Add new default roles in server password policies

This adds new defaults roles in server password API policies.
- Policies are made granular and default to System or project reader
for get and system admin or owner for clear policy.

Also add tests to simulates the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.

Partial implement blueprint policy-defaults-refresh

Change-Id: I3571b73a3094f5f523ff7b655ca05355c65f90ff

1 files changed, 2 insertions, 1 deletions

diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py
index 4fe9448a2f..37871da2ff 100644
--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@@ -429,7 +429,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-security-groups",
 "os_compute_api:os-security-groups:add",
 "os_compute_api:os-security-groups:remove",
-"os_compute_api:os-server-password",
+"os_compute_api:os-server-password:clear",
 "os_compute_api:os-server-tags:delete",
 "os_compute_api:os-server-tags:delete_all",
 "os_compute_api:os-server-tags:update",
@@ -478,6 +478,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-attach-interfaces:show",
 "os_compute_api:os-instance-actions:list",
 "os_compute_api:os-instance-actions:show",
+"os_compute_api:os-server-password:show",
 "os_compute_api:os-server-tags:index",
 "os_compute_api:os-server-tags:show",
 )