[S-RBAC] Get QoS rule types API available for READER role

API call "get_rule_types" should be available in new policies for
all users with READER role as this is kind of the same what was in the
old policies (ANY).

Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/882818

Closes-Bug: #2018585
Change-Id: I8281bd8a902bcaba1187565e9610d598e4ebc254

2 files changed, 5 insertions, 7 deletions

diff --git a/neutron/conf/policies/qos.py b/neutron/conf/policies/qos.py
index 2fc9d0975c..c507a7bdb9 100644
--- a/neutron/conf/policies/qos.py
+++ b/neutron/conf/policies/qos.py
@@ -104,7 +104,11 @@ rules = [
 
     policy.DocumentedRuleDefault(
         name='get_rule_type',
-        check_str=base.ADMIN,
+        # NOTE(ralonsoh): it can't be ADMIN_OR_PROJECT_READER constant from the
+        # base module because that is using "project_id" in the check string
+        # and the rule type resource don't belongs to any project thus such
+        # check string would fail enforcement.
+        check_str='role:reader',
         scope_types=['project'],
         description='Get available QoS rule types',
         operations=[
diff --git a/neutron/tests/unit/conf/policies/test_qos.py b/neutron/tests/unit/conf/policies/test_qos.py
index 2b4d7aea03..ff655b298e 100644
--- a/neutron/tests/unit/conf/policies/test_qos.py
+++ b/neutron/tests/unit/conf/policies/test_qos.py
@@ -210,12 +210,6 @@ class ProjectMemberQosRuleTypeTests(AdminQosRuleTypeTests):
         super(ProjectMemberQosRuleTypeTests, self).setUp()
         self.context = self.project_member_ctx
 
-    def test_get_rule_type(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'get_rule_type', self.target)
-
 
 class ProjectReaderQosRuleTypeTests(ProjectMemberQosRuleTypeTests):