From 12c41a0a73114974b8d5d15a1cc14368d68099cc Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Tue, 1 Dec 2020 14:35:41 +0000
Subject: [PATCH] Add a system-reader check string to base.py

This commit adds a new constant to base.py that models a common persona being implemented across OpenStack called system-reader. We can use this persona in future patches to update the default policies for the appropriate APIs.

Change-Id: I12074fe328db71895bbdfda3c9e7c56cc6b6f40d
---
 panko/policies/base.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/panko/policies/base.py b/panko/policies/base.py
index b80d8821..8cd641cf 100644
--- a/panko/policies/base.py
+++ b/panko/policies/base.py
@@ -15,7 +15,14 @@ from oslo_policy import policy
 ROLE_ADMIN = 'role:admin'
 UNPROTECTED = ''

+# This is a check string that represents a common persona for someone who has
+# read-only access to the deployment, ultimately a subset of authorization for
+# system users, or administrators.
+SYSTEM_READER = 'role:admin and system_scope:all'
+
 rules = [
+ # This can be removed once the deprecated policies in segregation.py have
+ # been removed.
 policy.RuleDefault(
 name='context_is_admin',
 check_str=ROLE_ADMIN
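Review bot: `SYSTEM_READER` is named and commented as a read-only persona, but its check string `'role:admin and system_scope:all'` requires the admin role, so a system-scoped token that carries only a reader role will not match it. If the reader persona is what is meant, the value would be `SYSTEM_READER = 'role:reader and system_scope:all'`. If admin is kept on purpose so that adopting the constant does not widen access, the comment should say so, for example `# NOTE: still requires role:admin on purpose; relax to role:reader only after reviewing each API that uses it.` Later policy changes will be reviewed against the constant's name, so the name and comment should not describe a different privilege level than the rule enforces. Whether the request context populates `system_scope` for this service is not visible in this hunk and is worth confirming before any rule starts using the constant.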