From fcb761376bf8f1936c82ced589a202528ad1090c Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Wed, 27 Jan 2021 16:47:19 -0600 Subject: [PATCH] Move policy deprecation to base rules All the policy rules are deprecated for base.RULE_ADMIN_API so we can add this deprecation to base rule for system scope which further can be used as new default for policies. Change-Id: Idf028b44daab0469059d036c48d7c6ca36b01d96 --- placement/policies/aggregate.py | 20 -------- placement/policies/allocation.py | 42 ---------------- placement/policies/allocation_candidate.py | 14 ------ placement/policies/base.py | 46 ++++++++++++++++-- placement/policies/inventory.py | 47 ++---------------- placement/policies/reshaper.py | 13 ----- placement/policies/resource_class.py | 47 ++---------------- placement/policies/resource_provider.py | 47 ++---------------- placement/policies/trait.py | 56 ---------------------- placement/policies/usage.py | 23 +-------- 10 files changed, 59 insertions(+), 296 deletions(-) diff --git a/placement/policies/aggregate.py b/placement/policies/aggregate.py index 65459d823..0baf9a72d 100644 --- a/placement/policies/aggregate.py +++ b/placement/policies/aggregate.py @@ -11,7 +11,6 @@ # under the License. -from oslo_log import versionutils from oslo_policy import policy from placement.policies import base @@ -22,19 +21,6 @@ LIST = PREFIX % 'list' UPDATE = PREFIX % 'update' BASE_PATH = '/resource_providers/{uuid}/aggregates' -DEPRECATED_REASON = """ -The aggregates API now supports a read-only role by default. -""" - -deprecated_list_aggregates = policy.DeprecatedRule( - name=LIST, - check_str=base.RULE_ADMIN_API -) -deprecated_update_aggregates = policy.DeprecatedRule( - name=UPDATE, - check_str=base.RULE_ADMIN_API -) - rules = [ policy.DocumentedRuleDefault( LIST, 
@@ -47,9 +33,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_list_aggregates, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( UPDATE, @@ -62,9 +45,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_update_aggregates, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), ] diff --git a/placement/policies/allocation.py b/placement/policies/allocation.py index 9cb863e4c..99409a026 100644 --- a/placement/policies/allocation.py +++ b/placement/policies/allocation.py @@ -11,7 +11,6 @@ # under the License. -from oslo_log import versionutils from oslo_policy import policy from placement.policies import base @@ -25,32 +24,6 @@ ALLOC_MANAGE = ALLOC_PREFIX % 'manage' ALLOC_UPDATE = ALLOC_PREFIX % 'update' ALLOC_DELETE = ALLOC_PREFIX % 'delete' -DEPRECATED_REASON = """ -The allocation API now supports read-only roles by default. -""" - -deprecated_manage_allocations = policy.DeprecatedRule( - name=ALLOC_MANAGE, - check_str=base.RULE_ADMIN_API -) -deprecated_list_allocation = policy.DeprecatedRule( - name=ALLOC_LIST, - check_str=base.RULE_ADMIN_API -) -deprecated_update_allocation = policy.DeprecatedRule( - name=ALLOC_UPDATE, - check_str=base.RULE_ADMIN_API -) -deprecated_delete_allocation = policy.DeprecatedRule( - name=ALLOC_DELETE, - check_str=base.RULE_ADMIN_API -) -deprecated_list_resource_provider_allocations = policy.DeprecatedRule( - name=RP_ALLOC_LIST, - check_str=base.RULE_ADMIN_API, -) - - rules = [ policy.DocumentedRuleDefault( name=ALLOC_MANAGE, @@ -63,9 +36,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_manage_allocations, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=ALLOC_LIST, 
@@ -78,9 +48,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_list_allocation, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=ALLOC_UPDATE, @@ -93,9 +60,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_update_allocation, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=ALLOC_DELETE, @@ -108,9 +72,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_delete_allocation, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=RP_ALLOC_LIST, @@ -123,9 +84,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_list_resource_provider_allocations, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), ] diff --git a/placement/policies/allocation_candidate.py b/placement/policies/allocation_candidate.py index e110ca113..155eb4a8e 100644 --- a/placement/policies/allocation_candidate.py +++ b/placement/policies/allocation_candidate.py @@ -11,7 +11,6 @@ # under the License. -from oslo_log import versionutils from oslo_policy import policy from placement.policies import base @@ -19,16 +18,6 @@ from placement.policies import base LIST = 'placement:allocation_candidates:list' -DEPRECATED_REASON = """ -The allocation candidate API now supports read-only roles by default. -""" - -deprecated_list_allocation_candidates = policy.DeprecatedRule( - name=LIST, - check_str=base.RULE_ADMIN_API -) - - rules = [ policy.DocumentedRuleDefault( name=LIST, @@ -41,9 +30,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_list_allocation_candidates, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ) ] 
diff --git a/placement/policies/base.py b/placement/policies/base.py index fed714c93..521bfb937 100644 --- a/placement/policies/base.py +++ b/placement/policies/base.py @@ -14,14 +14,20 @@ from oslo_log import versionutils from oslo_policy import policy RULE_ADMIN_API = 'rule:admin_api' + +DEPRECATED_ADMIN_POLICY = policy.DeprecatedRule( + name=RULE_ADMIN_API, + check_str='role:admin' +) + # NOTE(lbragstad): We might consider converting these generic checks into # RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the # approach in oslo.policy and consume a new version. Until we have that done, # let's continue using generic check strings. -SYSTEM_ADMIN = 'role:admin and system_scope:all' -SYSTEM_READER = 'role:reader and system_scope:all' -PROJECT_READER = 'role:reader and project_id:%(project_id)s' -PROJECT_READER_OR_SYSTEM_READER = f'({SYSTEM_READER}) or ({PROJECT_READER})' +SYSTEM_ADMIN = 'rule:system_admin_api' +SYSTEM_READER = 'rule:system_reader_api' +PROJECT_READER = 'rule:project_reader_api' +PROJECT_READER_OR_SYSTEM_READER = 'rule:system_or_project_reader' _DEPRECATED_REASON = """ Placement API policies are introducing new default roles with scope_type 
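Review bot: `DEPRECATED_ADMIN_POLICY` is given `name=RULE_ADMIN_API`, so its name is the reference form `'rule:admin_api'` rather than a bare rule name; the constants changed just below it show the file's convention is a bare name referenced with the `rule:` prefix (`'rule:system_admin_api'`). If oslo.policy compares a deprecated rule's name with the keys of the operator's policy file, an existing `admin_api` override would presumably never match and would not carry over to the new base rules; please confirm which behaviour is intended and, if a match is wanted, use `name='admin_api'`. The retained `NOTE(lbragstad)` comment also still says the checks remain generic check strings, which is no longer true of the four constants under it; I would reword it to `# These constants reference the RuleDefaults registered in rules below.`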
@@ -39,6 +45,38 @@ rules = [ deprecated_reason=_DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY, ), + policy.RuleDefault( + name="system_admin_api", + check_str='role:admin and system_scope:all', + description="Default rule for System Admin APIs.", + deprecated_rule=DEPRECATED_ADMIN_POLICY, + deprecated_reason=_DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY, + ), + policy.RuleDefault( + name="system_reader_api", + check_str="role:reader and system_scope:all", + description="Default rule for System level read only APIs.", + deprecated_rule=DEPRECATED_ADMIN_POLICY, + deprecated_reason=_DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY, + ), + policy.RuleDefault( + name="project_reader_api", + check_str="role:reader and project_id:%(project_id)s", + description="Default rule for Project level read only APIs.", + deprecated_rule=DEPRECATED_ADMIN_POLICY, + deprecated_reason=_DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY, + ), + policy.RuleDefault( + name="system_or_project_reader", + check_str="rule:system_reader_api or rule:project_reader_api", + description="Default rule for System+Project read only APIs.", + deprecated_rule=DEPRECATED_ADMIN_POLICY, + deprecated_reason=_DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY, + ), ] diff --git a/placement/policies/inventory.py b/placement/policies/inventory.py index 163dfa45c..fbec19834 100644 --- a/placement/policies/inventory.py +++ b/placement/policies/inventory.py @@ -11,7 +11,6 @@ # under the License. -from oslo_log import versionutils from oslo_policy import policy from placement.policies import base 
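Review bot: The fallback attached through `deprecated_rule=DEPRECATED_ADMIN_POLICY` on all four new rules is the literal `role:admin`, whereas the per-API deprecations this patch removes used `check_str=base.RULE_ADMIN_API`, i.e. whatever `admin_api` resolves to. For a deployment that has tightened `admin_api` in its policy file, the compatibility fallback would, as far as I can tell, widen to any token carrying `role:admin` until new defaults are enforced; it has no scope or `project_id` condition, including on `project_reader_api`. Keeping the indirection with `check_str=RULE_ADMIN_API` in the `DeprecatedRule`, or stating the change in a release note, would avoid a silent change in who is authorised. Neither the `DeprecatedRule` definition nor the registered `admin_api` rule is inside this hunk, so the override handling should be checked against both.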
@@ -25,32 +24,6 @@ UPDATE = PREFIX % 'update' DELETE = PREFIX % 'delete' BASE_PATH = '/resource_providers/{uuid}/inventories' -DEPRECATED_REASON = """ -The inventory API now supports a read-only role by default. -""" - -deprecated_list_inventories = policy.DeprecatedRule( - name=LIST, - check_str=base.RULE_ADMIN_API -) -deprecated_create_inventory = policy.DeprecatedRule( - name=CREATE, - check_str=base.RULE_ADMIN_API -) -deprecated_show_inventory = policy.DeprecatedRule( - name=SHOW, - check_str=base.RULE_ADMIN_API -) -deprecated_update_inventory = policy.DeprecatedRule( - name=UPDATE, - check_str=base.RULE_ADMIN_API -) -deprecated_delete_inventory = policy.DeprecatedRule( - name=DELETE, - check_str=base.RULE_ADMIN_API -) - - rules = [ policy.DocumentedRuleDefault( name=LIST, @@ -63,9 +36,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_list_inventories, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), policy.DocumentedRuleDefault( name=CREATE, check_str=base.SYSTEM_ADMIN, @@ -77,9 +48,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_create_inventory, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), policy.DocumentedRuleDefault( name=SHOW, check_str=base.SYSTEM_READER, @@ -91,9 +60,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_show_inventory, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), policy.DocumentedRuleDefault( name=UPDATE, check_str=base.SYSTEM_ADMIN, @@ -109,9 +76,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_update_inventory, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), policy.DocumentedRuleDefault( name=DELETE, check_str=base.SYSTEM_ADMIN, 
@@ -127,9 +92,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_delete_inventory, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), ] diff --git a/placement/policies/reshaper.py b/placement/policies/reshaper.py index 4ba3fb0e8..57b67461d 100644 --- a/placement/policies/reshaper.py +++ b/placement/policies/reshaper.py @@ -11,7 +11,6 @@ # under the License. -from oslo_log import versionutils from oslo_policy import policy from placement.policies import base @@ -20,15 +19,6 @@ from placement.policies import base PREFIX = 'placement:reshaper:%s' RESHAPE = PREFIX % 'reshape' -deprecated_reshape = policy.DeprecatedRule( - name=RESHAPE, - check_str=base.RULE_ADMIN_API, -) - -DEPRECATED_REASON = """ -The reshape API now supports scoped rule by default. -""" - rules = [ policy.DocumentedRuleDefault( RESHAPE, @@ -41,9 +31,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_reshape, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY, ), ] diff --git a/placement/policies/resource_class.py b/placement/policies/resource_class.py index 328291aa8..0d0134e1e 100644 --- a/placement/policies/resource_class.py +++ b/placement/policies/resource_class.py @@ -11,7 +11,6 @@ # under the License. -from oslo_log import versionutils from oslo_policy import policy from placement.policies import base 
@@ -24,32 +23,6 @@ SHOW = PREFIX % 'show' UPDATE = PREFIX % 'update' DELETE = PREFIX % 'delete' -DEPRECATED_REASON = """ -The resource classes API now supports a read-only role by default. -""" - -deprecated_list_resource_classes = policy.DeprecatedRule( - name=LIST, - check_str=base.RULE_ADMIN_API -) -deprecated_show_resource_class = policy.DeprecatedRule( - name=SHOW, - check_str=base.RULE_ADMIN_API -) -deprecated_create_resource_class = policy.DeprecatedRule( - name=CREATE, - check_str=base.RULE_ADMIN_API -) -deprecated_update_resource_class = policy.DeprecatedRule( - name=UPDATE, - check_str=base.RULE_ADMIN_API -) -deprecated_delete_resource_class = policy.DeprecatedRule( - name=DELETE, - check_str=base.RULE_ADMIN_API -) - - rules = [ policy.DocumentedRuleDefault( name=LIST, @@ -62,9 +35,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_list_resource_classes, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), policy.DocumentedRuleDefault( name=CREATE, check_str=base.SYSTEM_ADMIN, @@ -76,9 +47,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_create_resource_class, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), policy.DocumentedRuleDefault( name=SHOW, check_str=base.SYSTEM_READER, @@ -90,9 +59,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_show_resource_class, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), policy.DocumentedRuleDefault( name=UPDATE, check_str=base.SYSTEM_ADMIN, @@ -104,9 +71,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_update_resource_class, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), policy.DocumentedRuleDefault( name=DELETE, check_str=base.SYSTEM_ADMIN, 
@@ -118,9 +83,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_delete_resource_class, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), ] diff --git a/placement/policies/resource_provider.py b/placement/policies/resource_provider.py index 8c1a48cf2..04732c8fa 100644 --- a/placement/policies/resource_provider.py +++ b/placement/policies/resource_provider.py @@ -11,7 +11,6 @@ # under the License. -from oslo_log import versionutils from oslo_policy import policy from placement.policies import base @@ -24,32 +23,6 @@ SHOW = PREFIX % 'show' UPDATE = PREFIX % 'update' DELETE = PREFIX % 'delete' -DEPRECATED_REASON = """ -The resource provider API now supports a read-only role by default. -""" - -deprecated_list_resource_providers = policy.DeprecatedRule( - name=LIST, - check_str=base.RULE_ADMIN_API -) -deprecated_show_resource_provider = policy.DeprecatedRule( - name=SHOW, - check_str=base.RULE_ADMIN_API -) -deprecated_create_resource_provider = policy.DeprecatedRule( - name=CREATE, - check_str=base.RULE_ADMIN_API -) -deprecated_update_resource_provider = policy.DeprecatedRule( - name=UPDATE, - check_str=base.RULE_ADMIN_API -) -deprecated_delete_resource_provider = policy.DeprecatedRule( - name=DELETE, - check_str=base.RULE_ADMIN_API -) - - rules = [ policy.DocumentedRuleDefault( name=LIST, @@ -62,9 +35,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_list_resource_providers, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), policy.DocumentedRuleDefault( name=CREATE, check_str=base.SYSTEM_ADMIN, @@ -76,9 +47,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_create_resource_provider, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), policy.DocumentedRuleDefault( name=SHOW, check_str=base.SYSTEM_READER, 
@@ -90,9 +59,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_show_resource_provider, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), policy.DocumentedRuleDefault( name=UPDATE, check_str=base.SYSTEM_ADMIN, @@ -104,9 +71,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_update_resource_provider, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), policy.DocumentedRuleDefault( name=DELETE, check_str=base.SYSTEM_ADMIN, @@ -118,9 +83,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_delete_resource_provider, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), ] diff --git a/placement/policies/trait.py b/placement/policies/trait.py index ab2482344..df81637a9 100644 --- a/placement/policies/trait.py +++ b/placement/policies/trait.py @@ -11,7 +11,6 @@ # under the License. -from oslo_log import versionutils from oslo_policy import policy from placement.policies import base 
@@ -28,40 +27,6 @@ TRAITS_SHOW = TRAITS_PREFIX % 'show' TRAITS_UPDATE = TRAITS_PREFIX % 'update' TRAITS_DELETE = TRAITS_PREFIX % 'delete' -DEPRECATED_REASON = """ -The traits API now supports a read-only role by default. -""" - -deprecated_list_traits = policy.DeprecatedRule( - name=TRAITS_LIST, - check_str=base.RULE_ADMIN_API -) -deprecated_show_trait = policy.DeprecatedRule( - name=TRAITS_SHOW, - check_str=base.RULE_ADMIN_API -) -deprecated_rp_traits_list = policy.DeprecatedRule( - name=RP_TRAIT_LIST, - check_str=base.RULE_ADMIN_API -) -deprecated_traits_update = policy.DeprecatedRule( - name=TRAITS_UPDATE, - check_str=base.RULE_ADMIN_API -) -deprecated_traits_delete = policy.DeprecatedRule( - name=TRAITS_DELETE, - check_str=base.RULE_ADMIN_API -) -deprecated_rp_trait_update = policy.DeprecatedRule( - name=RP_TRAIT_UPDATE, - check_str=base.RULE_ADMIN_API -) -deprecated_rp_trait_delete = policy.DeprecatedRule( - name=RP_TRAIT_DELETE, - check_str=base.RULE_ADMIN_API -) - - rules = [ policy.DocumentedRuleDefault( name=TRAITS_LIST, @@ -74,9 +39,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_list_traits, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=TRAITS_SHOW, @@ -89,9 +51,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_show_trait, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=TRAITS_UPDATE, @@ -104,9 +63,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_traits_update, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=TRAITS_DELETE, 
@@ -119,9 +75,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_traits_delete, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=RP_TRAIT_LIST, @@ -134,9 +87,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_rp_traits_list, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=RP_TRAIT_UPDATE, @@ -149,9 +99,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_rp_trait_update, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=RP_TRAIT_DELETE, @@ -164,9 +111,6 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_rp_trait_delete, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY ), ] diff --git a/placement/policies/usage.py b/placement/policies/usage.py index 9a69f2904..37aec6e0f 100644 --- a/placement/policies/usage.py +++ b/placement/policies/usage.py @@ -11,7 +11,6 @@ # under the License. -from oslo_log import versionutils from oslo_policy import policy from placement.policies import base @@ -20,20 +19,6 @@ from placement.policies import base PROVIDER_USAGES = 'placement:resource_providers:usages' TOTAL_USAGES = 'placement:usages' -DEPRECATED_REASON = """ -The usage API now supports a read-only role by default. -""" - -deprecated_list_rp_usages = policy.DeprecatedRule( - name=PROVIDER_USAGES, - check_str=base.RULE_ADMIN_API -) -deprecated_list_total_usages = policy.DeprecatedRule( - name=TOTAL_USAGES, - check_str=base.RULE_ADMIN_API -) - - rules = [ policy.DocumentedRuleDefault( name=PROVIDER_USAGES, 
@@ -46,9 +31,7 @@ rules = [ } ], scope_types=['system'], - deprecated_rule=deprecated_list_rp_usages, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY), + ), policy.DocumentedRuleDefault( name=TOTAL_USAGES, check_str=base.PROJECT_READER_OR_SYSTEM_READER, @@ -60,9 +43,7 @@ rules = [ } ], scope_types=['system', 'project'], - deprecated_rule=deprecated_list_total_usages, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY) + ), ]