authorGhanshyam Mann <gmann@ghanshyammann.com>2020-04-02 21:17:48 -0500
committerGhanshyam Mann <gmann@ghanshyammann.com>2020-04-03 17:28:44 -0500
commit0a0885dac9e43b50a75d6d5c887b3295df4e0ee2 (patch)
tree817c991d69c9c44c04e0c4d465c32670ac985fb7 /nova/tests/unit/test_policy.py
parent5112e1687f26a9c388cf962576af00bd9eb63a31 (diff)
downloadnova-0a0885dac9e43b50a75d6d5c887b3295df4e0ee2.tar.gz
Add new default roles in security group policies
This adds new default roles in the security group API policies. - GET rules are made granular and default to System or project reader - add/remove sec grps policies default to system admin or project member. Added a new context, other_project_reader, for the system and project reader policy so that we can verify the other project by its id, not by role. Also add tests that simulate the future where we drop the deprecation fallback in the policy, by overriding the rules with a version where there are no deprecated rule options. Operators can do the same by adding overrides in their policy files that match the default but stop the rule deprecation fallback from happening. Partial implement blueprint policy-defaults-refresh Change-Id: I83783aa3384d3b667729bbdd4a13fb014176ec75
Diffstat (limited to 'nova/tests/unit/test_policy.py')
-rw-r--r--nova/tests/unit/test_policy.py3
1 files changed, 3 insertions, 0 deletions
diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py
index 8ac81a744a..73d5ef1ddc 100644
--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@@ -430,6 +430,8 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-rescue",
"os_compute_api:os-unrescue",
"os_compute_api:os-security-groups",
+"os_compute_api:os-security-groups:add",
+"os_compute_api:os-security-groups:remove",
"os_compute_api:os-server-password",
"os_compute_api:os-server-tags:delete",
"os_compute_api:os-server-tags:delete_all",
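Review bot: The tuple receiving `"os_compute_api:os-security-groups:add"` and `:remove` is opened outside this hunk, so the hunk alone does not show which role class these rules are asserted against. The description says both default to system admin or project member; confirm the enclosing tuple is the one checked for that scope and not a broader one, since a rule filed in the wrong list would have the test assert a looser default than intended. The un-suffixed `"os_compute_api:os-security-groups"` entry stays in the same list; if that name is now only the deprecated fallback, a short comment such as `# legacy rule, kept until the deprecated fallback is dropped` would stop the next reader from treating it as a live default.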
@@ -471,6 +473,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
)
self.system_reader_or_owner_rules = (
+"os_compute_api:os-security-groups:list",
"os_compute_api:os-volumes-attachments:index",
"os_compute_api:os-volumes-attachments:show",
"os_compute_api:os-attach-interfaces:list",
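Review bot: Only `"os_compute_api:os-security-groups:list"` is added to `system_reader_or_owner_rules`, while the description speaks of GET rules (plural) becoming granular and defaulting to system or project reader. If the change registers any other read rule for security groups, it should be listed here too, so that its reader default is pinned by this test case and not left unclassified. The new entry is also placed ahead of the `os-volumes-attachments` entries; if the tuple is meant to stay grouped by API, moving it next to related rules would make later audits of reader-scoped policies easier. The tuple continues past the end of the hunk.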