This adds new defaults roles in vnf-package API policies.
Backward compatibility:
- Old Rules and Defaults will keep working as it is because they
are added as deprecated rules and not removed. They are enabled
by default. This means existing deployement will continue working
in same way till deprecated rules are there and enabled by default.
- Legacy/current admin stays same and no change in their access permission
- Deprecation warning is added for old defaults so that operators will
know that new defaults are available to opt-in.
New defaults(project personas):
- Add new defaults but they are disabled by defaults and operators can adopt them
by enabling the oslo.policy config option. Basically add below in tacker.conf
[oslo_policy]
enforce_new_defaults=True
- All GET (read only) APIs are default to PROJECT_READER_OR_ADMIN
- Rest other APIs (write operations) are default to PROJECT_MEMBER_OR_ADMIN
Adding tests also to check permissions of new defaults.
Partial implement blueprint implement-project-personas
Change-Id: Ic7f5a9cd5aa10d93dfa491e5e60befb1f4bf2fcd
ba24a89998