868 100644
--- a/nova/tests/unit/policies/test_server_diagnostics.py
+++ b/nova/tests/unit/policies/test_server_diagnostics.py
@@ -17,7 +17,6 @@ from oslo_utils import timeutils
 from nova.api.openstack.compute import server_diagnostics
 from nova.compute import vm_states
 from nova import objects
-from nova.policies import base as base_policy
 from nova.policies import server_diagnostics as policies
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import fake_instance
@@ -127,7 +126,7 @@ class ServerDiagnosticsOverridePolicyTest(
 # NOTE(gmann): override the rule to project member and verify it
 # work as policy is project scoped.
 self.policy.set_rules({
- rule: base_policy.PROJECT_MEMBER},
+ rule: "rule:project_member_api"},
 overwrite=False)
 # Check that project member role as override above
diff --git a/nova/tests/unit/policies/test_server_migrations.py b/nova/tests/unit/policies/test_server_migrations.py
index dd9083fe30a7..31b35ea6494b 100644
--- a/nova/tests/unit/policies/test_server_migrations.py
+++ b/nova/tests/unit/policies/test_server_migrations.py
@@ -249,11 +249,11 @@ class ServerMigrationsOverridePolicyTest(
 # NOTE(gmann): override the rule to project member and verify it
 # work as policy is project scoped.
 self.policy.set_rules({
- rule_show: base_policy.PROJECT_READER,
- rule_list: base_policy.PROJECT_READER,
- rule_list_host: base_policy.PROJECT_READER,
- rule_force: base_policy.PROJECT_READER,
- rule_delete: base_policy.PROJECT_READER},
+ rule_show: "rule:project_reader_api",
+ rule_list: "rule:project_reader_api",
+ rule_list_host: "rule:project_reader_api",
+ rule_force: "rule:project_reader_api",
+ rule_delete: "rule:project_reader_api"},
 overwrite=False)
 # Check that project reader as override above