policy: Deprecate 'admin_api' rule

All of our granular rules have been transitioned across to the new scoped policies, which means we can deprecate this base rule itself. Change-Id: I2153099e5e6adc9fd276089194f5ec5bf4975420 Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2021-01-25 12:32:42 +00:00 · 2021-01-25 12:32:42 +00:00 · 6498534c3b
parent d3f42f463a
commit 6498534c3b
1 changed files with 12 additions and 1 deletions
--- a/placement/policies/base.py
+++ b/placement/policies/base.py
@ -10,6 +10,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+from oslo_log import versionutils
 from oslo_policy import policy

 RULE_ADMIN_API = 'rule:admin_api'
@ -22,12 +23,22 @@ SYSTEM_READER = 'role:reader and system_scope:all'
 PROJECT_READER = 'role:reader and project_id:%(project_id)s'
 PROJECT_READER_OR_SYSTEM_READER = f'({SYSTEM_READER}) or ({PROJECT_READER})'

+_DEPRECATED_REASON = """
+Placement API policies are introducing new default roles with scope_type
+capabilities. Old policies are deprecated and silently going to be ignored
+in the placement 6.0.0 (Xena) release.
+"""
+
 rules = [
    policy.RuleDefault(
        "admin_api",
        "role:admin",
        description="Default rule for most placement APIs.",
-        scope_types=['system']),
+        scope_types=['system'],
+        deprecated_for_removal=True,
+        deprecated_reason=_DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY,
+    ),
 ]