nova-placement-api-policy.patch

commit 91bc0ed7d25dd6efeeb820ca7cbb1f2af3bd53ab (HEAD -> newton/placement-roles)
Author: Mathieu Gagné <mgagne@iweb.com>
Date:   Thu Nov 30 18:03:22 2017 -0500

    Add ability to override roles allowed to query placement API
    
    Change-Id: I37ac6964a5852aac129107e9be476785ea713fae

diff --git a/nova/api/openstack/placement/handler.py b/nova/api/openstack/placement/handler.py
index 7d41031e37..f1bf225540 100644
--- a/nova/api/openstack/placement/handler.py
+++ b/nova/api/openstack/placement/handler.py
@@ -34,9 +34,11 @@ from nova.api.openstack.placement.handlers import resource_provider
 from nova.api.openstack.placement.handlers import root
 from nova.api.openstack.placement.handlers import usage
 from nova.api.openstack.placement import util
+from nova import conf
 from nova import exception
 from nova.i18n import _, _LE
 
+CONF = conf.CONF
 LOG = logging.getLogger(__name__)
 
 # URLs and Handlers
@@ -150,7 +152,10 @@ class PlacementHandler(object):
             # implement that, probably per handler. Also this is
             # just the wrong way to do things, but policy not
             # integrated yet.
-            if 'admin' not in context.to_policy_values()['roles']:
+            allowed = len(
+                set(CONF.placement.required_roles) &
+                set(context.to_policy_values()['roles'])) != 0
+            if not allowed:
                 raise webob.exc.HTTPForbidden(
                     _('admin required'),
                     json_formatter=util.json_error_formatter)
diff --git a/nova/conf/placement.py b/nova/conf/placement.py
index aa7fa02591..cccb177e29 100644
--- a/nova/conf/placement.py
+++ b/nova/conf/placement.py
@@ -27,6 +27,12 @@ catalog.
 Possible values:
 
 * Any string representing region name
+"""),
+
+    cfg.MultiStrOpt('required_roles',
+               default=['admin'],
+               help="""
+List of roles allowed to query the placement API.
 """),
 ]