policy: Add defaults in code (part 5)

Partially-Implements: bp policy-in-code

Change-Id: I3c400b774ce7fb5a59e6523cfbc9e3ba4d4730c1

etc/nova/policy.json

@@ -14,42 +14,8 @@
     "os_compute_api:servers:discoverable": "@",
     "os_compute_api:servers:migrations:index": "rule:admin_api",
     "os_compute_api:servers:migrations:show": "rule:admin_api",
-    "os_compute_api:os-remote-consoles": "rule:admin_or_owner",
-    "os_compute_api:os-remote-consoles:discoverable": "@",
-    "os_compute_api:os-pause-server:discoverable": "@",
-    "os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
-    "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
-    "os_compute_api:os-pci:pci_servers": "rule:admin_or_owner",
-    "os_compute_api:os-pci:discoverable": "@",
-    "os_compute_api:os-pci:index": "rule:admin_api",
-    "os_compute_api:os-pci:detail": "rule:admin_api",
-    "os_compute_api:os-pci:show": "rule:admin_api",
-    "os_compute_api:os-personality:discoverable": "@",
-    "os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "@",
-    "os_compute_api:os-quota-sets:discoverable": "@",
-    "os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
-    "os_compute_api:os-quota-sets:defaults": "@",
-    "os_compute_api:os-quota-sets:update": "rule:admin_api",
-    "os_compute_api:os-quota-sets:delete": "rule:admin_api",
-    "os_compute_api:os-quota-sets:detail": "rule:admin_api",
-    "os_compute_api:os-quota-class-sets:update": "rule:admin_api",
-    "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
-    "os_compute_api:os-quota-class-sets:discoverable": "@",
-    "os_compute_api:os-rescue": "rule:admin_or_owner",
-    "os_compute_api:os-rescue:discoverable": "@",
-    "os_compute_api:os-scheduler-hints:discoverable": "@",
-    "os_compute_api:os-security-group-default-rules:discoverable": "@",
-    "os_compute_api:os-security-group-default-rules": "rule:admin_api",
-    "os_compute_api:os-security-groups": "rule:admin_or_owner",
-    "os_compute_api:os-security-groups:discoverable": "@",
-    "os_compute_api:os-server-diagnostics": "rule:admin_api",
-    "os_compute_api:os-server-diagnostics:discoverable": "@",
-    "os_compute_api:os-server-password": "rule:admin_or_owner",
-    "os_compute_api:os-server-password:discoverable": "@",
     "os_compute_api:os-server-usage": "rule:admin_or_owner",
     "os_compute_api:os-server-usage:discoverable": "@",
-    "os_compute_api:os-server-groups": "rule:admin_or_owner",
-    "os_compute_api:os-server-groups:discoverable": "@",
     "os_compute_api:os-server-tags:index": "@",
     "os_compute_api:os-server-tags:show": "@",
     "os_compute_api:os-server-tags:update": "@",
@@ -58,13 +24,6 @@
     "os_compute_api:os-server-tags:delete_all": "@",
     "os_compute_api:os-services": "rule:admin_api",
     "os_compute_api:os-services:discoverable": "@",
-    "os_compute_api:server-metadata:discoverable": "@",
-    "os_compute_api:server-metadata:index": "rule:admin_or_owner",
-    "os_compute_api:server-metadata:show": "rule:admin_or_owner",
-    "os_compute_api:server-metadata:delete": "rule:admin_or_owner",
-    "os_compute_api:server-metadata:create": "rule:admin_or_owner",
-    "os_compute_api:server-metadata:update": "rule:admin_or_owner",
-    "os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
     "os_compute_api:os-shelve:shelve": "rule:admin_or_owner",
     "os_compute_api:os-shelve:shelve:discoverable": "@",
     "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
@@ -89,7 +48,5 @@
     "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner",
     "os_compute_api:os-volumes-attachments:discoverable": "@",
     "os_compute_api:os-used-limits": "rule:admin_api",
-    "os_compute_api:os-used-limits:discoverable": "@",
-    "os_compute_api:os-server-external-events:create": "rule:admin_api",
-    "os_compute_api:os-server-external-events:discoverable": "@"
+    "os_compute_api:os-used-limits:discoverable": "@"
 }

nova/policies/__init__.py

@@ -67,6 +67,22 @@ from nova.policies import migrations
 from nova.policies import multinic
 from nova.policies import networks
 from nova.policies import networks_associate
+from nova.policies import pause_server
+from nova.policies import pci
+from nova.policies import personality
+from nova.policies import preserve_ephemeral_rebuild
+from nova.policies import quota_class_sets
+from nova.policies import quota_sets
+from nova.policies import remote_consoles
+from nova.policies import rescue
+from nova.policies import scheduler_hints
+from nova.policies import security_group_default_rules
+from nova.policies import security_groups
+from nova.policies import server_diagnostics
+from nova.policies import server_external_events
+from nova.policies import server_groups
+from nova.policies import server_metadata
+from nova.policies import server_password
 from nova.policies import servers
 
 
@@ -126,5 +142,21 @@ def list_rules():
         multinic.list_rules(),
         networks.list_rules(),
         networks_associate.list_rules(),
+        pause_server.list_rules(),
+        pci.list_rules(),
+        personality.list_rules(),
+        preserve_ephemeral_rebuild.list_rules(),
+        quota_class_sets.list_rules(),
+        quota_sets.list_rules(),
+        remote_consoles.list_rules(),
+        rescue.list_rules(),
+        scheduler_hints.list_rules(),
+        security_group_default_rules.list_rules(),
+        security_groups.list_rules(),
+        server_diagnostics.list_rules(),
+        server_external_events.list_rules(),
+        server_groups.list_rules(),
+        server_metadata.list_rules(),
+        server_password.list_rules(),
         servers.list_rules()
     )

nova/policies/pause_server.py

@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-pause-server:%s'
+
+
+pause_server_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'unpause',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'pause',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return pause_server_policies

nova/policies/pci.py

@@ -0,0 +1,44 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-pci:%s'
+
+
+pci_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'index',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'detail',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'pci_servers',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return pci_policies

nova/policies/personality.py

@@ -0,0 +1,32 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-personality:%s'
+
+
+personality_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return personality_policies

nova/policies/preserve_ephemeral_rebuild.py

@@ -0,0 +1,32 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-preserve-ephemeral-rebuild:%s'
+
+
+preserve_ephemeral_rebuild_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return preserve_ephemeral_rebuild_policies

nova/policies/quota_class_sets.py

@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-quota-class-sets:%s'
+
+
+quota_class_sets_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str='is_admin:True or quota_class:%(quota_class)s'),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'update',
+        check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+    return quota_class_sets_policies

nova/policies/quota_sets.py

@@ -0,0 +1,47 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-quota-sets:%s'
+
+
+quota_sets_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'update',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'defaults',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'delete',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'detail',
+        check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+    return quota_sets_policies

nova/policies/remote_consoles.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-remote-consoles'
+POLICY_ROOT = 'os_compute_api:os-remote-consoles:%s'
+
+
+remote_consoles_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return remote_consoles_policies

nova/policies/rescue.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-rescue'
+POLICY_ROOT = 'os_compute_api:os-rescue:%s'
+
+
+rescue_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return rescue_policies

nova/policies/scheduler_hints.py

@@ -0,0 +1,32 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-scheduler-hints:%s'
+
+
+scheduler_hints_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return scheduler_hints_policies

nova/policies/security_group_default_rules.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-security-group-default-rules'
+POLICY_ROOT = 'os_compute_api:os-security-group-default-rules:%s'
+
+
+security_group_default_rules_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+    return security_group_default_rules_policies

nova/policies/security_groups.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-security-groups'
+POLICY_ROOT = 'os_compute_api:os-security-groups:%s'
+
+
+security_groups_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return security_groups_policies

nova/policies/server_diagnostics.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-server-diagnostics'
+POLICY_ROOT = 'os_compute_api:os-server-diagnostics:%s'
+
+
+server_diagnostics_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return server_diagnostics_policies

nova/policies/server_external_events.py

@@ -0,0 +1,35 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-server-external-events:%s'
+
+
+server_external_events_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'create',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return server_external_events_policies

nova/policies/server_groups.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-server-groups'
+POLICY_ROOT = 'os_compute_api:os-server-groups:%s'
+
+
+server_groups_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return server_groups_policies

nova/policies/server_metadata.py

@@ -0,0 +1,50 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:server-metadata:%s'
+
+
+server_metadata_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'index',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'create',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'update_all',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'delete',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'update',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return server_metadata_policies

nova/policies/server_password.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-server-password'
+POLICY_ROOT = 'os_compute_api:os-server-password:%s'
+
+
+server_password_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return server_password_policies