oslo.policy introduced the scope_type feature which can
control the access level at system-level and project-level.
- https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
- http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
There are two type of scope:
1. 'system': policy with 'system' scope means user with
'system-scoped' token have permission to access otherwise not.
This scope type can be applied to API policies which need
access permission at system level.
2. 'project': policy with 'project' scope means user with
'project-scoped' token have permission to access.
This scope type can be applied to API policies which need
access permission at project level.
Any policy need permission for both scope 'system' and 'project'
can be added with both scope, for example: scope_type['system', 'project']
This commit introduce scope_type for os-services API policies.
All the os-service policy are scopped as 'system' because
nova services operation should not be given access to
project scopped token.
Also adds the test case with scope_type enabled and verify we
pass and fail the policy check with expected context.
Partial implement blueprint policy-defaults-refresh
Change-Id: Ia6ad47e4e411c8c6f50c98807ee97f99297d97b8
0012785501