authorZuul <zuul@review.opendev.org>2023-05-04 00:35:34 +0000
committerGerrit Code Review <review@openstack.org>2023-05-04 00:35:34 +0000
commit4d531e513e714d60ebce4e11fe3b9a538fb525a1 (patch)
tree7962c6de06c8679a3ac45737ec2a2ed9e1ba001c
parent084c8a32f5abddc6ad6ebfeb804cefc504928b45 (diff)
parent84625bedfb5b4aab053d69192c2dfbb42bdf9dd2 (diff)
downloadglance-4d531e513e714d60ebce4e11fe3b9a538fb525a1.tar.gz
Merge "Allow easier admin override in policies"
-rw-r--r--glance/policies/base.py20
-rw-r--r--glance/policies/discovery.py2
-rw-r--r--glance/policies/image.py8
-rw-r--r--glance/policies/metadef.py3
-rw-r--r--glance/policies/tasks.py2
-rw-r--r--glance/tests/unit/test_policy.py6
6 files changed, 22 insertions, 19 deletions
diff --git a/glance/policies/base.py b/glance/policies/base.py
index 77d023414..3f51eb37a 100644
--- a/glance/policies/base.py
+++ b/glance/policies/base.py
@@ -57,33 +57,33 @@ PROJECT_READER_OR_PUBLIC_NAMESPACE = (
# typical in OpenStack services. But following check strings offer formal
# support for project membership and a read-only variant consistent with
# other OpenStack services.
-ADMIN_OR_PROJECT_MEMBER = f'role:admin or ({PROJECT_MEMBER})'
-ADMIN_OR_PROJECT_READER = f'role:admin or ({PROJECT_READER})'
+ADMIN_OR_PROJECT_MEMBER = f'rule:context_is_admin or ({PROJECT_MEMBER})'
+ADMIN_OR_PROJECT_READER = f'rule:context_is_admin or ({PROJECT_READER})'
ADMIN_OR_PROJECT_READER_GET_IMAGE = (
- f'role:admin or '
+ f'rule:context_is_admin or '
f'({PROJECT_READER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})'
)
ADMIN_OR_PROJECT_MEMBER_DOWNLOAD_IMAGE = (
- f'role:admin or '
+ f'rule:context_is_admin or '
f'({PROJECT_MEMBER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})'
)
ADMIN_OR_PROJECT_MEMBER_CREATE_IMAGE = (
- f'role:admin or ({PROJECT_MEMBER} and project_id:%(owner)s)'
+ f'rule:context_is_admin or ({PROJECT_MEMBER} and project_id:%(owner)s)'
)
ADMIN_OR_PROJECT_READER_GET_NAMESPACE = (
- f'role:admin or ({PROJECT_READER_OR_PUBLIC_NAMESPACE})'
+ f'rule:context_is_admin or ({PROJECT_READER_OR_PUBLIC_NAMESPACE})'
)
ADMIN_OR_SHARED_MEMBER = (
- f'role:admin or (role:member and {IMAGE_MEMBER_CHECK})'
+ f'rule:context_is_admin or (role:member and {IMAGE_MEMBER_CHECK})'
)
ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER = (
- f'role:admin or '
+ f'rule:context_is_admin or '
f'role:reader and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK})'
)
-ADMIN = f'role:admin'
+ADMIN = f'rule:context_is_admin'
rules = [
policy.RuleDefault(name='default', check_str='',
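Review bot: Every admin check string from L31 to L61 now resolves through the single operator-overridable `context_is_admin` rule, so loosening that one rule in policy.yaml (say to `role:member`) grants admin across publicize, copy, location deletion and the rest in one step — that is the stated goal, but nothing in the module warns operators of the blast radius. I would add a comment above L31 such as `# NOTE: all admin checks route through rule:context_is_admin so operators can widen admin in one place; widening it widens every admin-only API below.` The rule itself is not defined in this hunk; if it is registered in the `rules` list that starts at L62 and continues past the hunk, a policy file that drops it should fail closed, since oslo.policy treats a reference to an unregistered rule as false, but that is worth confirming in a test. Separately, `ADMIN = f'rule:context_is_admin'` at L61 keeps an `f` prefix on a literal with no placeholders; `ADMIN = 'rule:context_is_admin'` is enough.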
@@ -92,7 +92,7 @@ rules = [
'policy in the supplied policy.json file.',
deprecated_rule=policy.DeprecatedRule(
name='default',
- check_str='role:admin',
+ check_str='rule:context_is_admin',
deprecated_reason='In order to allow operators to '
'accept the default policies from code by not '
'defining them in the policy file, while still '
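Review bot: The `deprecated_rule` for `default` at L69 now records `rule:context_is_admin` as the old check string, but the value operators actually saw before this change was `role:admin` (L68); oslo.policy uses the deprecated check_str both to evaluate the legacy path and to word its deprecation warning, so it usually mirrors the historical default literally. If the intent is for the legacy path to honor an overridden `context_is_admin` as well, that is defensible, but a one-line comment would keep a later reader from "fixing" it back, e.g. `# routes through context_is_admin on purpose so overrides also apply to the legacy path`. The RuleDefault this belongs to starts and ends outside the hunk.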
diff --git a/glance/policies/discovery.py b/glance/policies/discovery.py
index 50a421330..5a0b86e88 100644
--- a/glance/policies/discovery.py
+++ b/glance/policies/discovery.py
@@ -18,7 +18,7 @@ from oslo_policy import policy
discovery_policies = [
policy.DocumentedRuleDefault(
name="stores_info_detail",
- check_str='role:admin',
+ check_str='rule:context_is_admin',
scope_types=['project'],
description='Expose store specific information',
operations=[
diff --git a/glance/policies/image.py b/glance/policies/image.py
index c4400ec0b..1fdd97acc 100644
--- a/glance/policies/image.py
+++ b/glance/policies/image.py
@@ -93,7 +93,7 @@ image_policies = [
),
policy.DocumentedRuleDefault(
name="publicize_image",
- check_str='role:admin',
+ check_str='rule:context_is_admin',
scope_types=['project'],
description='Publicize given image',
operations=[
@@ -147,7 +147,7 @@ image_policies = [
policy.DocumentedRuleDefault(
name="delete_image_location",
- check_str="role:admin",
+ check_str="rule:context_is_admin",
scope_types=['project'],
description='Deletes the location of given image',
operations=[
@@ -261,7 +261,7 @@ image_policies = [
policy.RuleDefault(
name="manage_image_cache",
- check_str='role:admin',
+ check_str='rule:context_is_admin',
scope_types=['project'],
description='Manage image cache'
),
@@ -297,7 +297,7 @@ image_policies = [
policy.DocumentedRuleDefault(
name="copy_image",
- check_str='role:admin',
+ check_str='rule:context_is_admin',
# For now this is restricted to project-admins.
# That might change in the future if we decide to push
# this functionality down to project-members.
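Review bot: The comment at L120 still says copy_image "is restricted to project-admins", but after L119 the gate is whatever `rule:context_is_admin` resolves to in the operator's policy file, which may be wider than the admin role. Update the comment so it matches the check, e.g. `# For now this is gated on rule:context_is_admin (admins by default).` The DocumentedRuleDefault continues past the hunk.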
diff --git a/glance/policies/metadef.py b/glance/policies/metadef.py
index d1feaaed8..84641f42c 100644
--- a/glance/policies/metadef.py
+++ b/glance/policies/metadef.py
@@ -23,7 +23,8 @@ The metadata API now supports project scope and default roles.
metadef_policies = [
policy.RuleDefault(name="metadef_default", check_str=""),
- policy.RuleDefault(name="metadef_admin", check_str="role:admin"),
+ policy.RuleDefault(name="metadef_admin",
+ check_str="rule:context_is_admin"),
policy.DocumentedRuleDefault(
name="get_metadef_namespace",
check_str=base.ADMIN_OR_PROJECT_READER_GET_NAMESPACE,
diff --git a/glance/policies/tasks.py b/glance/policies/tasks.py
index 42d25a5f6..64aa9e42a 100644
--- a/glance/policies/tasks.py
+++ b/glance/policies/tasks.py
@@ -101,7 +101,7 @@ task_policies = [
),
policy.DocumentedRuleDefault(
name="tasks_api_access",
- check_str="role:admin",
+ check_str="rule:context_is_admin",
scope_types=['project'],
description=TASK_ACCESS_DESCRIPTION,
operations=[
diff --git a/glance/tests/unit/test_policy.py b/glance/tests/unit/test_policy.py
index b37268592..a78f6b315 100644
--- a/glance/tests/unit/test_policy.py
+++ b/glance/tests/unit/test_policy.py
@@ -486,7 +486,8 @@ class TestDefaultPolicyCheckStrings(base.IsolatedUnitTest):
self.assertEqual(expected, base_policy.PROJECT_MEMBER)
def test_admin_or_project_member_check_string(self):
- expected = 'role:admin or (role:member and project_id:%(project_id)s)'
+ expected = ('rule:context_is_admin or '
+ '(role:member and project_id:%(project_id)s)')
self.assertEqual(expected, base_policy.ADMIN_OR_PROJECT_MEMBER)
def test_project_member_download_image_check_string(self):
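Review bot: The updated assertions at L157-L159 only pin the literal check string; nothing exercises the behavior the commit adds, namely that overriding `context_is_admin` in a policy file actually grants access through `ADMIN_OR_PROJECT_MEMBER`. A test that loads an enforcer with `context_is_admin` set to e.g. `role:foo`, asserts that a `role:foo` context passes `ADMIN_OR_PROJECT_MEMBER`, and asserts that a plain member of a different project still fails would catch a regression where one of the constants silently reverts to `role:admin`. The test class starts outside the hunk.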
@@ -506,7 +507,8 @@ class TestDefaultPolicyCheckStrings(base.IsolatedUnitTest):
self.assertEqual(expected, base_policy.PROJECT_READER)
def test_admin_or_project_reader_check_string(self):
- expected = 'role:admin or (role:reader and project_id:%(project_id)s)'
+ expected = ('rule:context_is_admin or '
+ '(role:reader and project_id:%(project_id)s)')
self.assertEqual(expected, base_policy.ADMIN_OR_PROJECT_READER)
def test_project_reader_get_image_check_string(self):