From f72fa9a739ce3f9e789ffa8547c3a9447a735c3b Mon Sep 17 00:00:00 2001 
From: ghanshyam Date: Sun, 29 Jul 2018 11:44:10 +0000 Subject: [PATCH] Remove the deprecated API extensions policies API extensions policies have been deprecated in 17.0.0 release[1]. This commit removes them. [1] Ie05f4e84519f8a00ffb66ea5ee920d5c7722a66b Change-Id: Ib3faf85c78bc2cdee13175560dc1458ddb6cb7a8 --- nova/api/openstack/compute/config_drive.py | 9 +-- .../compute/extended_availability_zone.py | 17 +++--- nova/api/openstack/compute/extended_status.py | 27 ++++----- .../api/openstack/compute/extended_volumes.py | 25 ++++---- nova/api/openstack/compute/image_size.py | 27 ++++----- nova/api/openstack/compute/keypairs.py | 8 +-- nova/api/openstack/compute/security_groups.py | 3 - nova/api/openstack/compute/server_usage.py | 27 ++++----- nova/api/openstack/compute/views/flavors.py | 48 ++------------- nova/policies/__init__.py | 14 ----- nova/policies/config_drive.py | 51 ---------------- nova/policies/extended_availability_zone.py | 51 ---------------- nova/policies/extended_status.py | 58 ------------------ nova/policies/extended_volumes.py | 52 ---------------- nova/policies/flavor_access.py | 35 +---------- nova/policies/flavor_rxtx.py | 60 ------------------- nova/policies/image_size.py | 51 ---------------- nova/policies/keypairs.py | 25 -------- nova/policies/security_groups.py | 26 +------- nova/policies/server_usage.py | 58 ------------------ .../compute/test_extended_volumes.py | 26 -------- .../api/openstack/compute/test_flavors.py | 48 --------------- .../openstack/compute/test_security_groups.py | 51 ---------------- nova/tests/unit/test_policy.py | 8 --- ...-extensions-policies-311846b2eb839a22.yaml | 26 ++++++++ 25 files changed, 90 insertions(+), 741 deletions(-) delete mode 100644 nova/policies/config_drive.py delete mode 100644 nova/policies/extended_availability_zone.py delete mode 100644 nova/policies/extended_status.py delete mode 100644 nova/policies/extended_volumes.py delete mode 100644 nova/policies/flavor_rxtx.py delete mode 100644 
nova/policies/image_size.py delete mode 100644 nova/policies/server_usage.py create mode 100644 releasenotes/notes/remove-deprecated-api-extensions-policies-311846b2eb839a22.yaml diff --git a/nova/api/openstack/compute/config_drive.py b/nova/api/openstack/compute/config_drive.py index 6987499a0d32..fe1b85995ebb 100644 --- a/nova/api/openstack/compute/config_drive.py +++ b/nova/api/openstack/compute/config_drive.py @@ -16,7 +16,6 @@ """Config Drive extension.""" from nova.api.openstack import wsgi -from nova.policies import config_drive as cd_policies ATTRIBUTE_NAME = "config_drive" @@ -37,14 +36,10 @@ class ConfigDriveController(wsgi.Controller): @wsgi.extends def show(self, req, resp_obj, id): - context = req.environ['nova.context'] - if context.can(cd_policies.BASE_POLICY_NAME, fatal=False): - self._show(req, resp_obj) + self._show(req, resp_obj) @wsgi.extends def detail(self, req, resp_obj): - context = req.environ['nova.context'] - if 'servers' in resp_obj.obj and context.can( - cd_policies.BASE_POLICY_NAME, fatal=False): + if 'servers' in resp_obj.obj: servers = resp_obj.obj['servers'] self._add_config_drive(req, servers) diff --git a/nova/api/openstack/compute/extended_availability_zone.py b/nova/api/openstack/compute/extended_availability_zone.py index ac562c588a01..0d63169ea33f 100644 --- a/nova/api/openstack/compute/extended_availability_zone.py +++ b/nova/api/openstack/compute/extended_availability_zone.py @@ -17,7 +17,6 @@ from nova.api.openstack import wsgi from nova import availability_zones as avail_zone -from nova.policies import extended_availability_zone as eaz_policies PREFIX = "OS-EXT-AZ" 
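Review bot: With the `context.can(cd_policies.BASE_POLICY_NAME, fatal=False)` guard removed from `show` and `detail`, `config_drive` is now added to every server response, so a deployment that overrode `os_compute_api:os-config-drive` to hide the attribute starts returning it with no error or warning (an override left in the policy file is presumably just never evaluated). The same holds for the guards removed in extended_availability_zone.py, extended_status.py, extended_volumes.py, image_size.py, keypairs.py, security_groups.py, server_usage.py and views/flavors.py. The diffstat lists only deletions under nova/tests, so nothing pins the new always-on behaviour; I would add a positive check per controller for a non-admin context, along the lines of `assertIn('config_drive', server)`, and confirm that the release note (its body is not visible here) names each removed rule under upgrade impact.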
@@ -34,16 +33,14 @@ class ExtendedAZController(wsgi.Controller): @wsgi.extends def show(self, req, resp_obj, id): context = req.environ['nova.context'] - if context.can(eaz_policies.BASE_POLICY_NAME, fatal=False): - server = resp_obj.obj['server'] - db_instance = req.get_db_instance(server['id']) - self._extend_server(context, server, db_instance) + server = resp_obj.obj['server'] + db_instance = req.get_db_instance(server['id']) + self._extend_server(context, server, db_instance) @wsgi.extends def detail(self, req, resp_obj): context = req.environ['nova.context'] - if context.can(eaz_policies.BASE_POLICY_NAME, fatal=False): - servers = list(resp_obj.obj['servers']) - for server in servers: - db_instance = req.get_db_instance(server['id']) - self._extend_server(context, server, db_instance) + servers = list(resp_obj.obj['servers']) + for server in servers: + db_instance = req.get_db_instance(server['id']) + self._extend_server(context, server, db_instance) diff --git a/nova/api/openstack/compute/extended_status.py b/nova/api/openstack/compute/extended_status.py index e1bb52b2890f..5f0faa0ad16b 100644 --- a/nova/api/openstack/compute/extended_status.py +++ b/nova/api/openstack/compute/extended_status.py @@ -15,7 +15,6 @@ """The Extended Status Admin API extension.""" from nova.api.openstack import wsgi -from nova.policies import extended_status as es_policies class ExtendedStatusController(wsgi.Controller): 
@@ -32,21 +31,17 @@ class ExtendedStatusController(wsgi.Controller): @wsgi.extends def show(self, req, resp_obj, id): - context = req.environ['nova.context'] - if context.can(es_policies.BASE_POLICY_NAME, fatal=False): - server = resp_obj.obj['server'] - db_instance = req.get_db_instance(server['id']) - # server['id'] is guaranteed to be in the cache due to - # the core API adding it in its 'show' method. - self._extend_server(server, db_instance) + server = resp_obj.obj['server'] + db_instance = req.get_db_instance(server['id']) + # server['id'] is guaranteed to be in the cache due to + # the core API adding it in its 'show' method. + self._extend_server(server, db_instance) @wsgi.extends def detail(self, req, resp_obj): - context = req.environ['nova.context'] - if context.can(es_policies.BASE_POLICY_NAME, fatal=False): - servers = list(resp_obj.obj['servers']) - for server in servers: - db_instance = req.get_db_instance(server['id']) - # server['id'] is guaranteed to be in the cache due to - # the core API adding it in its 'detail' method. - self._extend_server(server, db_instance) + servers = list(resp_obj.obj['servers']) + for server in servers: + db_instance = req.get_db_instance(server['id']) + # server['id'] is guaranteed to be in the cache due to + # the core API adding it in its 'detail' method. + self._extend_server(server, db_instance) diff --git a/nova/api/openstack/compute/extended_volumes.py b/nova/api/openstack/compute/extended_volumes.py index a88a45875355..e203f1350fd0 100644 --- a/nova/api/openstack/compute/extended_volumes.py +++ b/nova/api/openstack/compute/extended_volumes.py 
@@ -19,13 +19,12 @@ from nova.api.openstack import api_version_request from nova.api.openstack import wsgi from nova import context from nova import objects -from nova.policies import extended_volumes as ev_policies LOG = logging.getLogger(__name__) class ExtendedVolumesController(wsgi.Controller): - def _extend_server(self, context, server, req, bdms): + def _extend_server(self, server, req, bdms): volumes_attached = [] for bdm in bdms: if bdm.get('volume_id'): @@ -43,12 +42,11 @@ class ExtendedVolumesController(wsgi.Controller): @wsgi.extends def show(self, req, resp_obj, id): context = req.environ['nova.context'] - if context.can(ev_policies.BASE_POLICY_NAME, fatal=False): - server = resp_obj.obj['server'] - bdms = objects.BlockDeviceMappingList.bdms_by_instance_uuid( - context, [server['id']]) - instance_bdms = self._get_instance_bdms(bdms, server) - self._extend_server(context, server, req, instance_bdms) + server = resp_obj.obj['server'] + bdms = objects.BlockDeviceMappingList.bdms_by_instance_uuid( + context, [server['id']]) + instance_bdms = self._get_instance_bdms(bdms, server) + self._extend_server(server, req, instance_bdms) @staticmethod def _get_instance_bdms_in_multiple_cells(ctxt, servers): 
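Review bot: In `show`, the local `context = req.environ['nova.context']` shadows the module imported by `from nova import context` in the first hunk of this file, and after this change its only remaining use in the method is the `bdms_by_instance_uuid` call. Binding it as `ctxt = req.environ['nova.context']`, the name `_get_instance_bdms_in_multiple_cells(ctxt, servers)` already uses, keeps the module reachable inside the method and makes the two code paths read alike. `detail` in the next hunk of this file carries the same binding and could take the same rename.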
@@ -82,12 +80,11 @@ class ExtendedVolumesController(wsgi.Controller): @wsgi.extends def detail(self, req, resp_obj): context = req.environ['nova.context'] - if context.can(ev_policies.BASE_POLICY_NAME, fatal=False): - servers = list(resp_obj.obj['servers']) - bdms = self._get_instance_bdms_in_multiple_cells(context, servers) - for server in servers: - instance_bdms = self._get_instance_bdms(bdms, server) - self._extend_server(context, server, req, instance_bdms) + servers = list(resp_obj.obj['servers']) + bdms = self._get_instance_bdms_in_multiple_cells(context, servers) + for server in servers: + instance_bdms = self._get_instance_bdms(bdms, server) + self._extend_server(server, req, instance_bdms) def _get_instance_bdms(self, bdms, server): # server['id'] is guaranteed to be in the cache due to diff --git a/nova/api/openstack/compute/image_size.py b/nova/api/openstack/compute/image_size.py index 8ed4ae6135ff..c6569c690601 100644 --- a/nova/api/openstack/compute/image_size.py +++ b/nova/api/openstack/compute/image_size.py @@ -14,7 +14,6 @@ # under the License. from nova.api.openstack import wsgi -from nova.policies import image_size as is_policies class ImageSizeController(wsgi.Controller): 
@@ -28,21 +27,17 @@ class ImageSizeController(wsgi.Controller): @wsgi.extends def show(self, req, resp_obj, id): - context = req.environ["nova.context"] - if context.can(is_policies.BASE_POLICY_NAME, fatal=False): - image_resp = resp_obj.obj['image'] - # image guaranteed to be in the cache due to the core API adding - # it in its 'show' method - image_cached = req.get_db_item('images', image_resp['id']) - self._extend_image(image_resp, image_cached) + image_resp = resp_obj.obj['image'] + # image guaranteed to be in the cache due to the core API adding + # it in its 'show' method + image_cached = req.get_db_item('images', image_resp['id']) + self._extend_image(image_resp, image_cached) @wsgi.extends def detail(self, req, resp_obj): - context = req.environ['nova.context'] - if context.can(is_policies.BASE_POLICY_NAME, fatal=False): - images_resp = list(resp_obj.obj['images']) - # images guaranteed to be in the cache due to the core API adding - # it in its 'detail' method - for image in images_resp: - image_cached = req.get_db_item('images', image['id']) - self._extend_image(image, image_cached) + images_resp = list(resp_obj.obj['images']) + # images guaranteed to be in the cache due to the core API adding + # it in its 'detail' method + for image in images_resp: + image_cached = req.get_db_item('images', image['id']) + self._extend_image(image, image_cached) diff --git a/nova/api/openstack/compute/keypairs.py b/nova/api/openstack/compute/keypairs.py index b3c7bbb111e3..673c65bcaea7 100644 --- a/nova/api/openstack/compute/keypairs.py +++ b/nova/api/openstack/compute/keypairs.py 
@@ -306,14 +306,10 @@ class Controller(wsgi.Controller): @wsgi.extends def show(self, req, resp_obj, id): - context = req.environ['nova.context'] - if context.can(kp_policies.BASE_POLICY_NAME, fatal=False): - self._show(req, resp_obj) + self._show(req, resp_obj) @wsgi.extends def detail(self, req, resp_obj): - context = req.environ['nova.context'] - if 'servers' in resp_obj.obj and context.can( - kp_policies.BASE_POLICY_NAME, fatal=False): + if 'servers' in resp_obj.obj: servers = resp_obj.obj['servers'] self._add_key_name(req, servers) diff --git a/nova/api/openstack/compute/security_groups.py b/nova/api/openstack/compute/security_groups.py index 9801f46dcd77..12c3588887a6 100644 --- a/nova/api/openstack/compute/security_groups.py +++ b/nova/api/openstack/compute/security_groups.py @@ -490,9 +490,6 @@ class SecurityGroupsOutputController(wsgi.Controller): return key = "security_groups" context = req.environ['nova.context'] - if not context.can(sg_policies.BASE_POLICY_NAME, fatal=False): - return - if not openstack_driver.is_neutron_security_groups(): for server in servers: instance = req.get_db_instance(server['id']) diff --git a/nova/api/openstack/compute/server_usage.py b/nova/api/openstack/compute/server_usage.py index 5448f8bc23f0..d97591ad5f23 100644 --- a/nova/api/openstack/compute/server_usage.py +++ b/nova/api/openstack/compute/server_usage.py @@ -13,7 +13,6 @@ # under the License. from nova.api.openstack import wsgi -from nova.policies import server_usage as su_policies resp_topic = "OS-SRV-USG" 
@@ -33,21 +32,17 @@ class ServerUsageController(wsgi.Controller): @wsgi.extends def show(self, req, resp_obj, id): - context = req.environ['nova.context'] - if context.can(su_policies.BASE_POLICY_NAME, fatal=False): - server = resp_obj.obj['server'] - db_instance = req.get_db_instance(server['id']) - # server['id'] is guaranteed to be in the cache due to - # the core API adding it in its 'show' method. - self._extend_server(server, db_instance) + server = resp_obj.obj['server'] + db_instance = req.get_db_instance(server['id']) + # server['id'] is guaranteed to be in the cache due to + # the core API adding it in its 'show' method. + self._extend_server(server, db_instance) @wsgi.extends def detail(self, req, resp_obj): - context = req.environ['nova.context'] - if context.can(su_policies.BASE_POLICY_NAME, fatal=False): - servers = list(resp_obj.obj['servers']) - for server in servers: - db_instance = req.get_db_instance(server['id']) - # server['id'] is guaranteed to be in the cache due to - # the core API adding it in its 'detail' method. - self._extend_server(server, db_instance) + servers = list(resp_obj.obj['servers']) + for server in servers: + db_instance = req.get_db_instance(server['id']) + # server['id'] is guaranteed to be in the cache due to + # the core API adding it in its 'detail' method. + self._extend_server(server, db_instance) diff --git a/nova/api/openstack/compute/views/flavors.py b/nova/api/openstack/compute/views/flavors.py index a7b2a045ddce..2c7e925f525d 100644 --- a/nova/api/openstack/compute/views/flavors.py +++ b/nova/api/openstack/compute/views/flavors.py @@ -15,8 +15,6 @@ from nova.api.openstack import api_version_request from nova.api.openstack import common -from nova.policies import flavor_access as fa_policies -from nova.policies import flavor_rxtx as fr_policies FLAVOR_DESCRIPTION_MICROVERSION = '2.55' FLAVOR_EXTRA_SPECS_MICROVERSION = '2.61' 
@@ -27,12 +25,10 @@ class ViewBuilder(common.ViewBuilder): _collection_name = "flavors" def basic(self, request, flavor, include_description=False, - update_is_public=None, update_rxtx_factor=None, include_extra_specs=False): - # include_extra_specs & update_is_public & update_rxtx_factor are - # placeholder param which are not used in this method as basic() method - # is used by index() (GET /flavors) which does not return those keys in - # response. + # include_extra_specs is placeholder param which is not used in + # this method as basic() method is used by index() (GET /flavors) + # which does not return those keys in response. flavor_dict = { "flavor": { "id": flavor["flavorid"], @@ -49,7 +45,6 @@ class ViewBuilder(common.ViewBuilder): return flavor_dict def show(self, request, flavor, include_description=False, - update_is_public=None, update_rxtx_factor=None, include_extra_specs=False): flavor_dict = { "flavor": { @@ -61,6 +56,8 @@ class ViewBuilder(common.ViewBuilder): "OS-FLV-EXT-DATA:ephemeral": flavor["ephemeral_gb"], "OS-FLV-DISABLED:disabled": flavor["disabled"], "vcpus": flavor["vcpus"], + "os-flavor-access:is_public": flavor['is_public'], + "rxtx_factor": flavor['rxtx_factor'] or "", "links": self._get_links(request, flavor["flavorid"], self._collection_name), 
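Review bot: The rewritten comment in `basic` still ends with "does not return those keys in response" although only one parameter is left, so it no longer says which key is meant. Suggested wording: `# include_extra_specs is a placeholder and unused here: basic() backs index() (GET /flavors), which does not return extra_specs.` In the `show` hunk further along this line, the two added entries index with `flavor['is_public']` and `flavor['rxtx_factor']` while the neighbouring entries use `flavor["vcpus"]`; using double quotes there keeps the dict literal uniform.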
@@ -73,26 +70,6 @@ class ViewBuilder(common.ViewBuilder): if include_extra_specs: flavor_dict['flavor']['extra_specs'] = flavor.extra_specs - # TODO(gmann): 'update_is_public' & 'update_rxtx_factor' are policies - # checks. Once os-flavor-access & os-flavor-rxtx policies are - # removed, 'os-flavor-access:is_public' and 'rxtx_factor' need to be - # added in response without any check. - - # Evaluate the policies when using show method directly. - context = request.environ['nova.context'] - if update_is_public is None: - update_is_public = context.can(fa_policies.BASE_POLICY_NAME, - fatal=False) - if update_rxtx_factor is None: - update_rxtx_factor = context.can(fr_policies.BASE_POLICY_NAME, - fatal=False) - if update_is_public: - flavor_dict['flavor'].update({ - "os-flavor-access:is_public": flavor['is_public']}) - if update_rxtx_factor: - flavor_dict['flavor'].update( - {"rxtx_factor": flavor['rxtx_factor'] or ""}) - return flavor_dict def index(self, request, flavors): @@ -108,20 +85,12 @@ class ViewBuilder(common.ViewBuilder): coll_name = self._collection_name + '/detail' include_description = api_version_request.is_supported( request, FLAVOR_DESCRIPTION_MICROVERSION) - context = request.environ['nova.context'] - update_is_public = context.can(fa_policies.BASE_POLICY_NAME, - fatal=False) - update_rxtx_factor = context.can(fr_policies.BASE_POLICY_NAME, - fatal=False) return self._list_view(self.show, request, flavors, coll_name, include_description=include_description, - update_is_public=update_is_public, - update_rxtx_factor=update_rxtx_factor, include_extra_specs=include_extra_specs) def _list_view(self, func, request, flavors, coll_name, - include_description=False, update_is_public=None, - update_rxtx_factor=None, include_extra_specs=False): + include_description=False, include_extra_specs=False): """Provide a view for a list of flavors. :param func: Function used to format the flavor data 
@@ -131,17 +100,12 @@ class ViewBuilder(common.ViewBuilder): for a pagination query :param include_description: If the flavor.description should be included in the response dict. - :param update_is_public: If the flavor.is_public field should be - included in the response dict. - :param update_rxtx_factor: If the flavor.rxtx_factor field should be - included in the response dict. :param include_extra_specs: If the flavor.extra_specs should be included in the response dict. :returns: Flavor reply data in dictionary format """ flavor_list = [func(request, flavor, include_description, - update_is_public, update_rxtx_factor, include_extra_specs)["flavor"] for flavor in flavors] flavors_links = self._get_collection_links(request, diff --git a/nova/policies/__init__.py b/nova/policies/__init__.py index bd7b04dbcc8c..5f45824e989b 100644 --- a/nova/policies/__init__.py +++ b/nova/policies/__init__.py 
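Review bot: `_list_view` still passes the flags to `func` by position, and this commit removes two parameters from the middle of the `basic`/`show` signatures, so `include_extra_specs` moves from the sixth to the fourth argument after `self`. A caller outside this diff that still passes a fourth positional value would bind it to `include_extra_specs` without any error. Passing by name, `func(request, flavor, include_description=include_description, include_extra_specs=include_extra_specs)["flavor"]`, makes the call independent of parameter order. The body of `_list_view` continues outside the hunk.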
@@ -24,29 +24,23 @@ from nova.policies import baremetal_nodes from nova.policies import base from nova.policies import cells from nova.policies import cells_scheduler -from nova.policies import config_drive from nova.policies import console_auth_tokens from nova.policies import console_output from nova.policies import consoles from nova.policies import create_backup from nova.policies import deferred_delete from nova.policies import evacuate -from nova.policies import extended_availability_zone from nova.policies import extended_server_attributes -from nova.policies import extended_status -from nova.policies import extended_volumes from nova.policies import extensions from nova.policies import flavor_access from nova.policies import flavor_extra_specs from nova.policies import flavor_manage -from nova.policies import flavor_rxtx from nova.policies import flavors from nova.policies import floating_ip_pools from nova.policies import floating_ips from nova.policies import hide_server_addresses from nova.policies import hosts from nova.policies import hypervisors -from nova.policies import image_size from nova.policies import instance_actions from nova.policies import instance_usage_audit_log from nova.policies import ips @@ -71,7 +65,6 @@ from nova.policies import server_groups from nova.policies import server_metadata from nova.policies import server_password from nova.policies import server_tags -from nova.policies import server_usage from nova.policies import servers from nova.policies import servers_migrations from nova.policies import services 
@@ -97,29 +90,23 @@ def list_rules(): baremetal_nodes.list_rules(), cells.list_rules(), cells_scheduler.list_rules(), - config_drive.list_rules(), console_auth_tokens.list_rules(), console_output.list_rules(), consoles.list_rules(), create_backup.list_rules(), deferred_delete.list_rules(), evacuate.list_rules(), - extended_availability_zone.list_rules(), extended_server_attributes.list_rules(), - extended_status.list_rules(), - extended_volumes.list_rules(), extensions.list_rules(), flavor_access.list_rules(), flavor_extra_specs.list_rules(), flavor_manage.list_rules(), - flavor_rxtx.list_rules(), flavors.list_rules(), floating_ip_pools.list_rules(), floating_ips.list_rules(), hide_server_addresses.list_rules(), hosts.list_rules(), hypervisors.list_rules(), - image_size.list_rules(), instance_actions.list_rules(), instance_usage_audit_log.list_rules(), ips.list_rules(), @@ -144,7 +131,6 @@ def list_rules(): server_metadata.list_rules(), server_password.list_rules(), server_tags.list_rules(), - server_usage.list_rules(), servers.list_rules(), servers_migrations.list_rules(), services.list_rules(), diff --git a/nova/policies/config_drive.py b/nova/policies/config_drive.py deleted file mode 100644 index 6bce5df8b347..000000000000 --- a/nova/policies/config_drive.py +++ /dev/null 
@@ -1,51 +0,0 @@
-# Copyright 2016 Cloudbase Solutions Srl
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_policy import policy
-
-from nova.policies import base
-
-
-BASE_POLICY_NAME = 'os_compute_api:os-config-drive'
-
-
-config_drive_policies = [
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- "Add 'config_drive' attribute in the server response",
- [
- {
- 'method': 'GET',
- 'path': '/servers/{id}'
- },
- {
- 'method': 'GET',
- 'path': '/servers/detail'
- }
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-config-drive" policy '
- 'which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
-]
-
-
-def list_rules():
- return config_drive_policies
diff --git a/nova/policies/extended_availability_zone.py b/nova/policies/extended_availability_zone.py
deleted file mode 100644
index 974b909175a8..000000000000
--- a/nova/policies/extended_availability_zone.py
+++ /dev/null
@@ -1,51 +0,0 @@
-# Copyright 2016 Cloudbase Solutions Srl
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_policy import policy
-
-from nova.policies import base
-
-
-BASE_POLICY_NAME = 'os_compute_api:os-extended-availability-zone'
-
-
-extended_availability_zone_policies = [
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- "Add `OS-EXT-AZ:availability_zone` into the server response",
- [
- {
- 'method': 'GET',
- 'path': '/servers/{id}'
- },
- {
- 'method': 'GET',
- 'path': '/servers/detail'
- }
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-extended-availability-zone"'
- ' policy which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
-]
-
-
-def list_rules():
- return extended_availability_zone_policies
diff --git a/nova/policies/extended_status.py b/nova/policies/extended_status.py
deleted file mode 100644
index c65a4a2afb6a..000000000000
--- a/nova/policies/extended_status.py
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright 2016 Cloudbase Solutions Srl
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_policy import policy
-
-from nova.policies import base
-
-
-BASE_POLICY_NAME = 'os_compute_api:os-extended-status'
-
-
-extended_status_policies = [
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- """Return extended status in the response of server.
-
-This policy will control the visibility for a set of attributes:
-
-- ``OS-EXT-STS:task_state``
-- ``OS-EXT-STS:vm_state``
-- ``OS-EXT-STS:power_state``
-""",
- [
- {
- 'method': 'GET',
- 'path': '/servers/{id}'
- },
- {
- 'method': 'GET',
- 'path': '/servers/detail'
- }
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-extended-status" policy '
- 'which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
-]
-
-
-def list_rules():
- return extended_status_policies
diff --git a/nova/policies/extended_volumes.py b/nova/policies/extended_volumes.py
deleted file mode 100644
index bf0202bfc824..000000000000
--- a/nova/policies/extended_volumes.py
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 2016 Cloudbase Solutions Srl
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_policy import policy
-
-from nova.policies import base
-
-
-BASE_POLICY_NAME = 'os_compute_api:os-extended-volumes'
-
-
-extended_volumes_policies = [
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- "Return 'os-extended-volumes:volumes_attached' in the response of "
- "server",
- [
- {
- 'method': 'GET',
- 'path': '/servers/{id}'
- },
- {
- 'method': 'GET',
- 'path': '/servers/detail'
- }
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-extended-volumes" policy '
- 'which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
-]
-
-
-def list_rules():
- return extended_volumes_policies
diff --git a/nova/policies/flavor_access.py b/nova/policies/flavor_access.py
index 035812268400..3506292f0a82 100644
--- a/nova/policies/flavor_access.py
+++ b/nova/policies/flavor_access.py
@@ -49,9 +49,7 @@ flavor_access_policies = [ base.RULE_ADMIN_OR_OWNER, """List flavor access information -Adds the os-flavor-access:is_public key into several flavor APIs. - -It also allows access to the full list of tenants that have access +Allows access to the full list of tenants that have access to a flavor via an os-flavor-access API. """, [ @@ -59,36 +57,7 @@ to a flavor via an os-flavor-access API. 'method': 'GET', 'path': '/flavors/{flavor_id}/os-flavor-access' }, - { - 'method': 'GET', - 'path': '/flavors/detail' - }, - { - 'method': 'GET', - 'path': '/flavors/{flavor_id}' - }, - { - 'method': 'POST', - 'path': '/flavors' - }, - { - 'method': 'PUT', - 'path': '/flavors/{flavor_id}' - }, - ], - deprecated_for_removal=True, - deprecated_reason=( - 'Nova API extension concept has been removed in Pike. Those ' - 'extensions have their own policies enforcement. As there is ' - 'no extensions now, "os_compute_api:os-flavor-access" policy ' - 'for POST, PUT, GET /flavors which was added for extensions is ' - 'not needed any more. NOTE: This policy is deprecated only for ' - 'POST /flavors, PUT /flavors, GET /flavors/{flavor_id} & ' - 'GET /flavors/detail. This policy for other API operations is ' - 'still valid and not deprecated' - - ), - deprecated_since='17.0.0'), + ]), ] diff --git a/nova/policies/flavor_rxtx.py b/nova/policies/flavor_rxtx.py deleted file mode 100644 index 86e399b739bf..000000000000 --- a/nova/policies/flavor_rxtx.py +++ /dev/null 
@@ -1,60 +0,0 @@
-# Copyright 2016 Cloudbase Solutions Srl
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-from oslo_policy import policy
-
-from nova.policies import base
-
-
-BASE_POLICY_NAME = 'os_compute_api:os-flavor-rxtx'
-
-
-flavor_rxtx_policies = [
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- "Add the rxtx_factor key into some Flavor APIs",
- [
- {
- 'method': 'GET',
- 'path': '/flavors/detail'
- },
- {
- 'method': 'GET',
- 'path': '/flavors/{flavor_id}'
- },
- {
- 'method': 'POST',
- 'path': '/flavors'
- },
- {
- 'method': 'PUT',
- 'path': '/flavors/{flavor_id}'
- },
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-flavor-rxtx" policy '
- 'which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
-]
-
-
-def list_rules():
- return flavor_rxtx_policies
diff --git a/nova/policies/image_size.py b/nova/policies/image_size.py
deleted file mode 100644
index 1cb08a9e1ef1..000000000000
--- a/nova/policies/image_size.py
+++ /dev/null
@@ -1,51 +0,0 @@ -# Copyright 2016 Cloudbase Solutions Srl -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from oslo_policy import policy - -from nova.policies import base - - -BASE_POLICY_NAME = 'os_compute_api:image-size' - - -image_size_policies = [ - policy.DocumentedRuleDefault( - BASE_POLICY_NAME, - base.RULE_ADMIN_OR_OWNER, - """Add 'OS-EXT-IMG-SIZE:size' attribute in the image response.""", - [ - { - 'method': 'GET', - 'path': '/images/{id}' - }, - { - 'method': 'GET', - 'path': '/images/detail' - } - ], - deprecated_for_removal=True, - deprecated_reason=( - 'Nova API extension concept has been removed in Pike. Those ' - 'extensions have their own policies enforcement. As there is ' - 'no extensions now, "os_compute_api:image-size" policy ' - 'which was added for extensions is not needed any more' - ), - deprecated_since='17.0.0'), -] - - -def list_rules(): - return image_size_policies diff --git a/nova/policies/keypairs.py b/nova/policies/keypairs.py index 6dd1ea6617fe..5d228edb0679 100644 --- a/nova/policies/keypairs.py +++ b/nova/policies/keypairs.py @@ -15,10 +15,7 @@ from oslo_policy import policy -from nova.policies import base - -BASE_POLICY_NAME = 'os_compute_api:os-keypairs' POLICY_ROOT = 'os_compute_api:os-keypairs:%s' 
@@ -63,28 +60,6 @@ keypairs_policies = [ 'method': 'GET' } ]), - policy.DocumentedRuleDefault( - BASE_POLICY_NAME, - base.RULE_ADMIN_OR_OWNER, - "Return 'key_name' in the response of server.", - [ - { - 'path': '/servers/{id}', - 'method': 'GET', - }, - { - 'path': '/servers/detail', - 'method': 'GET' - } - ], - deprecated_for_removal=True, - deprecated_reason=( - 'Nova API extension concept has been removed in Pike. Those ' - 'extensions have their own policies enforcement. As there is ' - 'no extensions now, "os_compute_api:os-keypairs" policy ' - 'which was added for extensions is not needed any more' - ), - deprecated_since='17.0.0'), ] diff --git a/nova/policies/security_groups.py b/nova/policies/security_groups.py index b104f1b92c1b..c159ae6bb1de 100644 --- a/nova/policies/security_groups.py +++ b/nova/policies/security_groups.py @@ -34,8 +34,7 @@ APIs are deprecated. APIs which are related to server resource are not deprecated: Lists Security Groups for a server. Add Security Group to a server -and remove security group from a server. Expand security_groups in -server representation""", +and remove security group from a server.""", [ { 'method': 'GET', 
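Review bot: The shortened description of `os_compute_api:os-security-groups` in the `@@ -34,8 +34,7 @@` hunk drops "Expand security_groups in server representation" without saying that the attribute is no longer governed by this rule. An operator who overrode the rule to keep `security_groups` out of server responses would, as far as this diff shows, find that override no longer applies to `POST /servers`, `GET /servers/{server_id}` and `GET /servers/detail` (the operations removed in the following hunk), and the generated policy documentation would not tell them. I would close the description with a sentence such as `This rule does not control the security_groups attribute in server create, show and list responses.` The description string and the enclosing rule definition begin outside this hunk.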
@@ -69,31 +68,8 @@ server representation""", 'method': 'POST', 'path': '/servers/{server_id}/action (removeSecurityGroup)' }, - { - 'method': 'POST', - 'path': '/servers' - }, - { - 'method': 'GET', - 'path': '/servers/{server_id}' - }, - { - 'method': 'GET', - 'path': '/servers/detail' - } ], - deprecated_for_removal=True, - deprecated_reason=( - 'Nova API extension concept has been removed in Pike. Those ' - 'extensions have their own policies enforcement. As there is ' - 'no extensions now, "os_compute_api:os-security-groups" policy ' - 'for POST, GET /servers which was added for extensions is not ' - 'needed any more. NOTE: This policy is deprecated only for ' - 'POST /servers, GET /servers/{server_id} & GET /servers/detail. ' - 'This policy for other API operations is still valid and not ' - 'deprecated' ), - deprecated_since='17.0.0'), ] diff --git a/nova/policies/server_usage.py b/nova/policies/server_usage.py deleted file mode 100644 index a270b19d8baa..000000000000 --- a/nova/policies/server_usage.py +++ /dev/null 
@@ -1,58 +0,0 @@
-# Copyright 2016 Cloudbase Solutions Srl
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_policy import policy
-
-from nova.policies import base
-
-
-BASE_POLICY_NAME = 'os_compute_api:os-server-usage'
-
-
-server_usage_policies = [
- policy.DocumentedRuleDefault(
- BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
- """Add 'OS-SRV-USG:launched_at' & 'OS-SRV-USG:terminated_at' attribute
-in the server response.
-
-This check is performed only after the check
-'os_compute_api:servers:show' for GET /servers/{id} and
-'os_compute_api:servers:detail' for GET /servers/detail passes""",
-
-
- [
- {
- 'method': 'GET',
- 'path': '/servers/{id}'
- },
- {
- 'method': 'GET',
- 'path': '/servers/detail'
- }
- ],
- deprecated_for_removal=True,
- deprecated_reason=(
- 'Nova API extension concept has been removed in Pike. Those '
- 'extensions have their own policies enforcement. As there is '
- 'no extensions now, "os_compute_api:os-server-usage" policy '
- 'which was added for extensions is not needed any more'
- ),
- deprecated_since='17.0.0'),
-]
-
-
-def list_rules():
- return server_usage_policies
diff --git a/nova/tests/unit/api/openstack/compute/test_extended_volumes.py b/nova/tests/unit/api/openstack/compute/test_extended_volumes.py
index 8fb8e771e793..f1d79d4bc143 100644
--- a/nova/tests/unit/api/openstack/compute/test_extended_volumes.py
+++ b/nova/tests/unit/api/openstack/compute/test_extended_volumes.py
@@ -219,29 +219,3 @@ class ExtendedVolumesTestV23(ExtendedVolumesTestV21): ], ] wsgi_api_version = '2.3' - - -class ExtendedVolumesEnforcementV21(test.NoDBTestCase): - - def setUp(self): - super(ExtendedVolumesEnforcementV21, self).setUp() - self.controller = extended_volumes_v21.ExtendedVolumesController() - self.req = fakes.HTTPRequest.blank('') - - @mock.patch.object(extended_volumes_v21.ExtendedVolumesController, - '_extend_server') - def test_extend_show_policy_failed(self, mock_extend): - rule_name = 'os_compute_api:os-extended-volumes' - self.policy.set_rules({rule_name: "project:non_fake"}) - # Pass ResponseObj as None, the code shouldn't touch the None. - self.controller.show(self.req, None, fakes.FAKE_UUID) - self.assertFalse(mock_extend.called) - - @mock.patch.object(extended_volumes_v21.ExtendedVolumesController, - '_extend_server') - def test_extend_detail_policy_failed(self, mock_extend): - rule_name = 'os_compute_api:os-extended-volumes' - self.policy.set_rules({rule_name: "project:non_fake"}) - # Pass ResponseObj as None, the code shouldn't touch the None. - self.controller.detail(self.req, None) - self.assertFalse(mock_extend.called) diff --git a/nova/tests/unit/api/openstack/compute/test_flavors.py b/nova/tests/unit/api/openstack/compute/test_flavors.py index 1abc89e8e00d..b95b0304376b 100644 --- a/nova/tests/unit/api/openstack/compute/test_flavors.py +++ b/nova/tests/unit/api/openstack/compute/test_flavors.py 
@@ -779,54 +779,6 @@ class FlavorsTestV2_61(FlavorsTestV2_55): expect_extra_specs = True -class FlavorsPolicyEnforcementV21(test.NoDBTestCase): - - def setUp(self): - super(FlavorsPolicyEnforcementV21, self).setUp() - self.flavor_controller = flavors_v21.FlavorsController() - fakes.stub_out_flavor_get_by_flavor_id(self) - fakes.stub_out_flavor_get_all(self) - self.req = fakes.HTTPRequest.blank('') - - def test_show_flavor_access_policy_failed(self): - rule_name = "os_compute_api:os-flavor-access" - self.policy.set_rules({rule_name: "project:non_fake"}) - resp = self.flavor_controller.show(self.req, '1') - self.assertNotIn('os-flavor-access:is_public', resp['flavor']) - - def test_detail_flavor_access_policy_failed(self): - rule_name = "os_compute_api:os-flavor-access" - self.policy.set_rules({rule_name: "project:non_fake"}) - resp = self.flavor_controller.detail(self.req) - self.assertNotIn('os-flavor-access:is_public', resp['flavors'][0]) - - def test_show_flavor_rxtx_policy_failed(self): - rule_name = "os_compute_api:os-flavor-rxtx" - self.policy.set_rules({rule_name: "project:non_fake"}) - resp = self.flavor_controller.show(self.req, '1') - self.assertNotIn('rxtx_factor', resp['flavor']) - - def test_detail_flavor_rxtx_policy_failed(self): - rule_name = "os_compute_api:os-flavor-rxtx" - self.policy.set_rules({rule_name: "project:non_fake"}) - resp = self.flavor_controller.detail(self.req) - self.assertNotIn('rxtx_factor', resp['flavors'][0]) - - def test_create_flavor_extended_policy_failed(self): - rules = {"os_compute_api:os-flavor-rxtx": "project:non_fake", - "os_compute_api:os-flavor-access": "project:non_fake"} - self.policy.set_rules(rules) - resp = self.flavor_controller.detail(self.req) - self.assertNotIn('rxtx_factor', resp['flavors'][0]) - - def test_update_flavor_extended_policy_failed(self): - rules = {"os_compute_api:os-flavor-rxtx": "project:non_fake", - "os_compute_api:os-flavor-access": "project:non_fake"} - self.policy.set_rules(rules) - resp = 
self.flavor_controller.detail(self.req) - self.assertNotIn('rxtx_factor', resp['flavors'][0]) - - class DisabledFlavorsWithRealDBTestV21(test.TestCase): """Tests that disabled flavors should not be shown nor listed.""" Controller = flavors_v21.FlavorsController diff --git a/nova/tests/unit/api/openstack/compute/test_security_groups.py b/nova/tests/unit/api/openstack/compute/test_security_groups.py index a3331b4dd41e..436d0a686140 100644 --- a/nova/tests/unit/api/openstack/compute/test_security_groups.py +++ b/nova/tests/unit/api/openstack/compute/test_security_groups.py @@ -21,7 +21,6 @@ import webob from nova.api.openstack.compute import security_groups as \ secgroups_v21 -from nova.api.openstack import wsgi from nova import compute from nova.compute import power_state from nova import context as context_maker 
@@ -1537,56 +1536,6 @@ class SecurityGroupsOutputTestV21(test.TestCase): self.assertEqual(res.status_int, 404) -class SecurityGroupsOutputPolicyEnforcementV21(test.NoDBTestCase): - - def setUp(self): - super(SecurityGroupsOutputPolicyEnforcementV21, self).setUp() - self.controller = secgroups_v21.SecurityGroupsOutputController() - self.req = fakes.HTTPRequest.blank('') - self.rule_name = "os_compute_api:os-security-groups" - self.rule = {self.rule_name: "project:non_fake"} - self.policy.set_rules(self.rule) - self.fake_res = wsgi.ResponseObject({ - 'server': {'id': '0'}, - 'servers': [{'id': '0'}, {'id': '2'}]}) - - @mock.patch('nova.policy.authorize') - def test_show_policy_softauth_is_called(self, mock_authorize): - mock_authorize.return_value = False - self.controller.show(self.req, self.fake_res, FAKE_UUID1) - self.assertTrue(mock_authorize.called) - - @mock.patch.object(nova.network.security_group.openstack_driver, - "is_neutron_security_groups") - def test_show_policy_failed(self, is_neutron_security_groups): - self.controller.show(self.req, self.fake_res, FAKE_UUID1) - self.assertFalse(is_neutron_security_groups.called) - - @mock.patch('nova.policy.authorize') - def test_create_policy_softauth_is_called(self, mock_authorize): - mock_authorize.return_value = False - self.controller.show(self.req, self.fake_res, {}) - self.assertTrue(mock_authorize.called) - - @mock.patch.object(nova.network.security_group.openstack_driver, - "is_neutron_security_groups") - def test_create_policy_failed(self, is_neutron_security_groups): - self.controller.create(self.req, self.fake_res, {}) - self.assertFalse(is_neutron_security_groups.called) - - @mock.patch('nova.policy.authorize') - def test_detail_policy_softauth_is_called(self, mock_authorize): - mock_authorize.return_value = False - self.controller.detail(self.req, self.fake_res) - self.assertTrue(mock_authorize.called) - - @mock.patch.object(nova.network.security_group.openstack_driver, - "is_neutron_security_groups") - 
def test_detail_policy_failed(self, is_neutron_security_groups): - self.controller.detail(self.req, self.fake_res) - self.assertFalse(is_neutron_security_groups.called) - - class PolicyEnforcementV21(test.NoDBTestCase): def setUp(self): diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py index a5afc02bbaee..0e4fc19e14aa 100644 --- a/nova/tests/unit/test_policy.py +++ b/nova/tests/unit/test_policy.py @@ -368,7 +368,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase): "os_compute_api:os-suspend-server:resume", "os_compute_api:os-tenant-networks", "os_compute_api:extensions", -"os_compute_api:os-config-drive", "os_compute_api:servers:confirm_resize", "os_compute_api:servers:create", "os_compute_api:servers:create:attach_network", @@ -398,26 +397,19 @@ class RealRolePolicyTestCase(test.NoDBTestCase): "os_compute_api:os-console-output", "os_compute_api:os-remote-consoles", "os_compute_api:os-deferred-delete", -"os_compute_api:os-extended-status", -"os_compute_api:os-extended-availability-zone", -"os_compute_api:os-extended-volumes", "os_compute_api:os-flavor-access", -"os_compute_api:os-flavor-rxtx", "os_compute_api:flavors", "os_compute_api:os-flavor-extra-specs:index", "os_compute_api:os-flavor-extra-specs:show", "os_compute_api:os-floating-ip-pools", "os_compute_api:os-floating-ips", -"os_compute_api:image-size", "os_compute_api:os-instance-actions", -"os_compute_api:os-keypairs", "os_compute_api:limits", "os_compute_api:os-multinic", "os_compute_api:os-networks:view", "os_compute_api:os-rescue", "os_compute_api:os-security-groups", "os_compute_api:os-server-password", -"os_compute_api:os-server-usage", "os_compute_api:os-server-groups", "os_compute_api:os-server-tags:delete", "os_compute_api:os-server-tags:delete_all", 
diff --git a/releasenotes/notes/remove-deprecated-api-extensions-policies-311846b2eb839a22.yaml b/releasenotes/notes/remove-deprecated-api-extensions-policies-311846b2eb839a22.yaml
new file mode 100644
index 000000000000..70957752a0da
--- /dev/null
+++ b/releasenotes/notes/remove-deprecated-api-extensions-policies-311846b2eb839a22.yaml
@@ -0,0 +1,26 @@
+---
+upgrade:
+ - |
+ The following deprecated Policy Rules have been removed:
+
+ - Show & List server details
+
+ - os_compute_api:os-config-drive
+ - os_compute_api:os-extended-availability-zone
+ - os_compute_api:os-extended-status
+ - os_compute_api:os-extended-volumes
+ - os_compute_api:os-keypairs
+ - os_compute_api:os-server-usage
+ - os_compute_api:os-security-groups (only from /servers APIs)
+
+ - Create, Update, Show & List flavor details
+
+ - os_compute_api:os-flavor-rxtx
+ - os_compute_api:os-flavor-access (only from /flavors APIs)
+
+ - Show & List image details
+
+ - os_compute_api:image-size
+
+ These were deprecated in the 17.0.0 release as nova removed the concept
+ of API extensions.