Add support for service role in discovery API

The stores detail API used to only accepts request from admin users.
This patch modifies the policy to handle service to service interaction
to let other services (like cinder) use the information for
optimization use cases.

Change-Id: If193866b21bba1100d1e2ee7ffc2e3bd45474c05

glance/policies/base.py

@@ -89,6 +89,9 @@ SERVICE_OR_PROJECT_MEMBER = (
 )
 
 SERVICE = 'rule:service_api'
+SERVICE_ROLE = 'service_roles:service'
+
+ADMIN_OR_SERVICE_ROLE = f'{ADMIN} or {SERVICE_ROLE}'
 
 rules = [
     policy.RuleDefault(name='default', check_str='',

glance/policies/discovery.py

@@ -20,13 +20,17 @@ from glance.policies import base
 discovery_policies = [
     policy.DocumentedRuleDefault(
         name="stores_info_detail",
-        check_str=base.ADMIN,
+        check_str=base.ADMIN_OR_SERVICE_ROLE,
         scope_types=['project'],
         description='Expose store specific information',
         operations=[
             {'path': '/v2/info/stores/detail',
              'method': 'GET'}
-        ]
+        ],
+        deprecated_rule=policy.DeprecatedRule(
+            name="stores_info_detail", check_str=base.ADMIN,
+            deprecated_reason="Stores info detail now supports service role.",
+            deprecated_since="2025.1"),
     ),
 ]
 

releasenotes/notes/add-service-role-to-discovery-e37eb2fd74ed20ef.yaml

@@ -0,0 +1,11 @@
+---
+upgrade:
+  - |
+    The ``stores_info_detail`` policy has deprecated the rule
+    ``rule:context_is_admin`` in favor of ``rule:context_is_admin AND
+    service_roles:service`` to allow service to service interaction.
+deprecations:
+  - |
+    The ``stores_info_detail`` policy has deprecated the rule
+    ``rule:context_is_admin`` in favor of ``rule:context_is_admin AND
+    service_roles:service`` to allow service to service interaction.