omadjoudj/Victoria-Yoga-diff-flavor_access.py.diff

## Victoria-Yoga-diff-flavor_access.py.diff
--- a/nova/policies/flavor_access.py
+++ b/nova/policies/flavor_access.py
@@ -25,25 +25,27 @@ POLICY_ROOT = 'os_compute_api:os-flavor-access:%s'
 #  NOTE(gmann): Deprecating this policy explicitly as old defaults
 #  admin or owner is not suitable for that which should be admin (Bug#1867840)
 #  but changing that will break old deployment so let's keep supporting
-# the old default also and new default can be SYSTEM_READER
-# SYSTEM_READER rule in base class is defined with the deprecated rule of admin
+# the old default also and new default can be System Admin.
+# System Admin rule in base class is defined with the deprecated rule of admin
 #  not admin or owner which is the main reason that we need to explicitly
 #  deprecate this policy here.
-DEPRECATED_FLAVOR_ACCESS_POLICY = policy.DeprecatedRule(
-    BASE_POLICY_NAME,
-    base.RULE_ADMIN_OR_OWNER,
-)
-
 DEPRECATED_REASON = """
 Nova API policies are introducing new default roles with scope_type
 capabilities. Old policies are deprecated and silently going to be ignored
 in nova 23.0.0 release.
 """

+DEPRECATED_FLAVOR_ACCESS_POLICY = policy.DeprecatedRule(
+    BASE_POLICY_NAME,
+    base.RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since='21.0.0'
+)
+
 flavor_access_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'add_tenant_access',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Add flavor access to a tenant",
         operations=[
             {
@@ -54,7 +56,7 @@ flavor_access_policies = [
         scope_types=['system']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'remove_tenant_access',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Remove flavor access from a tenant",
         operations=[
             {
@@ -65,7 +67,7 @@ flavor_access_policies = [
         scope_types=['system']),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="""List flavor access information

 Allows access to the full list of tenants that have access
@@ -78,9 +80,7 @@ to a flavor via an os-flavor-access API.
             },
         ],
         scope_types=['system'],
-        deprecated_rule=DEPRECATED_FLAVOR_ACCESS_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0'),
+        deprecated_rule=DEPRECATED_FLAVOR_ACCESS_POLICY),
 ]
	--- a/nova/policies/flavor_access.py
	+++ b/nova/policies/flavor_access.py
	@@ -25,25 +25,27 @@ POLICY_ROOT = 'os_compute_api:os-flavor-access:%s'
	# NOTE(gmann): Deprecating this policy explicitly as old defaults
	# admin or owner is not suitable for that which should be admin (Bug#1867840)
	# but changing that will break old deployment so let's keep supporting
	-# the old default also and new default can be SYSTEM_READER
	-# SYSTEM_READER rule in base class is defined with the deprecated rule of admin
	+# the old default also and new default can be System Admin.
	+# System Admin rule in base class is defined with the deprecated rule of admin
	# not admin or owner which is the main reason that we need to explicitly
	# deprecate this policy here.
	-DEPRECATED_FLAVOR_ACCESS_POLICY = policy.DeprecatedRule(
	- BASE_POLICY_NAME,
	- base.RULE_ADMIN_OR_OWNER,
	-)
	-
	DEPRECATED_REASON = """
	Nova API policies are introducing new default roles with scope_type
	capabilities. Old policies are deprecated and silently going to be ignored
	in nova 23.0.0 release.
	"""

	+DEPRECATED_FLAVOR_ACCESS_POLICY = policy.DeprecatedRule(
	+ BASE_POLICY_NAME,
	+ base.RULE_ADMIN_OR_OWNER,
	+ deprecated_reason=DEPRECATED_REASON,
	+ deprecated_since='21.0.0'
	+)
	+
	flavor_access_policies = [
	policy.DocumentedRuleDefault(
	name=POLICY_ROOT % 'add_tenant_access',
	- check_str=base.SYSTEM_ADMIN,
	+ check_str=base.ADMIN,
	description="Add flavor access to a tenant",
	operations=[
	{
	@@ -54,7 +56,7 @@ flavor_access_policies = [
	scope_types=['system']),
	policy.DocumentedRuleDefault(
	name=POLICY_ROOT % 'remove_tenant_access',
	- check_str=base.SYSTEM_ADMIN,
	+ check_str=base.ADMIN,
	description="Remove flavor access from a tenant",
	operations=[
	{
	@@ -65,7 +67,7 @@ flavor_access_policies = [
	scope_types=['system']),
	policy.DocumentedRuleDefault(
	name=BASE_POLICY_NAME,
	- check_str=base.SYSTEM_READER,
	+ check_str=base.ADMIN,
	description="""List flavor access information

	Allows access to the full list of tenants that have access
	@@ -78,9 +80,7 @@ to a flavor via an os-flavor-access API.
	},
	],
	scope_types=['system'],
	- deprecated_rule=DEPRECATED_FLAVOR_ACCESS_POLICY,
	- deprecated_reason=DEPRECATED_REASON,
	- deprecated_since='21.0.0'),
	+ deprecated_rule=DEPRECATED_FLAVOR_ACCESS_POLICY),
	]