Remove deprecated 'os-flavor-manage' policy

Remove the 'os_compute_api:os-flavor-manage' policy.
The 'os_compute_api:os-flavor-manage' policy has been deprecated
since 16.0.0 Pike.
The policy has been replaced with the following policies.

- os_compute_api:os-flavor-manage:create
- os_compute_api:os-flavor-manage:delete

Change-Id: I856498dfcebfa330598a22dd7c660bd6f158351b

doc/source/admin/flavors.rst

@@ -19,8 +19,10 @@ manage flavors. To see information for this command, run:
 .. note::
 
    Configuration rights can be delegated to additional users by redefining
-   the access controls for ``os_compute_api:os-flavor-manage`` in
+   the access controls for ``os_compute_api:os-flavor-manage:create``,
-   ``/etc/nova/policy.json`` on the ``nova-api`` server.
+   ``os_compute_api:os-flavor-manage:update`` and
+   ``os_compute_api:os-flavor-manage:delete`` in ``/etc/nova/policy.json``
+   on the ``nova-api`` server.
 
 .. note::
 

nova/api/openstack/compute/flavor_manage.py

@@ -20,10 +20,8 @@ from nova.api import validation
 from nova.compute import flavors
 from nova import exception
 from nova import objects
-from nova.policies import base
 from nova.policies import flavor_extra_specs as fes_policies
 from nova.policies import flavor_manage as fm_policies
-from nova import policy
 
 
 ALIAS = "os-flavor-manage"
@@ -44,15 +42,7 @@ class FlavorManageController(wsgi.Controller):
     @wsgi.action("delete")
     def _delete(self, req, id):
         context = req.environ['nova.context']
-        # TODO(rb560u): remove this check in future release
+        context.can(fm_policies.POLICY_ROOT % 'delete')
-        using_old_action = \
-            policy.verify_deprecated_policy(fm_policies.BASE_POLICY_NAME,
-                fm_policies.POLICY_ROOT % 'delete',
-                base.RULE_ADMIN_API,
-                context)
-
-        if not using_old_action:
-            context.can(fm_policies.POLICY_ROOT % 'delete')
 
         flavor = objects.Flavor(context=context, flavorid=id)
         try:
@@ -70,15 +60,7 @@ class FlavorManageController(wsgi.Controller):
                        flavors_view.FLAVOR_DESCRIPTION_MICROVERSION)
     def _create(self, req, body):
         context = req.environ['nova.context']
-        # TODO(rb560u): remove this check in future release
+        context.can(fm_policies.POLICY_ROOT % 'create')
-        using_old_action = \
-            policy.verify_deprecated_policy(fm_policies.BASE_POLICY_NAME,
-                fm_policies.POLICY_ROOT % 'create',
-                base.RULE_ADMIN_API,
-                context)
-
-        if not using_old_action:
-            context.can(fm_policies.POLICY_ROOT % 'create')
 
         vals = body['flavor']
 

nova/policies/flavor_manage.py

@@ -19,32 +19,13 @@ from oslo_policy import policy
 from nova.policies import base
 
 
-BASE_POLICY_NAME = 'os_compute_api:os-flavor-manage'
 POLICY_ROOT = 'os_compute_api:os-flavor-manage:%s'
-BASE_POLICY_RULE = 'rule:%s' % BASE_POLICY_NAME
 
 
 flavor_manage_policies = [
-    # TODO(rb560u): remove this rule in future release
-    policy.DocumentedRuleDefault(
-        BASE_POLICY_NAME,
-        base.RULE_ADMIN_API,
-        "Create and delete Flavors. Deprecated in Pike and will be "
-        "removed in future release",
-        [
-            {
-                'method': 'POST',
-                'path': '/flavors'
-            },
-            {
-                'method': 'DELETE',
-                'path': '/flavors/{flavor_id}'
-            },
-
-        ]),
     policy.DocumentedRuleDefault(
         POLICY_ROOT % 'create',
-        BASE_POLICY_RULE,
+        base.RULE_ADMIN_API,
         "Create a flavor",
         [
             {
@@ -64,7 +45,7 @@ flavor_manage_policies = [
         ]),
     policy.DocumentedRuleDefault(
         POLICY_ROOT % 'delete',
-        BASE_POLICY_RULE,
+        base.RULE_ADMIN_API,
         "Delete a flavor",
         [
             {

nova/tests/unit/api/openstack/compute/test_flavor_manage.py

@@ -25,7 +25,6 @@ from nova.compute import flavors
 from nova.db import api as db
 from nova import exception
 from nova import objects
-from nova import policy
 from nova import test
 from nova.tests.unit.api.openstack import fakes
 
@@ -494,7 +493,7 @@ class FlavorManagerPolicyEnforcementV21(test.TestCase):
         self.req = fakes.HTTPRequest.blank('')
 
     def test_create_policy_failed(self):
-        rule_name = "os_compute_api:os-flavor-manage"
+        rule_name = "os_compute_api:os-flavor-manage:create"
         self.policy.set_rules({rule_name: "project:non_fake"})
         exc = self.assertRaises(
             exception.PolicyNotAuthorized,
@@ -514,7 +513,7 @@ class FlavorManagerPolicyEnforcementV21(test.TestCase):
             exc.format_message())
 
     def test_delete_policy_failed(self):
-        rule_name = "os_compute_api:os-flavor-manage"
+        rule_name = "os_compute_api:os-flavor-manage:delete"
         self.policy.set_rules({rule_name: "project:non_fake"})
         exc = self.assertRaises(
             exception.PolicyNotAuthorized,
@@ -526,170 +525,6 @@ class FlavorManagerPolicyEnforcementV21(test.TestCase):
             "Policy doesn't allow %s to be performed." % rule_name,
             exc.format_message())
 
-    @mock.patch.object(policy.LOG, 'warning')
-    def test_create_policy_rbac_inherit_default(self, mock_warning):
-        """Test to verify inherited rule is working. The rule of the
-           deprecated action is not set to the default, so the deprecated
-           action is being enforced
-        """
-
-        default_flavor_policy = "os_compute_api:os-flavor-manage"
-        create_flavor_policy = "os_compute_api:os-flavor-manage:create"
-        rules = {default_flavor_policy: 'is_admin:True',
-                 create_flavor_policy: 'rule:%s' % default_flavor_policy,
-                 "os_compute_api:os-flavor-access": "project:non_fake"}
-        self.policy.set_rules(rules)
-        body = {
-            "flavor": {
-                "name": "azAZ09. -_",
-                "ram": 512,
-                "vcpus": 2,
-                "disk": 1,
-                "OS-FLV-EXT-DATA:ephemeral": 1,
-                "id": six.text_type('1234'),
-                "swap": 512,
-                "rxtx_factor": 1,
-                "os-flavor-access:is_public": True,
-            }
-        }
-        # check for success as admin
-        self.controller._create(self.adm_req, body=body)
-        # check for failure as non-admin
-        exc = self.assertRaises(exception.PolicyNotAuthorized,
-                                self.controller._create, self.req,
-                                body=body)
-        # The deprecated action is being enforced since the rule that is
-        # configured is different than the default rule
-        self.assertEqual(
-            "Policy doesn't allow %s to be performed." % default_flavor_policy,
-            exc.format_message())
-        mock_warning.assert_called_with("Start using the new action "
-            "'%(new_policy)s'. The existing action '%(old_policy)s' is being "
-            "deprecated and will be removed in future release.",
-            {'new_policy': create_flavor_policy,
-             'old_policy': default_flavor_policy})
-
-    @mock.patch.object(policy.LOG, 'warning')
-    def test_delete_policy_rbac_inherit_default(self, mock_warning):
-        """Test to verify inherited rule is working. The rule of the
-           deprecated action is not set to the default, so the deprecated
-           action is being enforced
-        """
-
-        default_flavor_policy = "os_compute_api:os-flavor-manage"
-        create_flavor_policy = "os_compute_api:os-flavor-manage:create"
-        delete_flavor_policy = "os_compute_api:os-flavor-manage:delete"
-        rules = {default_flavor_policy: 'is_admin:True',
-                 create_flavor_policy: 'rule:%s' % default_flavor_policy,
-                 delete_flavor_policy: 'rule:%s' % default_flavor_policy}
-        self.policy.set_rules(rules)
-        body = {
-            "flavor": {
-                "name": "azAZ09. -_",
-                "ram": 512,
-                "vcpus": 2,
-                "disk": 1,
-                "OS-FLV-EXT-DATA:ephemeral": 1,
-                "id": six.text_type('1234'),
-                "swap": 512,
-                "rxtx_factor": 1,
-                "os-flavor-access:is_public": True,
-            }
-        }
-        self.flavor = self.controller._create(self.adm_req, body=body)
-        mock_warning.assert_called_once_with("Start using the new "
-            "action '%(new_policy)s'. The existing action '%(old_policy)s' "
-            "is being deprecated and will be removed in future release.",
-            {'new_policy': create_flavor_policy,
-             'old_policy': default_flavor_policy})
-        # check for success as admin
-        flavor = self.flavor
-        self.controller._delete(self.adm_req, flavor['flavor']['id'])
-        # check for failure as non-admin
-        flavor = self.flavor
-        exc = self.assertRaises(exception.PolicyNotAuthorized,
-                                self.controller._delete, self.req,
-                                flavor['flavor']['id'])
-        # The deprecated action is being enforced since the rule that is
-        # configured is different than the default rule
-        self.assertEqual(
-            "Policy doesn't allow %s to be performed." % default_flavor_policy,
-            exc.format_message())
-        mock_warning.assert_called_with("Start using the new "
-            "action '%(new_policy)s'. The existing action '%(old_policy)s' "
-            "is being deprecated and will be removed in future release.",
-            {'new_policy': delete_flavor_policy,
-             'old_policy': default_flavor_policy})
-
-    def test_create_policy_rbac_no_change_to_default_action_rule(self):
-        """Test to verify the correct action is being enforced. When the
-           rule configured for the deprecated action is the same as the
-           default, the new action should be enforced.
-        """
-
-        default_flavor_policy = "os_compute_api:os-flavor-manage"
-        create_flavor_policy = "os_compute_api:os-flavor-manage:create"
-        # The default rule of the deprecated action is admin_api
-        rules = {default_flavor_policy: 'rule:admin_api',
-                 create_flavor_policy: 'rule:%s' % default_flavor_policy}
-        self.policy.set_rules(rules)
-        body = {
-            "flavor": {
-                "name": "azAZ09. -_",
-                "ram": 512,
-                "vcpus": 2,
-                "disk": 1,
-                "OS-FLV-EXT-DATA:ephemeral": 1,
-                "id": six.text_type('1234'),
-                "swap": 512,
-                "rxtx_factor": 1,
-                "os-flavor-access:is_public": True,
-            }
-        }
-        exc = self.assertRaises(exception.PolicyNotAuthorized,
-                                self.controller._create, self.req,
-                                body=body)
-        self.assertEqual(
-            "Policy doesn't allow %s to be performed." % create_flavor_policy,
-            exc.format_message())
-
-    def test_delete_policy_rbac_change_to_default_action_rule(self):
-        """Test to verify the correct action is being enforced. When the
-           rule configured for the deprecated action is the same as the
-           default, the new action should be enforced.
-        """
-
-        default_flavor_policy = "os_compute_api:os-flavor-manage"
-        create_flavor_policy = "os_compute_api:os-flavor-manage:create"
-        delete_flavor_policy = "os_compute_api:os-flavor-manage:delete"
-        # The default rule of the deprecated action is admin_api
-        # Set the rule of the create flavor action to is_admin:True so that
-        # admin context can be used to create a flavor
-        rules = {default_flavor_policy: 'rule:admin_api',
-                 create_flavor_policy: 'is_admin:True',
-                 delete_flavor_policy: 'rule:%s' % default_flavor_policy}
-        self.policy.set_rules(rules)
-        body = {
-            "flavor": {
-                "name": "azAZ09. -_",
-                "ram": 512,
-                "vcpus": 2,
-                "disk": 1,
-                "OS-FLV-EXT-DATA:ephemeral": 1,
-                "id": six.text_type('1234'),
-                "swap": 512,
-                "rxtx_factor": 1,
-                "os-flavor-access:is_public": True,
-            }
-        }
-        flavor = self.controller._create(self.adm_req, body=body)
-        exc = self.assertRaises(exception.PolicyNotAuthorized,
-                                self.controller._delete, self.req,
-                                flavor['flavor']['id'])
-        self.assertEqual(
-            "Policy doesn't allow %s to be performed." % delete_flavor_policy,
-            exc.format_message())
-
     def test_flavor_update_non_admin_fails(self):
         """Tests that trying to update a flavor as a non-admin fails due
         to the default policy.

nova/tests/unit/fake_policy.py

@@ -44,7 +44,6 @@ policy_data = """
     "os_compute_api:os-flavor-access:add_tenant_access": "",
     "os_compute_api:os-flavor-extra-specs:index": "",
     "os_compute_api:os-flavor-extra-specs:show": "",
-    "os_compute_api:os-flavor-manage": "",
     "os_compute_api:os-flavor-manage:create": "",
     "os_compute_api:os-flavor-manage:delete": "",
     "os_compute_api:os-floating-ip-pools": "",

nova/tests/unit/test_policy.py

@@ -309,7 +309,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-flavor-extra-specs:create",
 "os_compute_api:os-flavor-extra-specs:update",
 "os_compute_api:os-flavor-extra-specs:delete",
-"os_compute_api:os-flavor-manage",
 "os_compute_api:os-flavor-manage:create",
 "os_compute_api:os-flavor-manage:update",
 "os_compute_api:os-flavor-manage:delete",

releasenotes/notes/remove-deprecated-os-flavor-manage-policy-138296853d957c5f.yaml

@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    The ``os_compute_api:os-flavor-manage`` policy has been removed
+    because it has been deprecated since 16.0.0.
+    Use the following policies instead:
+
+    * ``os_compute_api:os-flavor-manage:create``
+    * ``os_compute_api:os-flavor-manage:delete``