Merge "policy: Replaces 'authorize' in nova-api (part 5)"

nova/api/openstack/compute/security_group_default_rules.py

@@ -20,10 +20,10 @@ from nova.api.openstack import wsgi
 from nova import exception
 from nova.i18n import _
 from nova.network.security_group import openstack_driver
+from nova.policies import security_group_default_rules as sgdr_policies
 
 
 ALIAS = "os-security-group-default-rules"
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
@@ -35,7 +35,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
     @extensions.expected_errors((400, 409, 501))
     def create(self, req, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sgdr_policies.BASE_POLICY_NAME)
 
         sg_rule = self._from_body(body, 'security_group_default_rule')
 
@@ -72,7 +72,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
     @extensions.expected_errors((400, 404, 501))
     def show(self, req, id):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sgdr_policies.BASE_POLICY_NAME)
 
         try:
             id = self.security_group_api.validate_id(id)
@@ -91,7 +91,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
     @wsgi.response(204)
     def delete(self, req, id):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sgdr_policies.BASE_POLICY_NAME)
 
         try:
             id = self.security_group_api.validate_id(id)
@@ -107,7 +107,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
     @extensions.expected_errors((404, 501))
     def index(self, req):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sgdr_policies.BASE_POLICY_NAME)
 
         ret = {'security_group_default_rules': []}
         try:

nova/api/openstack/compute/security_groups.py

@@ -28,19 +28,18 @@ from nova import compute
 from nova import exception
 from nova.i18n import _
 from nova.network.security_group import openstack_driver
+from nova.policies import security_groups as sg_policies
 from nova.virt import netutils
 
 
 LOG = logging.getLogger(__name__)
 ALIAS = 'os-security-groups'
 ATTRIBUTE_NAME = 'security_groups'
-authorize = extensions.os_compute_authorizer(ALIAS)
-softauth = extensions.os_compute_soft_authorizer(ALIAS)
 
 
 def _authorize_context(req):
     context = req.environ['nova.context']
-    authorize(context)
+    context.can(sg_policies.BASE_POLICY_NAME)
     return context
 
 
@@ -386,7 +385,7 @@ class SecurityGroupActionController(wsgi.Controller):
     @wsgi.action('addSecurityGroup')
     def _addSecurityGroup(self, req, id, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sg_policies.BASE_POLICY_NAME)
 
         group_name = self._parse(body, 'addSecurityGroup')
         try:
@@ -406,7 +405,7 @@ class SecurityGroupActionController(wsgi.Controller):
     @wsgi.action('removeSecurityGroup')
     def _removeSecurityGroup(self, req, id, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sg_policies.BASE_POLICY_NAME)
 
         group_name = self._parse(body, 'removeSecurityGroup')
 
@@ -436,7 +435,7 @@ class SecurityGroupsOutputController(wsgi.Controller):
             return
         key = "security_groups"
         context = req.environ['nova.context']
-        if not softauth(context):
+        if not context.can(sg_policies.BASE_POLICY_NAME, fatal=False):
             return
 
         if not openstack_driver.is_neutron_security_groups():

nova/api/openstack/compute/server_diagnostics.py

@@ -18,10 +18,10 @@ from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
 from nova import compute
 from nova import exception
+from nova.policies import server_diagnostics as sd_policies
 
 
 ALIAS = "os-server-diagnostics"
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class ServerDiagnosticsController(wsgi.Controller):
@@ -31,7 +31,7 @@ class ServerDiagnosticsController(wsgi.Controller):
     @extensions.expected_errors((404, 409, 501))
     def index(self, req, server_id):
         context = req.environ["nova.context"]
-        authorize(context)
+        context.can(sd_policies.BASE_POLICY_NAME)
 
         instance = common.get_instance(self.compute_api, context, server_id)
 

nova/api/openstack/compute/server_external_events.py

@@ -24,11 +24,11 @@ from nova import exception
 from nova.i18n import _
 from nova.i18n import _LI
 from nova import objects
+from nova.policies import server_external_events as see_policies
 
 
 LOG = logging.getLogger(__name__)
 ALIAS = 'os-server-external-events'
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class ServerExternalEventsController(wsgi.Controller):
@@ -43,7 +43,7 @@ class ServerExternalEventsController(wsgi.Controller):
     def create(self, req, body):
         """Creates a new instance event."""
         context = req.environ['nova.context']
-        authorize(context, action='create')
+        context.can(see_policies.POLICY_ROOT % 'create')
 
         response_events = []
         accepted_events = []

nova/api/openstack/compute/server_groups.py

@@ -29,18 +29,16 @@ import nova.exception
 from nova.i18n import _
 from nova.i18n import _LE
 from nova import objects
+from nova.policies import server_groups as sg_policies
 
 LOG = logging.getLogger(__name__)
 
 ALIAS = "os-server-groups"
 
 
-authorize = extensions.os_compute_authorizer(ALIAS)
-
-
 def _authorize_context(req):
     context = req.environ['nova.context']
-    authorize(context)
+    context.can(sg_policies.BASE_POLICY_NAME)
     return context
 
 

nova/api/openstack/compute/server_metadata.py

@@ -24,9 +24,9 @@ from nova.api import validation
 from nova import compute
 from nova import exception
 from nova.i18n import _
+from nova.policies import server_metadata as sm_policies
 
 ALIAS = 'server-metadata'
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class ServerMetadataController(wsgi.Controller):
@@ -55,7 +55,7 @@ class ServerMetadataController(wsgi.Controller):
     def index(self, req, server_id):
         """Returns the list of metadata for a given instance."""
         context = req.environ['nova.context']
-        authorize(context, action='index')
+        context.can(sm_policies.POLICY_ROOT % 'index')
         return {'metadata': self._get_metadata(context, server_id)}
 
     @extensions.expected_errors((400, 403, 404, 409))
@@ -65,7 +65,7 @@ class ServerMetadataController(wsgi.Controller):
     def create(self, req, server_id, body):
         metadata = body['metadata']
         context = req.environ['nova.context']
-        authorize(context, action='create')
+        context.can(sm_policies.POLICY_ROOT % 'create')
         new_metadata = self._update_instance_metadata(context,
                                                       server_id,
                                                       metadata,
@@ -77,7 +77,7 @@ class ServerMetadataController(wsgi.Controller):
     @validation.schema(server_metadata.update)
     def update(self, req, server_id, id, body):
         context = req.environ['nova.context']
-        authorize(context, action='update')
+        context.can(sm_policies.POLICY_ROOT % 'update')
         meta_item = body['meta']
         if id not in meta_item:
             expl = _('Request body and URI mismatch')
@@ -94,7 +94,7 @@ class ServerMetadataController(wsgi.Controller):
     @validation.schema(server_metadata.update_all)
     def update_all(self, req, server_id, body):
         context = req.environ['nova.context']
-        authorize(context, action='update_all')
+        context.can(sm_policies.POLICY_ROOT % 'update_all')
         metadata = body['metadata']
         new_metadata = self._update_instance_metadata(context,
                                                       server_id,
@@ -129,7 +129,7 @@ class ServerMetadataController(wsgi.Controller):
     def show(self, req, server_id, id):
         """Return a single metadata item."""
         context = req.environ['nova.context']
-        authorize(context, action='show')
+        context.can(sm_policies.POLICY_ROOT % 'show')
         data = self._get_metadata(context, server_id)
 
         try:
@@ -143,7 +143,7 @@ class ServerMetadataController(wsgi.Controller):
     def delete(self, req, server_id, id):
         """Deletes an existing metadata."""
         context = req.environ['nova.context']
-        authorize(context, action='delete')
+        context.can(sm_policies.POLICY_ROOT % 'delete')
         metadata = self._get_metadata(context, server_id)
 
         if id not in metadata:

nova/api/openstack/compute/server_migrations.py

@@ -23,10 +23,10 @@ from nova.api import validation
 from nova import compute
 from nova import exception
 from nova.i18n import _
+from nova.policies import servers_migrations as sm_policies
 
 
 ALIAS = 'servers:migrations'
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 def output(migration):
@@ -69,7 +69,7 @@ class ServerMigrationsController(wsgi.Controller):
     @validation.schema(server_migrations.force_complete)
     def _force_complete(self, req, id, server_id, body):
         context = req.environ['nova.context']
-        authorize(context, action='force_complete')
+        context.can(sm_policies.POLICY_ROOT % 'force_complete')
 
         instance = common.get_instance(self.compute_api, context, server_id)
         try:
@@ -91,7 +91,7 @@ class ServerMigrationsController(wsgi.Controller):
     def index(self, req, server_id):
         """Return all migrations of an instance in progress."""
         context = req.environ['nova.context']
-        authorize(context, action="index")
+        context.can(sm_policies.POLICY_ROOT % 'index')
 
         # NOTE(Shaohe Feng) just check the instance is available. To keep
         # consistency with other API, check it before get migrations.
@@ -107,7 +107,7 @@ class ServerMigrationsController(wsgi.Controller):
     def show(self, req, server_id, id):
         """Return the migration of an instance in progress by id."""
         context = req.environ['nova.context']
-        authorize(context, action="show")
+        context.can(sm_policies.POLICY_ROOT % 'show')
 
         # NOTE(Shaohe Feng) just check the instance is available. To keep
         # consistency with other API, check it before get migrations.
@@ -141,7 +141,7 @@ class ServerMigrationsController(wsgi.Controller):
     def delete(self, req, server_id, id):
         """Abort an in progress migration of an instance."""
         context = req.environ['nova.context']
-        authorize(context, action="delete")
+        context.can(sm_policies.POLICY_ROOT % 'delete')
 
         instance = common.get_instance(self.compute_api, context, server_id)
         try:

nova/api/openstack/compute/server_password.py

@@ -20,10 +20,10 @@ from nova.api.openstack import common
 from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
 from nova import compute
+from nova.policies import server_password as sp_policies
 
 
 ALIAS = 'os-server-password'
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class ServerPasswordController(wsgi.Controller):
@@ -34,7 +34,7 @@ class ServerPasswordController(wsgi.Controller):
     @extensions.expected_errors(404)
     def index(self, req, server_id):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sp_policies.BASE_POLICY_NAME)
         instance = common.get_instance(self.compute_api, context, server_id)
 
         passw = password.extract_password(instance)
@@ -50,7 +50,7 @@ class ServerPasswordController(wsgi.Controller):
         """
 
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sp_policies.BASE_POLICY_NAME)
         instance = common.get_instance(self.compute_api, context, server_id)
         meta = password.convert_password(context, None)
         instance.system_metadata.update(meta)

nova/api/openstack/compute/server_tags.py

@@ -25,10 +25,10 @@ from nova.compute import vm_states
 from nova import exception
 from nova.i18n import _
 from nova import objects
+from nova.policies import server_tags as st_policies
 
 
 ALIAS = "os-server-tags"
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 def _get_tags_names(tags):
@@ -58,7 +58,7 @@ class ServerTagsController(wsgi.Controller):
     @extensions.expected_errors(404)
     def show(self, req, server_id, id):
         context = req.environ["nova.context"]
-        authorize(context, action='show')
+        context.can(st_policies.POLICY_ROOT % 'show')
 
         try:
             exists = objects.Tag.exists(context, server_id, id)
@@ -74,7 +74,7 @@ class ServerTagsController(wsgi.Controller):
     @extensions.expected_errors(404)
     def index(self, req, server_id):
         context = req.environ["nova.context"]
-        authorize(context, action='index')
+        context.can(st_policies.POLICY_ROOT % 'index')
 
         try:
             tags = objects.TagList.get_by_resource_id(context, server_id)
@@ -88,7 +88,7 @@ class ServerTagsController(wsgi.Controller):
     @validation.schema(schema.update)
     def update(self, req, server_id, id, body):
         context = req.environ["nova.context"]
-        authorize(context, action='update')
+        context.can(st_policies.POLICY_ROOT % 'update')
         self._check_instance_in_valid_state(context, server_id, 'update tag')
 
         try:
@@ -136,7 +136,7 @@ class ServerTagsController(wsgi.Controller):
     @validation.schema(schema.update_all)
     def update_all(self, req, server_id, body):
         context = req.environ["nova.context"]
-        authorize(context, action='update_all')
+        context.can(st_policies.POLICY_ROOT % 'update_all')
         self._check_instance_in_valid_state(context, server_id, 'update tags')
 
         invalid_tags = []
@@ -178,7 +178,7 @@ class ServerTagsController(wsgi.Controller):
     @extensions.expected_errors((404, 409))
     def delete(self, req, server_id, id):
         context = req.environ["nova.context"]
-        authorize(context, action='delete')
+        context.can(st_policies.POLICY_ROOT % 'delete')
         self._check_instance_in_valid_state(context, server_id, 'delete tag')
 
         try:
@@ -193,7 +193,7 @@ class ServerTagsController(wsgi.Controller):
     @extensions.expected_errors((404, 409))
     def delete_all(self, req, server_id):
         context = req.environ["nova.context"]
-        authorize(context, action='delete_all')
+        context.can(st_policies.POLICY_ROOT % 'delete_all')
         self._check_instance_in_valid_state(context, server_id, 'delete tags')
 
         try:

nova/api/openstack/compute/server_usage.py

@@ -14,10 +14,10 @@
 
 from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
+from nova.policies import server_usage as su_policies
 
 
 ALIAS = "os-server-usage"
-authorize = extensions.os_compute_soft_authorizer(ALIAS)
 
 resp_topic = "OS-SRV-USG"
 
@@ -37,7 +37,7 @@ class ServerUsageController(wsgi.Controller):
     @wsgi.extends
     def show(self, req, resp_obj, id):
         context = req.environ['nova.context']
-        if authorize(context):
+        if context.can(su_policies.BASE_POLICY_NAME, fatal=False):
             server = resp_obj.obj['server']
             db_instance = req.get_db_instance(server['id'])
             # server['id'] is guaranteed to be in the cache due to
@@ -47,7 +47,7 @@ class ServerUsageController(wsgi.Controller):
     @wsgi.extends
     def detail(self, req, resp_obj):
         context = req.environ['nova.context']
-        if authorize(context):
+        if context.can(su_policies.BASE_POLICY_NAME, fatal=False):
             servers = list(resp_obj.obj['servers'])
             for server in servers:
                 db_instance = req.get_db_instance(server['id'])

nova/api/openstack/compute/services.py

@@ -22,11 +22,11 @@ from nova.api import validation
 from nova import compute
 from nova import exception
 from nova.i18n import _
+from nova.policies import services as services_policies
 from nova import servicegroup
 from nova import utils
 
 ALIAS = "os-services"
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class ServiceController(wsgi.Controller):
@@ -42,7 +42,7 @@ class ServiceController(wsgi.Controller):
         api_services = ('nova-osapi_compute', 'nova-ec2', 'nova-metadata')
 
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(services_policies.BASE_POLICY_NAME)
 
         _services = [
            s
@@ -155,7 +155,7 @@ class ServiceController(wsgi.Controller):
     def _perform_action(self, req, id, body, actions):
         """Calculate action dictionary dependent on provided fields"""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(services_policies.BASE_POLICY_NAME)
 
         try:
             action = actions[id]
@@ -170,7 +170,7 @@ class ServiceController(wsgi.Controller):
     def delete(self, req, id):
         """Deletes the specified service."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(services_policies.BASE_POLICY_NAME)
 
         try:
             utils.validate_integer(id, 'id')

nova/api/openstack/compute/shelve.py

@@ -21,10 +21,10 @@ from nova.api.openstack import extensions as exts
 from nova.api.openstack import wsgi
 from nova import compute
 from nova import exception
+from nova.policies import shelve as shelve_policies
 
 
 ALIAS = 'os-shelve'
-authorize = exts.os_compute_authorizer(ALIAS)
 
 
 class ShelveController(wsgi.Controller):
@@ -38,7 +38,7 @@ class ShelveController(wsgi.Controller):
     def _shelve(self, req, id, body):
         """Move an instance into shelved mode."""
         context = req.environ["nova.context"]
-        authorize(context, action='shelve')
+        context.can(shelve_policies.POLICY_ROOT % 'shelve')
 
         instance = common.get_instance(self.compute_api, context, id)
         try:
@@ -57,7 +57,7 @@ class ShelveController(wsgi.Controller):
     def _shelve_offload(self, req, id, body):
         """Force removal of a shelved instance from the compute node."""
         context = req.environ["nova.context"]
-        authorize(context, action='shelve_offload')
+        context.can(shelve_policies.POLICY_ROOT % 'shelve_offload')
 
         instance = common.get_instance(self.compute_api, context, id)
         try:
@@ -77,7 +77,7 @@ class ShelveController(wsgi.Controller):
     def _unshelve(self, req, id, body):
         """Restore an instance from shelved mode."""
         context = req.environ["nova.context"]
-        authorize(context, action='unshelve')
+        context.can(shelve_policies.POLICY_ROOT % 'unshelve')
         instance = common.get_instance(self.compute_api, context, id)
         try:
             self.compute_api.unshelve(context, instance)

nova/api/openstack/compute/simple_tenant_usage.py

@@ -26,9 +26,9 @@ from nova.api.openstack import wsgi
 from nova import exception
 from nova.i18n import _
 from nova import objects
+from nova.policies import simple_tenant_usage as stu_policies
 
 ALIAS = "os-simple-tenant-usage"
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 def parse_strtime(dstr, fmt):
@@ -220,7 +220,7 @@ class SimpleTenantUsageController(wsgi.Controller):
         """Retrieve tenant_usage for all tenants."""
         context = req.environ['nova.context']
 
-        authorize(context, action='list')
+        context.can(stu_policies.POLICY_ROOT % 'list')
 
         try:
             (period_start, period_stop, detailed) = self._get_datetime_range(
@@ -243,7 +243,8 @@ class SimpleTenantUsageController(wsgi.Controller):
         tenant_id = id
         context = req.environ['nova.context']
 
-        authorize(context, action='show', target={'project_id': tenant_id})
+        context.can(stu_policies.POLICY_ROOT % 'show',
+                    {'project_id': tenant_id})
 
         try:
             (period_start, period_stop, ignore) = self._get_datetime_range(

nova/api/openstack/compute/suspend_server.py

@@ -19,13 +19,11 @@ from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
 from nova import compute
 from nova import exception
+from nova.policies import suspend_server as ss_policies
 
 ALIAS = "os-suspend-server"
 
 
-authorize = extensions.os_compute_authorizer(ALIAS)
-
-
 class SuspendServerController(wsgi.Controller):
     def __init__(self, *args, **kwargs):
         super(SuspendServerController, self).__init__(*args, **kwargs)
@@ -37,7 +35,7 @@ class SuspendServerController(wsgi.Controller):
     def _suspend(self, req, id, body):
         """Permit admins to suspend the server."""
         context = req.environ['nova.context']
-        authorize(context, action='suspend')
+        context.can(ss_policies.POLICY_ROOT % 'suspend')
         try:
             server = common.get_instance(self.compute_api, context, id)
             self.compute_api.suspend(context, server)
@@ -55,7 +53,7 @@ class SuspendServerController(wsgi.Controller):
     def _resume(self, req, id, body):
         """Permit admins to resume the server from suspend."""
         context = req.environ['nova.context']
-        authorize(context, action='resume')
+        context.can(ss_policies.POLICY_ROOT % 'resume')
         try:
             server = common.get_instance(self.compute_api, context, id)
             self.compute_api.resume(context, server)

nova/api/openstack/compute/tenant_networks.py

@@ -30,6 +30,7 @@ from nova import exception
 from nova.i18n import _
 from nova.i18n import _LE
 import nova.network
+from nova.policies import tenant_networks as tn_policies
 from nova import quota
 
 
@@ -39,7 +40,6 @@ ALIAS = 'os-tenant-networks'
 
 QUOTAS = quota.QUOTAS
 LOG = logging.getLogger(__name__)
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 def network_dict(network):
@@ -76,7 +76,7 @@ class TenantNetworkController(wsgi.Controller):
     @extensions.expected_errors(())
     def index(self, req):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(tn_policies.BASE_POLICY_NAME)
         networks = list(self.network_api.get_all(context))
         if not self._default_networks:
             self._refresh_default_networks()
@@ -86,7 +86,7 @@ class TenantNetworkController(wsgi.Controller):
     @extensions.expected_errors(404)
     def show(self, req, id):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(tn_policies.BASE_POLICY_NAME)
         try:
             network = self.network_api.get(context, id)
         except exception.NetworkNotFound:
@@ -98,7 +98,7 @@ class TenantNetworkController(wsgi.Controller):
     @wsgi.response(202)
     def delete(self, req, id):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(tn_policies.BASE_POLICY_NAME)
         reservation = None
         try:
             if CONF.enable_network_quota:
@@ -133,7 +133,7 @@ class TenantNetworkController(wsgi.Controller):
     @validation.schema(schema.create)
     def create(self, req, body):
         context = req.environ["nova.context"]
-        authorize(context)
+        context.can(tn_policies.BASE_POLICY_NAME)
 
         network = body["network"]
         keys = ["cidr", "cidr_v6", "ipam", "vlan_start", "network_size",

nova/api/openstack/compute/used_limits.py

@@ -16,6 +16,7 @@ import six
 
 from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
+from nova.policies import used_limits as ul_policies
 from nova import quota
 
 
@@ -23,7 +24,6 @@ QUOTAS = quota.QUOTAS
 
 
 ALIAS = "os-used-limits"
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class UsedLimitsController(wsgi.Controller):
@@ -65,7 +65,7 @@ class UsedLimitsController(wsgi.Controller):
                 'project_id': tenant_id,
                 'user_id': context.user_id
                 }
-            authorize(context, target=target)
+            context.can(ul_policies.BASE_POLICY_NAME, target)
             return tenant_id
         return context.project_id
 

nova/api/openstack/compute/virtual_interfaces.py

@@ -24,10 +24,10 @@ from nova.api.openstack import wsgi
 from nova import compute
 from nova.i18n import _
 from nova import network
+from nova.policies import virtual_interfaces as vif_policies
 
 
 ALIAS = 'os-virtual-interfaces'
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 def _translate_vif_summary_view(req, vif):
@@ -56,7 +56,7 @@ class ServerVirtualInterfaceController(wsgi.Controller):
     def _items(self, req, server_id, entity_maker):
         """Returns a list of VIFs, transformed through entity_maker."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vif_policies.BASE_POLICY_NAME)
         instance = common.get_instance(self.compute_api, context, server_id)
 
         try:

nova/api/openstack/compute/volumes.py

@@ -29,11 +29,11 @@ from nova.compute import vm_states
 from nova import exception
 from nova.i18n import _
 from nova import objects
+from nova.policies import volumes as vol_policies
+from nova.policies import volumes_attachments as va_policies
 from nova import volume
 
 ALIAS = "os-volumes"
-authorize = extensions.os_compute_authorizer(ALIAS)
-authorize_attach = extensions.os_compute_authorizer('os-volumes-attachments')
 
 
 def _translate_volume_detail_view(context, vol):
@@ -104,7 +104,7 @@ class VolumeController(wsgi.Controller):
     def show(self, req, id):
         """Return data about the given volume."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vol_policies.BASE_POLICY_NAME)
 
         try:
             vol = self.volume_api.get(context, id)
@@ -118,7 +118,7 @@ class VolumeController(wsgi.Controller):
     def delete(self, req, id):
         """Delete a volume."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vol_policies.BASE_POLICY_NAME)
 
         try:
             self.volume_api.delete(context, id)
@@ -138,7 +138,7 @@ class VolumeController(wsgi.Controller):
     def _items(self, req, entity_maker):
         """Returns a list of volumes, transformed through entity_maker."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vol_policies.BASE_POLICY_NAME)
 
         volumes = self.volume_api.get_all(context)
         limited_list = common.limited(volumes, req)
@@ -150,7 +150,7 @@ class VolumeController(wsgi.Controller):
     def create(self, req, body):
         """Creates a new volume."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vol_policies.BASE_POLICY_NAME)
 
         vol = body['volume']
 
@@ -256,7 +256,7 @@ class VolumeAttachmentController(wsgi.Controller):
     def index(self, req, server_id):
         """Returns the list of volume attachments for a given instance."""
         context = req.environ['nova.context']
-        authorize_attach(context, action='index')
+        context.can(va_policies.POLICY_ROOT % 'index')
         return self._items(req, server_id,
                            entity_maker=_translate_attachment_summary_view)
 
@@ -264,8 +264,8 @@ class VolumeAttachmentController(wsgi.Controller):
     def show(self, req, server_id, id):
         """Return data about the given volume attachment."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vol_policies.BASE_POLICY_NAME)
-        authorize_attach(context, action='show')
+        context.can(va_policies.POLICY_ROOT % 'show')
 
         volume_id = id
         instance = common.get_instance(self.compute_api, context, server_id)
@@ -298,8 +298,8 @@ class VolumeAttachmentController(wsgi.Controller):
     def create(self, req, server_id, body):
         """Attach a volume to an instance."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vol_policies.BASE_POLICY_NAME)
-        authorize_attach(context, action='create')
+        context.can(va_policies.POLICY_ROOT % 'create')
 
         volume_id = body['volumeAttachment']['volumeId']
         device = body['volumeAttachment'].get('device')
@@ -350,8 +350,8 @@ class VolumeAttachmentController(wsgi.Controller):
     @validation.schema(volumes_schema.update_volume_attachment)
     def update(self, req, server_id, id, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vol_policies.BASE_POLICY_NAME)
-        authorize_attach(context, action='update')
+        context.can(va_policies.POLICY_ROOT % 'update')
 
         old_volume_id = id
         try:
@@ -398,8 +398,8 @@ class VolumeAttachmentController(wsgi.Controller):
     def delete(self, req, server_id, id):
         """Detach a volume from an instance."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vol_policies.BASE_POLICY_NAME)
-        authorize_attach(context, action='delete')
+        context.can(va_policies.POLICY_ROOT % 'delete')
 
         volume_id = id
 
@@ -455,7 +455,7 @@ class VolumeAttachmentController(wsgi.Controller):
     def _items(self, req, server_id, entity_maker):
         """Returns a list of attachments, transformed through entity_maker."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vol_policies.BASE_POLICY_NAME)
 
         instance = common.get_instance(self.compute_api, context, server_id)
 
@@ -508,7 +508,7 @@ class SnapshotController(wsgi.Controller):
     def show(self, req, id):
         """Return data about the given snapshot."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vol_policies.BASE_POLICY_NAME)
 
         try:
             vol = self.volume_api.get_snapshot(context, id)
@@ -522,7 +522,7 @@ class SnapshotController(wsgi.Controller):
     def delete(self, req, id):
         """Delete a snapshot."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vol_policies.BASE_POLICY_NAME)
 
         try:
             self.volume_api.delete_snapshot(context, id)
@@ -542,7 +542,7 @@ class SnapshotController(wsgi.Controller):
     def _items(self, req, entity_maker):
         """Returns a list of snapshots, transformed through entity_maker."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vol_policies.BASE_POLICY_NAME)
 
         snapshots = self.volume_api.get_all_snapshots(context)
         limited_list = common.limited(snapshots, req)
@@ -554,7 +554,7 @@ class SnapshotController(wsgi.Controller):
     def create(self, req, body):
         """Creates a new snapshot."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(vol_policies.BASE_POLICY_NAME)
 
         snapshot = body['snapshot']
         volume_id = snapshot['volume_id']

nova/tests/unit/api/openstack/compute/test_security_groups.py

@@ -1398,11 +1398,11 @@ class SecurityGroupsOutputPolicyEnforcementV21(test.NoDBTestCase):
             'server': {'id': '0'},
             'servers': [{'id': '0'}, {'id': '2'}]})
 
-    @mock.patch.object(secgroups_v21, "softauth")
+    @mock.patch('nova.policy.authorize')
-    def test_show_policy_softauth_is_called(self, mock_softauth):
+    def test_show_policy_softauth_is_called(self, mock_authorize):
-        mock_softauth.return_value = False
+        mock_authorize.return_value = False
         self.controller.show(self.req, self.fake_res, FAKE_UUID1)
-        self.assertTrue(mock_softauth.called)
+        self.assertTrue(mock_authorize.called)
 
     @mock.patch.object(nova.network.security_group.openstack_driver,
         "is_neutron_security_groups")
@@ -1410,11 +1410,11 @@ class SecurityGroupsOutputPolicyEnforcementV21(test.NoDBTestCase):
         self.controller.show(self.req, self.fake_res, FAKE_UUID1)
         self.assertFalse(is_neutron_security_groups.called)
 
-    @mock.patch.object(secgroups_v21, "softauth")
+    @mock.patch('nova.policy.authorize')
-    def test_create_policy_softauth_is_called(self, mock_softauth):
+    def test_create_policy_softauth_is_called(self, mock_authorize):
-        mock_softauth.return_value = False
+        mock_authorize.return_value = False
         self.controller.show(self.req, self.fake_res, {})
-        self.assertTrue(mock_softauth.called)
+        self.assertTrue(mock_authorize.called)
 
     @mock.patch.object(nova.network.security_group.openstack_driver,
         "is_neutron_security_groups")
@@ -1422,11 +1422,11 @@ class SecurityGroupsOutputPolicyEnforcementV21(test.NoDBTestCase):
         self.controller.create(self.req, self.fake_res, {})
         self.assertFalse(is_neutron_security_groups.called)
 
-    @mock.patch.object(secgroups_v21, "softauth")
+    @mock.patch('nova.policy.authorize')
-    def test_detail_policy_softauth_is_called(self, mock_softauth):
+    def test_detail_policy_softauth_is_called(self, mock_authorize):
-        mock_softauth.return_value = False
+        mock_authorize.return_value = False
         self.controller.detail(self.req, self.fake_res)
-        self.assertTrue(mock_softauth.called)
+        self.assertTrue(mock_authorize.called)
 
     @mock.patch.object(nova.network.security_group.openstack_driver,
         "is_neutron_security_groups")

nova/tests/unit/api/openstack/compute/test_used_limits.py

@@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import mock
 import six
 
 from nova.api.openstack.compute import used_limits \
@@ -20,6 +21,7 @@ from nova.api.openstack.compute import used_limits \
 from nova.api.openstack import wsgi
 import nova.context
 from nova import exception
+from nova.policies import used_limits as ul_policies
 from nova import quota
 from nova import test
 
@@ -44,8 +46,9 @@ class UsedLimitsTestCaseV21(test.NoDBTestCase):
     def _set_up_controller(self):
         self.ext_mgr = None
         self.controller = used_limits_v21.UsedLimitsController()
-        self.mox.StubOutWithMock(used_limits_v21, 'authorize')
+        patcher = self.mock_can = mock.patch('nova.context.RequestContext.can')
-        self.authorize = used_limits_v21.authorize
+        self.mock_can = patcher.start()
+        self.addCleanup(patcher.stop)
 
     def _do_test_used_limits(self, reserved):
         fake_req = FakeRequest(self.fake_context, reserved=reserved)
@@ -120,13 +123,14 @@ class UsedLimitsTestCaseV21(test.NoDBTestCase):
             self.ext_mgr.is_loaded('os-used-limits-for-admin').AndReturn(True)
             self.ext_mgr.is_loaded('os-server-group-quotas').AndReturn(
                 self.include_server_group_quotas)
-        self.authorize(self.fake_context, target=target)
         self.mox.StubOutWithMock(quota.QUOTAS, 'get_project_quotas')
         quota.QUOTAS.get_project_quotas(self.fake_context, '%s' % tenant_id,
                                         usages=True).AndReturn({})
         self.mox.ReplayAll()
         res = wsgi.ResponseObject(obj)
         self.controller.index(fake_req, res)
+        self.mock_can.assert_called_once_with(ul_policies.BASE_POLICY_NAME,
+                                              target)
 
     def test_admin_can_fetch_used_limits_for_own_project(self):
         project_id = "123456"
@@ -172,13 +176,14 @@ class UsedLimitsTestCaseV21(test.NoDBTestCase):
         fake_req.GET = {'tenant_id': tenant_id}
         if self.ext_mgr is not None:
             self.ext_mgr.is_loaded('os-used-limits-for-admin').AndReturn(True)
-        self.authorize(self.fake_context, target=target). \
+        self.mock_can.side_effect = exception.PolicyNotAuthorized(
-            AndRaise(exception.PolicyNotAuthorized(
+            action=self.used_limit_extension)
-            action=self.used_limit_extension))
         self.mox.ReplayAll()
         res = wsgi.ResponseObject(obj)
         self.assertRaises(exception.PolicyNotAuthorized, self.controller.index,
                           fake_req, res)
+        self.mock_can.assert_called_once_with(ul_policies.BASE_POLICY_NAME,
+                                              target)
 
     def test_used_limits_fetched_for_context_project_id(self):
         project_id = "123456"