Change default policy to check service project and not role

In TripleO and devstack alike, service users are part of the "service"
project; while TripleO doesn't have a "service" role. So lets depend on
the project to enforce policy. This way this will still work out of the
box with TripleO.

Change-Id: I01cf7b38904bb0311658348dcdc0b0efd4f36c0e
Closes-Bug: #1812844

novajoin/policy.py

@@ -33,10 +33,10 @@ _RULES = [
         'context_is_admin', 'role:admin',
         "Decides what is required for the 'is_admin:True' check to succeed."),
     policy.RuleDefault(
-        'service_role', 'role:service',
+        'service_project', 'project_name:service',
-        "service role"),
+        "service project"),
     policy.RuleDefault(
-        'compute_service_user', 'user_name:nova and rule:service_role',
+        'compute_service_user', 'user_name:nova and rule:service_project',
         "This is usualy the nova service user, which calls the novajoin API, "
         "configured in [vendordata_dynamic_auth] in nova.conf."),
     policy.DocumentedRuleDefault(

novajoin/tests/unit/api/fakes.py

@@ -41,15 +41,17 @@ class HTTPRequest(webob.Request):
             out.environ['novajoin.context'] = FakeRequestContext(
                 user_id=fake.USER_ID,
                 user_name='nova',
-                roles=['service'],
+                roles=[],
                 project_id=fake.PROJECT_ID,
+                project_name='service',
                 is_admin=use_admin_context)
         else:
             out.environ['novajoin.context'] = FakeRequestContext(
                 user_id=fake.USER_ID,
                 user_name='not_nova',
-                roles=['not_service'],
+                roles=[],
                 project_id=fake.PROJECT_ID,
+                project_name='not_service',
                 is_admin=use_admin_context)
         out.api_version_request = Join(version)
         return out