Implement secure RBAC for allocation candidates

This commit updates the policies for the allocation candidates resource in
placement to support read-only roles.

This is part of a broader community effort to support read-only roles
and implement secure, consistent default policies.

Change-Id: I5197484395fd1f1e665e1882bd5884cba88ad40d

placement/policies/allocation_candidate.py

@@ -11,6 +11,7 @@
 #    under the License.
 
 
+from oslo_log import versionutils
 from oslo_policy import policy
 
 from placement.policies import base
@@ -18,18 +19,31 @@ from placement.policies import base
 
 LIST = 'placement:allocation_candidates:list'
 
+DEPRECATED_REASON = """
+The allocation candidate API now supports read-only roles by default.
+"""
+
+deprecated_list_allocation_candidates = policy.DeprecatedRule(
+    name=LIST,
+    check_str=base.RULE_ADMIN_API
+)
+
+
 rules = [
     policy.DocumentedRuleDefault(
-        LIST,
-        base.RULE_ADMIN_API,
-        "List allocation candidates.",
-        [
+        name=LIST,
+        check_str=base.SYSTEM_READER,
+        description="List allocation candidates.",
+        operations=[
             {
                 'method': 'GET',
                 'path': '/allocation_candidates'
             }
         ],
         scope_types=['system'],
+        deprecated_rule=deprecated_list_allocation_candidates,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     )
 ]
 

placement/tests/functional/gabbits/allocation-candidates-legacy-rbac.yaml

@@ -0,0 +1,68 @@
+---
+fixtures:
+  - LegacyRBACPolicyFixture
+
+vars:
+  - &project_id $ENVIRON['PROJECT_ID']
+  - &system_admin_headers
+    x-auth-token: user
+    x-roles: admin,member,reader
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+    openstack-system-scope: all
+  - &system_reader_headers
+    x-auth-token: user
+    x-roles: reader
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+    openstack-system-scope: all
+  - &project_admin_headers
+    x-auth-token: user
+    x-roles: admin,member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+  - &project_member_headers
+    x-auth-token: user
+    x-roles: member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+  - &project_reader_headers
+    x-auth-token: user
+    x-roles: reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+
+tests:
+
+- name: system admin can get allocation candidates
+  GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
+  request_headers: *system_admin_headers
+  status: 200
+
+- name: system reader can get allocation candidates
+  GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
+  request_headers: *system_reader_headers
+  status: 200
+
+- name: project admin can get allocation candidates
+  GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
+  request_headers: *project_admin_headers
+  status: 200
+
+- name: project member cannot get allocation candidates
+  GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot allocation candidates
+  GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
+  request_headers: *project_reader_headers
+  status: 403

placement/tests/functional/gabbits/allocation-candidates-secure-rbac.yaml

@@ -0,0 +1,68 @@
+---
+fixtures:
+  - SecureRBACPolicyFixture
+
+vars:
+  - &project_id $ENVIRON['PROJECT_ID']
+  - &system_admin_headers
+    x-auth-token: user
+    x-roles: admin,member,reader
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+    openstack-system-scope: all
+  - &system_reader_headers
+    x-auth-token: user
+    x-roles: reader
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+    openstack-system-scope: all
+  - &project_admin_headers
+    x-auth-token: user
+    x-roles: admin,member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+  - &project_member_headers
+    x-auth-token: user
+    x-roles: member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+  - &project_reader_headers
+    x-auth-token: user
+    x-roles: reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+
+tests:
+
+- name: system admin can get allocation candidates
+  GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
+  request_headers: *system_admin_headers
+  status: 200
+
+- name: system reader can get allocation candidates
+  GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
+  request_headers: *system_reader_headers
+  status: 200
+
+- name: project admin cannot get allocation candidates
+  GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot get allocation candidates
+  GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot allocation candidates
+  GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
+  request_headers: *project_reader_headers
+  status: 403