authorMichael Still <mikal@stillhq.com>2017-09-18 23:15:10 +1000
committerMichael Still <mikal@stillhq.com>2017-09-18 23:15:10 +1000
commite00d8eb7593edb443f18c779b3fedc5bb91d79f8 (patch)
tree26a01da37e96d8787768e39754484f515c246c43 /nova/privsep
parent8ea68a5ebebe9caddbb22ddbb2502a2d7d426e8e (diff)
Squash dac_admin privsep context.
As discussed at the PTG, squash the dac_admin privsep context into the sys_admin context (sys_admin_pctxt); every entrypoint that used dac_admin_pctxt is moved to sys_admin_pctxt. Change-Id: I10142be4baa404835fabebd50f7f976ca6ec402e blueprint: hurrah-for-privsep
Diffstat (limited to 'nova/privsep')
-rw-r--r--nova/privsep/__init__.py13
-rw-r--r--nova/privsep/libvirt.py5
-rw-r--r--nova/privsep/path.py18
3 files changed, 11 insertions, 25 deletions
diff --git a/nova/privsep/__init__.py b/nova/privsep/__init__.py
index 03315131ca..c0e138a692 100644
--- a/nova/privsep/__init__.py
+++ b/nova/privsep/__init__.py
@@ -18,19 +18,6 @@
from oslo_privsep import capabilities
from oslo_privsep import priv_context
-# NOTE(tonyb): DAC == Discriminatory Access Control. Basically this context
-# can bypass permissions checks in the file-system.
-dac_admin_pctxt = priv_context.PrivContext(
- 'nova',
- cfg_section='nova_dac_admin',
- pypath=__name__ + '.dac_admin_pctxt',
- capabilities=[capabilities.CAP_CHOWN,
- capabilities.CAP_DAC_OVERRIDE,
- capabilities.CAP_DAC_READ_SEARCH,
- capabilities.CAP_FOWNER],
-)
-
-
# NOTE(mikal): DAC + CAP_NET_ADMIN, required for network sysfs changes
dacnet_admin_pctxt = priv_context.PrivContext(
'nova',
diff --git a/nova/privsep/libvirt.py b/nova/privsep/libvirt.py
index 6c2844f318..4f7f313c61 100644
--- a/nova/privsep/libvirt.py
+++ b/nova/privsep/libvirt.py
@@ -14,8 +14,7 @@
# under the License.
"""
-libvirt specific routines that use the dac_admin_pctxt to bypass file-system
-checks.
+libvirt specific routines.
"""
import errno
@@ -24,7 +23,7 @@ import os
import nova.privsep
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
def last_bytes(path, num):
# NOTE(mikal): this is implemented in this contrived manner because you
# can't mock a decorator in python (they're loaded at file parse time,
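Review bot: Nothing in the hunk records which capabilities sys_admin_pctxt carries, although the decorator on last_bytes now depends on it and the only capability set visible in this change is the four DAC capabilities of the context being removed. If sys_admin_pctxt lacks CAP_DAC_READ_SEARCH/CAP_DAC_OVERRIDE the privileged read of a root-owned file will fail with EACCES; if it adds CAP_SYS_ADMIN, as its name suggests, a read-only tail helper now runs with far more than it needs. A one-line comment above the decorator would record the intent either way: `# NOTE: needs only CAP_DAC_READ_SEARCH; dac_admin_pctxt was folded into sys_admin_pctxt`. The body of last_bytes continues outside the hunk.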
diff --git a/nova/privsep/path.py b/nova/privsep/path.py
index e84070ccab..b82a5f580d 100644
--- a/nova/privsep/path.py
+++ b/nova/privsep/path.py
@@ -13,7 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
-"""Routines that use the dac_admin_pctxt to bypass file-system checks"""
+"""Routines that bypass file-system checks."""
import os
@@ -23,7 +23,7 @@ from nova import exception
import nova.privsep
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
def readfile(path):
if not os.path.exists(path):
raise exception.FileNotFound(file_path=path)
@@ -31,7 +31,7 @@ def readfile(path):
return f.read()
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
def writefile(path, mode, content):
if not os.path.exists(path):
raise exception.FileNotFound(file_path=path)
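Review bot: The guard in writefile uses os.path.exists, which follows symlinks, so a symlink planted at `path` passes the check and the write that follows (outside this hunk) lands on the link's target with the daemon's DAC-override capability; the check-then-write sequence is also a TOCTOU window rather than a control. Whether any caller legitimately writes through a link is not visible here, but if none does, rejecting links up front with `if os.path.islink(path):` followed by a raise closes the obvious case, and opening with `os.O_NOFOLLOW` would close the race as well. This matters more now that the helper runs in the broader sys_admin context. writefile's body continues outside the hunk.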
@@ -39,33 +39,33 @@ def writefile(path, mode, content):
f.write(content)
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
def readlink(path):
if not os.path.exists(path):
raise exception.FileNotFound(file_path=path)
return os.readlink(path)
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
def chown(path, uid=-1, gid=-1):
if not os.path.exists(path):
raise exception.FileNotFound(file_path=path)
return os.chown(path, uid, gid)
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
def makedirs(path):
fileutils.ensure_tree(path)
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
def chmod(path, mode):
if not os.path.exists(path):
raise exception.FileNotFound(file_path=path)
os.chmod(path, mode)
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
def utime(path):
if not os.path.exists(path):
raise exception.FileNotFound(file_path=path)
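Review bot: readlink guards with os.path.exists, which follows the link, so a dangling symlink, exactly the case where a caller most wants the target, raises FileNotFound instead of returning os.readlink's result; the check should be `if not os.path.lexists(path):`. The same exists() guard in chown and chmod passes a symlink and then os.chown/os.chmod act on its target with the daemon's privileges; whether callers rely on following links is not visible here, but it is worth confirming now that these helpers run in the broader sys_admin context. utime's body continues outside the hunk.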
@@ -79,6 +79,6 @@ def utime(path):
class path(object):
@staticmethod
- @nova.privsep.dac_admin_pctxt.entrypoint
+ @nova.privsep.sys_admin_pctxt.entrypoint
def exists(path):
return os.path.exists(path)