Change os-server-tags default policy

os-server-tags operations should be limited only to admin or owner
of the server. This patch changes the default policy to
from ANY to ADMIN_OR_OWNER.

This patch doesn't address the actual policy check at the API level.
This would be fixed as part of a wider effort. For now, we maintain
consistency with other similar APIs.

Change-Id: If5f48fad9f040dd08060b4a86858a3b223550956
Closes-Bug: #1581203

nova/policies/server_tags.py

@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-server-tags:%s'
 server_tags_policies = [
     base.create_rule_default(
         POLICY_ROOT % 'delete_all',
-        base.RULE_ANY,
+        base.RULE_ADMIN_OR_OWNER,
         "Delete all the server tags",
         [
             {
@@ -34,7 +34,7 @@ server_tags_policies = [
         ]),
     base.create_rule_default(
         POLICY_ROOT % 'index',
-        base.RULE_ANY,
+        base.RULE_ADMIN_OR_OWNER,
         "List all tags for given server",
         [
             {
@@ -44,7 +44,7 @@ server_tags_policies = [
         ]),
     base.create_rule_default(
         POLICY_ROOT % 'update_all',
-        base.RULE_ANY,
+        base.RULE_ADMIN_OR_OWNER,
         "Replace all tags on specified server with the new set of tags.",
         [
             {
@@ -55,7 +55,7 @@ server_tags_policies = [
         ]),
     base.create_rule_default(
         POLICY_ROOT % 'delete',
-        base.RULE_ANY,
+        base.RULE_ADMIN_OR_OWNER,
         "Delete a single tag from the specified server",
         [
             {
@@ -66,7 +66,7 @@ server_tags_policies = [
     ),
     base.create_rule_default(
         POLICY_ROOT % 'update',
-        base.RULE_ANY,
+        base.RULE_ADMIN_OR_OWNER,
         "Add a single tag to the server if server has no specified tag",
         [
             {
@@ -77,7 +77,7 @@ server_tags_policies = [
     ),
     base.create_rule_default(
         POLICY_ROOT % 'show',
-        base.RULE_ANY,
+        base.RULE_ADMIN_OR_OWNER,
         "Check tag existence on the server.",
         [
             {
@@ -88,7 +88,7 @@ server_tags_policies = [
     ),
     policy.RuleDefault(
         name=POLICY_ROOT % 'discoverable',
-        check_str=base.RULE_ANY),
+        check_str=base.RULE_ANY)
 ]
 
 

nova/tests/unit/test_policy.py

@@ -419,6 +419,12 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-server-password",
 "os_compute_api:os-server-usage",
 "os_compute_api:os-server-groups",
+"os_compute_api:os-server-tags:delete",
+"os_compute_api:os-server-tags:delete_all",
+"os_compute_api:os-server-tags:index",
+"os_compute_api:os-server-tags:show",
+"os_compute_api:os-server-tags:update",
+"os_compute_api:os-server-tags:update_all",
 "os_compute_api:os-server-groups:index",
 "os_compute_api:os-server-groups:show",
 "os_compute_api:os-server-groups:create",
@@ -503,13 +509,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-server-password:discoverable",
 "os_compute_api:os-server-usage:discoverable",
 "os_compute_api:os-server-groups:discoverable",
-"os_compute_api:os-server-tags:delete",
-"os_compute_api:os-server-tags:delete_all",
 "os_compute_api:os-server-tags:discoverable",
-"os_compute_api:os-server-tags:index",
-"os_compute_api:os-server-tags:show",
-"os_compute_api:os-server-tags:update",
-"os_compute_api:os-server-tags:update_all",
 "os_compute_api:os-services:discoverable",
 "os_compute_api:server-metadata:discoverable",
 "os_compute_api:server-migrations:discoverable",

releasenotes/notes/os-server-tags-default-policy-change-003a244908a67289.yaml

@@ -0,0 +1,5 @@
+upgrade:
+  - The default policy on os-server-tags has been changed from
+    ``RULE_ANY`` (allow all) to ``RULE_ADMIN_OR_OWNER``. This is because server
+    tags should only be manipulated on servers owned by the user or admin. This
+    doesn't have any affect on how the API works.