Move policy deprecation to base rules

Every policy rule declares base.RULE_ADMIN_API as its deprecated check,
so we can add this deprecation to the base rules for system scope,
which can then be used as the new defaults for the policies.

Change-Id: Idf028b44daab0469059d036c48d7c6ca36b01d96
Ghanshyam Mann 2021-01-27 16:47:19 -06:00
parent b2ecae242d
commit fcb761376b
10 changed files with 59 additions and 296 deletions


@ -11,7 +11,6 @@
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from placement.policies import base
@ -22,19 +21,6 @@ LIST = PREFIX % 'list'
UPDATE = PREFIX % 'update'
BASE_PATH = '/resource_providers/{uuid}/aggregates'
DEPRECATED_REASON = """
The aggregates API now supports a read-only role by default.
"""
deprecated_list_aggregates = policy.DeprecatedRule(
name=LIST,
check_str=base.RULE_ADMIN_API
)
deprecated_update_aggregates = policy.DeprecatedRule(
name=UPDATE,
check_str=base.RULE_ADMIN_API
)
rules = [
policy.DocumentedRuleDefault(
LIST,
@ -47,9 +33,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_list_aggregates,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
UPDATE,
@ -62,9 +45,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_update_aggregates,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
]


@ -11,7 +11,6 @@
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from placement.policies import base
@ -25,32 +24,6 @@ ALLOC_MANAGE = ALLOC_PREFIX % 'manage'
ALLOC_UPDATE = ALLOC_PREFIX % 'update'
ALLOC_DELETE = ALLOC_PREFIX % 'delete'
DEPRECATED_REASON = """
The allocation API now supports read-only roles by default.
"""
deprecated_manage_allocations = policy.DeprecatedRule(
name=ALLOC_MANAGE,
check_str=base.RULE_ADMIN_API
)
deprecated_list_allocation = policy.DeprecatedRule(
name=ALLOC_LIST,
check_str=base.RULE_ADMIN_API
)
deprecated_update_allocation = policy.DeprecatedRule(
name=ALLOC_UPDATE,
check_str=base.RULE_ADMIN_API
)
deprecated_delete_allocation = policy.DeprecatedRule(
name=ALLOC_DELETE,
check_str=base.RULE_ADMIN_API
)
deprecated_list_resource_provider_allocations = policy.DeprecatedRule(
name=RP_ALLOC_LIST,
check_str=base.RULE_ADMIN_API,
)
rules = [
policy.DocumentedRuleDefault(
name=ALLOC_MANAGE,
@ -63,9 +36,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_manage_allocations,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=ALLOC_LIST,
@ -78,9 +48,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_list_allocation,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=ALLOC_UPDATE,
@ -93,9 +60,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_update_allocation,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=ALLOC_DELETE,
@ -108,9 +72,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_delete_allocation,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=RP_ALLOC_LIST,
@ -123,9 +84,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_list_resource_provider_allocations,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
]


@ -11,7 +11,6 @@
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from placement.policies import base
@ -19,16 +18,6 @@ from placement.policies import base
LIST = 'placement:allocation_candidates:list'
DEPRECATED_REASON = """
The allocation candidate API now supports read-only roles by default.
"""
deprecated_list_allocation_candidates = policy.DeprecatedRule(
name=LIST,
check_str=base.RULE_ADMIN_API
)
rules = [
policy.DocumentedRuleDefault(
name=LIST,
@ -41,9 +30,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_list_allocation_candidates,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
)
]


@ -14,14 +14,20 @@ from oslo_log import versionutils
from oslo_policy import policy
RULE_ADMIN_API = 'rule:admin_api'
DEPRECATED_ADMIN_POLICY = policy.DeprecatedRule(
name=RULE_ADMIN_API,
check_str='role:admin'
)
# NOTE(lbragstad): We might consider converting these generic checks into
# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the
# approach in oslo.policy and consume a new version. Until we have that done,
# let's continue using generic check strings.
SYSTEM_ADMIN = 'role:admin and system_scope:all'
SYSTEM_READER = 'role:reader and system_scope:all'
PROJECT_READER = 'role:reader and project_id:%(project_id)s'
PROJECT_READER_OR_SYSTEM_READER = f'({SYSTEM_READER}) or ({PROJECT_READER})'
SYSTEM_ADMIN = 'rule:system_admin_api'
SYSTEM_READER = 'rule:system_reader_api'
PROJECT_READER = 'rule:project_reader_api'
PROJECT_READER_OR_SYSTEM_READER = 'rule:system_or_project_reader'
_DEPRECATED_REASON = """
Placement API policies are introducing new default roles with scope_type
@ -39,6 +45,38 @@ rules = [
deprecated_reason=_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
),
policy.RuleDefault(
name="system_admin_api",
check_str='role:admin and system_scope:all',
description="Default rule for System Admin APIs.",
deprecated_rule=DEPRECATED_ADMIN_POLICY,
deprecated_reason=_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
),
policy.RuleDefault(
name="system_reader_api",
check_str="role:reader and system_scope:all",
description="Default rule for System level read only APIs.",
deprecated_rule=DEPRECATED_ADMIN_POLICY,
deprecated_reason=_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
),
policy.RuleDefault(
name="project_reader_api",
check_str="role:reader and project_id:%(project_id)s",
description="Default rule for Project level read only APIs.",
deprecated_rule=DEPRECATED_ADMIN_POLICY,
deprecated_reason=_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
),
policy.RuleDefault(
name="system_or_project_reader",
check_str="rule:system_reader_api or rule:project_reader_api",
description="Default rule for System+Project read only APIs.",
deprecated_rule=DEPRECATED_ADMIN_POLICY,
deprecated_reason=_DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
),
]
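Review bot: `DEPRECATED_ADMIN_POLICY` hard-codes `check_str='role:admin'`, whereas every per-API `DeprecatedRule` this commit removes used `check_str=base.RULE_ADMIN_API` (`'rule:admin_api'`), so the legacy fallback no longer follows a deployment's own `admin_api` definition. While `enforce_new_defaults` is off, oslo.policy ORs the deprecated check into the new default, so an operator who tightened `admin_api` in their policy file would, as far as I can tell, now have plain `role:admin` (no scope check) accepted by `system_admin_api`, `system_reader_api`, `project_reader_api` and `system_or_project_reader`. Consider `check_str=RULE_ADMIN_API` in the deprecated rule so the fallback stays a reference to the operator's rule, or call the behaviour change out in a release note. Separately, `name=RULE_ADMIN_API` passes the check-string form `'rule:admin_api'` as a policy name; if the existing rule is registered as `admin_api` (its definition starts above the second hunk, so this is not visible here), an override in the policy file would never be matched against the deprecated name.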


@ -11,7 +11,6 @@
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from placement.policies import base
@ -25,32 +24,6 @@ UPDATE = PREFIX % 'update'
DELETE = PREFIX % 'delete'
BASE_PATH = '/resource_providers/{uuid}/inventories'
DEPRECATED_REASON = """
The inventory API now supports a read-only role by default.
"""
deprecated_list_inventories = policy.DeprecatedRule(
name=LIST,
check_str=base.RULE_ADMIN_API
)
deprecated_create_inventory = policy.DeprecatedRule(
name=CREATE,
check_str=base.RULE_ADMIN_API
)
deprecated_show_inventory = policy.DeprecatedRule(
name=SHOW,
check_str=base.RULE_ADMIN_API
)
deprecated_update_inventory = policy.DeprecatedRule(
name=UPDATE,
check_str=base.RULE_ADMIN_API
)
deprecated_delete_inventory = policy.DeprecatedRule(
name=DELETE,
check_str=base.RULE_ADMIN_API
)
rules = [
policy.DocumentedRuleDefault(
name=LIST,
@ -63,9 +36,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_list_inventories,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name=CREATE,
check_str=base.SYSTEM_ADMIN,
@ -77,9 +48,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_create_inventory,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name=SHOW,
check_str=base.SYSTEM_READER,
@ -91,9 +60,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_show_inventory,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name=UPDATE,
check_str=base.SYSTEM_ADMIN,
@ -109,9 +76,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_update_inventory,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name=DELETE,
check_str=base.SYSTEM_ADMIN,
@ -127,9 +92,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_delete_inventory,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
]


@ -11,7 +11,6 @@
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from placement.policies import base
@ -20,15 +19,6 @@ from placement.policies import base
PREFIX = 'placement:reshaper:%s'
RESHAPE = PREFIX % 'reshape'
deprecated_reshape = policy.DeprecatedRule(
name=RESHAPE,
check_str=base.RULE_ADMIN_API,
)
DEPRECATED_REASON = """
The reshape API now supports scoped rule by default.
"""
rules = [
policy.DocumentedRuleDefault(
RESHAPE,
@ -41,9 +31,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_reshape,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
),
]


@ -11,7 +11,6 @@
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from placement.policies import base
@ -24,32 +23,6 @@ SHOW = PREFIX % 'show'
UPDATE = PREFIX % 'update'
DELETE = PREFIX % 'delete'
DEPRECATED_REASON = """
The resource classes API now supports a read-only role by default.
"""
deprecated_list_resource_classes = policy.DeprecatedRule(
name=LIST,
check_str=base.RULE_ADMIN_API
)
deprecated_show_resource_class = policy.DeprecatedRule(
name=SHOW,
check_str=base.RULE_ADMIN_API
)
deprecated_create_resource_class = policy.DeprecatedRule(
name=CREATE,
check_str=base.RULE_ADMIN_API
)
deprecated_update_resource_class = policy.DeprecatedRule(
name=UPDATE,
check_str=base.RULE_ADMIN_API
)
deprecated_delete_resource_class = policy.DeprecatedRule(
name=DELETE,
check_str=base.RULE_ADMIN_API
)
rules = [
policy.DocumentedRuleDefault(
name=LIST,
@ -62,9 +35,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_list_resource_classes,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name=CREATE,
check_str=base.SYSTEM_ADMIN,
@ -76,9 +47,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_create_resource_class,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name=SHOW,
check_str=base.SYSTEM_READER,
@ -90,9 +59,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_show_resource_class,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name=UPDATE,
check_str=base.SYSTEM_ADMIN,
@ -104,9 +71,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_update_resource_class,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name=DELETE,
check_str=base.SYSTEM_ADMIN,
@ -118,9 +83,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_delete_resource_class,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
]


@ -11,7 +11,6 @@
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from placement.policies import base
@ -24,32 +23,6 @@ SHOW = PREFIX % 'show'
UPDATE = PREFIX % 'update'
DELETE = PREFIX % 'delete'
DEPRECATED_REASON = """
The resource provider API now supports a read-only role by default.
"""
deprecated_list_resource_providers = policy.DeprecatedRule(
name=LIST,
check_str=base.RULE_ADMIN_API
)
deprecated_show_resource_provider = policy.DeprecatedRule(
name=SHOW,
check_str=base.RULE_ADMIN_API
)
deprecated_create_resource_provider = policy.DeprecatedRule(
name=CREATE,
check_str=base.RULE_ADMIN_API
)
deprecated_update_resource_provider = policy.DeprecatedRule(
name=UPDATE,
check_str=base.RULE_ADMIN_API
)
deprecated_delete_resource_provider = policy.DeprecatedRule(
name=DELETE,
check_str=base.RULE_ADMIN_API
)
rules = [
policy.DocumentedRuleDefault(
name=LIST,
@ -62,9 +35,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_list_resource_providers,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name=CREATE,
check_str=base.SYSTEM_ADMIN,
@ -76,9 +47,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_create_resource_provider,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name=SHOW,
check_str=base.SYSTEM_READER,
@ -90,9 +59,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_show_resource_provider,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name=UPDATE,
check_str=base.SYSTEM_ADMIN,
@ -104,9 +71,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_update_resource_provider,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name=DELETE,
check_str=base.SYSTEM_ADMIN,
@ -118,9 +83,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_delete_resource_provider,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
]


@ -11,7 +11,6 @@
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from placement.policies import base
@ -28,40 +27,6 @@ TRAITS_SHOW = TRAITS_PREFIX % 'show'
TRAITS_UPDATE = TRAITS_PREFIX % 'update'
TRAITS_DELETE = TRAITS_PREFIX % 'delete'
DEPRECATED_REASON = """
The traits API now supports a read-only role by default.
"""
deprecated_list_traits = policy.DeprecatedRule(
name=TRAITS_LIST,
check_str=base.RULE_ADMIN_API
)
deprecated_show_trait = policy.DeprecatedRule(
name=TRAITS_SHOW,
check_str=base.RULE_ADMIN_API
)
deprecated_rp_traits_list = policy.DeprecatedRule(
name=RP_TRAIT_LIST,
check_str=base.RULE_ADMIN_API
)
deprecated_traits_update = policy.DeprecatedRule(
name=TRAITS_UPDATE,
check_str=base.RULE_ADMIN_API
)
deprecated_traits_delete = policy.DeprecatedRule(
name=TRAITS_DELETE,
check_str=base.RULE_ADMIN_API
)
deprecated_rp_trait_update = policy.DeprecatedRule(
name=RP_TRAIT_UPDATE,
check_str=base.RULE_ADMIN_API
)
deprecated_rp_trait_delete = policy.DeprecatedRule(
name=RP_TRAIT_DELETE,
check_str=base.RULE_ADMIN_API
)
rules = [
policy.DocumentedRuleDefault(
name=TRAITS_LIST,
@ -74,9 +39,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_list_traits,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=TRAITS_SHOW,
@ -89,9 +51,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_show_trait,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=TRAITS_UPDATE,
@ -104,9 +63,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_traits_update,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=TRAITS_DELETE,
@ -119,9 +75,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_traits_delete,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=RP_TRAIT_LIST,
@ -134,9 +87,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_rp_traits_list,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=RP_TRAIT_UPDATE,
@ -149,9 +99,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_rp_trait_update,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=RP_TRAIT_DELETE,
@ -164,9 +111,6 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_rp_trait_delete,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
]


@ -11,7 +11,6 @@
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from placement.policies import base
@ -20,20 +19,6 @@ from placement.policies import base
PROVIDER_USAGES = 'placement:resource_providers:usages'
TOTAL_USAGES = 'placement:usages'
DEPRECATED_REASON = """
The usage API now supports a read-only role by default.
"""
deprecated_list_rp_usages = policy.DeprecatedRule(
name=PROVIDER_USAGES,
check_str=base.RULE_ADMIN_API
)
deprecated_list_total_usages = policy.DeprecatedRule(
name=TOTAL_USAGES,
check_str=base.RULE_ADMIN_API
)
rules = [
policy.DocumentedRuleDefault(
name=PROVIDER_USAGES,
@ -46,9 +31,7 @@ rules = [
}
],
scope_types=['system'],
deprecated_rule=deprecated_list_rp_usages,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name=TOTAL_USAGES,
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
@ -60,9 +43,7 @@ rules = [
}
],
scope_types=['system', 'project'],
deprecated_rule=deprecated_list_total_usages,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
),
]