From 5633d348e3307a58161c5caee2223ef151272011 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Tue, 22 Jan 2019 13:51:34 +0200
Subject: [PATCH] Change default policy to check service project and not role

In TripleO and devstack alike, service users are part of the "service" project; while TripleO doesn't have a "service" role. So lets depend on the project to enforce policy. This way this will still work out of the box with TripleO.

Change-Id: I01cf7b38904bb0311658348dcdc0b0efd4f36c0e
Closes-Bug: #1812844
---
 novajoin/policy.py | 6 +++---
 novajoin/tests/unit/api/fakes.py | 6 ++++--
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/novajoin/policy.py b/novajoin/policy.py
index ecc4007..1cf689e 100644
--- a/novajoin/policy.py
+++ b/novajoin/policy.py
@@ -33,10 +33,10 @@ _RULES = [
 'context_is_admin', 'role:admin',
 "Decides what is required for the 'is_admin:True' check to succeed."),
 policy.RuleDefault(
- 'service_role', 'role:service',
- "service role"),
+ 'service_project', 'project_name:service',
+ "service project"),
 policy.RuleDefault(
- 'compute_service_user', 'user_name:nova and rule:service_role',
+ 'compute_service_user', 'user_name:nova and rule:service_project',
 "This is usualy the nova service user, which calls the novajoin API, "
 "configured in [vendordata_dynamic_auth] in nova.conf."),
 policy.DocumentedRuleDefault(
diff --git a/novajoin/tests/unit/api/fakes.py b/novajoin/tests/unit/api/fakes.py
index 599c9ce..7e21cbf 100644
--- a/novajoin/tests/unit/api/fakes.py
+++ b/novajoin/tests/unit/api/fakes.py
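Review bot: In novajoin/policy.py the new `service_project` default matches on `project_name:service`, and `compute_service_user` combines it with `user_name:nova`, so both halves of the check are now names rather than a role assignment an administrator grants. Keystone project and user names are unique only within a domain, so in a multi-domain deployment a project called `service` holding a user called `nova` in another domain would presumably satisfy the rule as well. If novajoin's request context passes the domain to the enforcer (not visible in this hunk), pin it in the default, for example `'service_project', 'project_name:service and project_domain_id:default',`, or document that the default assumes a single-domain cloud. The rule is also renamed without a deprecation path, so an operator policy file that overrides `service_role` will no longer have any effect; a comment or release note saying so would help. The `_RULES` list starts and ends outside the hunk.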
@@ -41,15 +41,17 @@ class HTTPRequest(webob.Request):
 out.environ['novajoin.context'] = FakeRequestContext(
 user_id=fake.USER_ID,
 user_name='nova',
- roles=['service'],
+ roles=[],
 project_id=fake.PROJECT_ID,
+ project_name='service',
 is_admin=use_admin_context)
 else:
 out.environ['novajoin.context'] = FakeRequestContext(
 user_id=fake.USER_ID,
 user_name='not_nova',
- roles=['not_service'],
+ roles=[],
 project_id=fake.PROJECT_ID,
+ project_name='not_service',
 is_admin=use_admin_context)
 out.api_version_request = Join(version)
 return out
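Review bot: The two fake contexts in this hunk differ in both `user_name` and `project_name` at once, so tests built on them cannot tell which half of `user_name:nova and rule:service_project` rejected the request. A regression that dropped either condition from the policy would still pass with these fixtures. Consider letting the helper build mixed contexts as well, e.g. `user_name='nova'` with `project_name='not_service'` and the reverse, and asserting that both are denied. The enclosing method and the `if` that selects the first branch start outside the hunk, so how the branch is chosen is not visible here.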