Merge "policy: Remove the deprecated 'placement' rule"

Zuul 2021-02-03 18:49:42 +00:00 committed by Gerrit Code Review
commit d3f42f463a
4 changed files with 12 additions and 18 deletions


@ -23,21 +23,6 @@ PROJECT_READER = 'role:reader and project_id:%(project_id)s'
PROJECT_READER_OR_SYSTEM_READER = f'({SYSTEM_READER}) or ({PROJECT_READER})'
rules = [
# "placement" is the default rule (action) used for all routes that do
# not yet have granular policy rules. It is used in
# PlacementHandler.__call__ and can be dropped once all routes have
# granular policy handling.
policy.RuleDefault(
"placement",
"role:admin",
description="This rule is used for all routes that do not yet "
"have granular policy rules. It will be replaced "
"with rule:admin_api.",
deprecated_for_removal=True,
deprecated_reason="This was a catch-all rule hard-coded into "
"the placement service and has been superseded by "
"granular policy rules per operation.",
deprecated_since="18.0.0"),
policy.RuleDefault(
"admin_api",
"role:admin",


@ -749,7 +749,7 @@ class OpenPolicyFixture(APIFixture):
for rule in policies.list_rules():
name = rule.name
# Ignore "base" rules for role:admin.
if name in ['placement', 'admin_api']:
if name in ('admin_api',):
continue
rules[name] = '@'
self.policy_fixture.set_rules(rules)
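Review bot: The membership test `if name in ('admin_api',):` uses a one-element tuple, which reads as a leftover from the old two-name list; `if name == 'admin_api':` says the same thing directly. The comment above it still says "rules" in the plural, so `# Ignore the "base" admin_api rule for role:admin.` would match the code as it now stands. The enclosing method starts outside the hunk.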


@ -78,10 +78,13 @@ class PlacementPolicyTestCase(base.ContextTestCase):
"""
fixture = self.useFixture(
policy_fixture.PolicyFixture(self.conf_fixture))
fixture.set_rules({'placement': '!'})
# It doesn't matter which policy we use here so long as it's
# registered.
policy_name = 'placement:resource_providers:list'
fixture.set_rules({policy_name: '!'})
self.assertFalse(
policy.authorize(
self.ctxt, 'placement', self.target, do_raise=False))
self.ctxt, policy_name, self.target, do_raise=False))
def test_init_pick_policy_file_from_oslo_config_option(self):
"""Tests a scenario where the oslo policy enforcer in init pick
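Review bot: Nothing in this test covers the name that was just removed. It now shows that a registered rule set to `!` denies, but not that `policy.authorize` fails closed for an action with no registered rule, which is the case the catch-all `placement` rule used to absorb. A companion test could call `policy.authorize(self.ctxt, 'placement', self.target, do_raise=False)` and check that access is not granted. Whether that call returns False or raises an unregistered-policy error is not visible here, so confirm against the enforcer before choosing the assertion. The test method begins above the hunk, and the following test continues past it.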


@ -0,0 +1,6 @@
---
upgrade:
- |
The deprecated ``placement`` policy has now been removed. This policy was
used prior to the introduction of granular policies in the nova 18.0.0
(Rocky) release.