Remove db layer hard-code permission checks for security_group_default_rule_destroy

This patches removes db layer hard-code permission checks for
security_group_default_rule_destroy.

Partially implements bp nova-api-policy-final-part

Change-Id: Ic2307d3eb4c9ec9f05304c42f64d59dc2b7224af

nova/api/openstack/compute/contrib/security_group_default_rules.py

@@ -88,6 +88,9 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
     def delete(self, req, id):
         context = sg._authorize_context(req)
         authorize(context)
+        # NOTE(shaohe-feng): back-compatible with db layer hard-code
+        # admin permission checks.
+        nova_context.require_admin_context(context)
 
         try:
             id = self.security_group_api.validate_id(id)

nova/db/sqlalchemy/api.py

@@ -4281,7 +4281,6 @@ def security_group_default_rule_get(context, security_group_rule_default_id):
     return result
 
 
-@require_admin_context
 def security_group_default_rule_destroy(context,
                                         security_group_rule_default_id):
     session = get_session()

nova/tests/unit/api/openstack/compute/contrib/test_security_group_default_rules.py

@@ -337,6 +337,11 @@ class TestSecurityGroupDefaultRulesV2(test.TestCase):
         self.assertRaises(exception.AdminRequired, self.controller.create,
                           self.non_admin_req, sgr_dict)
 
+    def test_delete_security_group_default_rules_with_non_admin(self):
+        self.controller = self.controller_cls()
+        self.assertRaises(exception.AdminRequired,
+                          self.controller.delete, self.non_admin_req, 1)
+
 
 class SecurityGroupDefaultRulesPolicyEnforcementV21(test.NoDBTestCase):