Fix oslo policy DeprecatedRule warnings

Since 3.7.0, oslo policy started the DeprecationWarning[1] if
deprecated_reason and deprecated_since param are not passed
in DeprecatedRule or they are passed in RuleDefault object.

[1] https://github.com/openstack/oslo.policy/blob/3.7.0/oslo_policy/policy.py#L1538

Change-Id: Idbbc203c6ae65aee29f9463a4911bae2bb541f41

Author: gmaanos

lower-constraints.txt

@@ -76,7 +76,7 @@ oslo.i18n==5.0.1
 oslo.log==4.4.0
 oslo.messaging==10.3.0
 oslo.middleware==3.31.0
-oslo.policy==3.6.0
+oslo.policy==3.7.0
 oslo.privsep==2.4.0
 oslo.reports==1.18.0
 oslo.rootwrap==5.8.0

nova/policies/attach_interfaces.py

@@ -20,17 +20,20 @@
 
 BASE_POLICY_NAME = 'os_compute_api:os-attach-interfaces'
 POLICY_ROOT = 'os_compute_api:os-attach-interfaces:%s'
-DEPRECATED_INTERFACES_POLICY = policy.DeprecatedRule(
-    BASE_POLICY_NAME,
-    base.RULE_ADMIN_OR_OWNER,
-)
 
 DEPRECATED_REASON = """
 Nova API policies are introducing new default roles with scope_type
 capabilities. Old policies are deprecated and silently going to be ignored
 in nova 23.0.0 release.
 """
 
+DEPRECATED_INTERFACES_POLICY = policy.DeprecatedRule(
+    BASE_POLICY_NAME,
+    base.RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since='21.0.0',
+)
+
 attach_interfaces_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'list',
@@ -43,9 +46,7 @@
             },
         ],
         scope_types=['system', 'project'],
-        deprecated_rule=DEPRECATED_INTERFACES_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0'),
+        deprecated_rule=DEPRECATED_INTERFACES_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'show',
         check_str=base.PROJECT_READER_OR_SYSTEM_READER,
@@ -57,9 +58,7 @@
             }
         ],
         scope_types=['system', 'project'],
-        deprecated_rule=DEPRECATED_INTERFACES_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0'),
+        deprecated_rule=DEPRECATED_INTERFACES_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'create',
         check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
@@ -71,9 +70,7 @@
             }
         ],
         scope_types=['system', 'project'],
-        deprecated_rule=DEPRECATED_INTERFACES_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0'),
+        deprecated_rule=DEPRECATED_INTERFACES_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'delete',
         check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
@@ -85,9 +82,7 @@
             }
         ],
         scope_types=['system', 'project'],
-        deprecated_rule=DEPRECATED_INTERFACES_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0')
+        deprecated_rule=DEPRECATED_INTERFACES_POLICY)
 ]
 
 

nova/policies/baremetal_nodes.py

@@ -21,17 +21,19 @@
 ROOT_POLICY = 'os_compute_api:os-baremetal-nodes'
 BASE_POLICY_NAME = 'os_compute_api:os-baremetal-nodes:%s'
 
-DEPRECATED_BAREMETAL_POLICY = policy.DeprecatedRule(
-    ROOT_POLICY,
-    base.RULE_ADMIN_API,
-)
-
 DEPRECATED_REASON = """
 Nova API policies are introducing new default roles with scope_type
 capabilities. Old policies are deprecated and silently going to be ignored
 in nova 23.0.0 release.
 """
 
+DEPRECATED_BAREMETAL_POLICY = policy.DeprecatedRule(
+    ROOT_POLICY,
+    base.RULE_ADMIN_API,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since='22.0.0'
+)
+
 
 baremetal_nodes_policies = [
     policy.DocumentedRuleDefault(
@@ -48,9 +50,7 @@
             }
         ],
         scope_types=['system'],
-        deprecated_rule=DEPRECATED_BAREMETAL_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='22.0.0'),
+        deprecated_rule=DEPRECATED_BAREMETAL_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
         check_str=base.SYSTEM_READER,
@@ -62,9 +62,7 @@
             }
         ],
         scope_types=['system'],
-        deprecated_rule=DEPRECATED_BAREMETAL_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='22.0.0')
+        deprecated_rule=DEPRECATED_BAREMETAL_POLICY)
 ]
 
 

nova/policies/base.py

@@ -17,22 +17,26 @@
 RULE_ANY = '@'  # Any user is allowed to perform the action.
 RULE_NOBODY = '!'  # No users are allowed to perform the action.
 
+DEPRECATED_REASON = """
+Nova API policies are introducing new default roles with scope_type
+capabilities. Old policies are deprecated and silently going to be ignored
+in nova 23.0.0 release.
+"""
+
 DEPRECATED_ADMIN_POLICY = policy.DeprecatedRule(
     name=RULE_ADMIN_API,
     check_str='is_admin:True',
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since='21.0.0'
 )
 
 DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
     name=RULE_ADMIN_OR_OWNER,
     check_str='is_admin:True or project_id:%(project_id)s',
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since='21.0.0'
 )
 
-DEPRECATED_REASON = """
-Nova API policies are introducing new default roles with scope_type
-capabilities. Old policies are deprecated and silently going to be ignored
-in nova 23.0.0 release.
-"""
-
 # TODO(gmann): # Special string ``system_scope:all`` is added for system
 # scoped policies for backwards compatibility where ``nova.conf [oslo_policy]
 # enforce_scope = False``.
@@ -103,30 +107,22 @@
         name="system_admin_api",
         check_str='role:admin and system_scope:all',
         description="Default rule for System Admin APIs.",
-        deprecated_rule=DEPRECATED_ADMIN_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0'),
+        deprecated_rule=DEPRECATED_ADMIN_POLICY),
     policy.RuleDefault(
         name="system_reader_api",
         check_str="role:reader and system_scope:all",
         description="Default rule for System level read only APIs.",
-        deprecated_rule=DEPRECATED_ADMIN_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0'),
+        deprecated_rule=DEPRECATED_ADMIN_POLICY),
     policy.RuleDefault(
         "project_admin_api",
         "role:admin and project_id:%(project_id)s",
         "Default rule for Project level admin APIs.",
-        deprecated_rule=DEPRECATED_ADMIN_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0'),
+        deprecated_rule=DEPRECATED_ADMIN_POLICY),
     policy.RuleDefault(
         "project_member_api",
         "role:member and project_id:%(project_id)s",
         "Default rule for Project level non admin APIs.",
-        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0'),
+        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
     policy.RuleDefault(
         "project_reader_api",
         "role:reader and project_id:%(project_id)s",
@@ -135,16 +131,12 @@
         name="system_admin_or_owner",
         check_str="rule:system_admin_api or rule:project_member_api",
         description="Default rule for System admin+owner APIs.",
-        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0'),
+        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
     policy.RuleDefault(
         "system_or_project_reader",
         "rule:system_reader_api or rule:project_reader_api",
         "Default rule for System+Project read only APIs.",
-        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0')
+        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY)
 ]
 
 

nova/policies/deferred_delete.py

@@ -20,17 +20,19 @@
 
 BASE_POLICY_NAME = 'os_compute_api:os-deferred-delete:%s'
 
-DEPRECATED_POLICY = policy.DeprecatedRule(
-    'os_compute_api:os-deferred-delete',
-    base.RULE_ADMIN_OR_OWNER,
-)
-
 DEPRECATED_REASON = """
 Nova API policies are introducing new default roles with scope_type
 capabilities. Old policies are deprecated and silently going to be ignored
 in nova 23.0.0 release.
 """
 
+DEPRECATED_POLICY = policy.DeprecatedRule(
+    'os_compute_api:os-deferred-delete',
+    base.RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since='21.0.0'
+)
+
 deferred_delete_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'restore',
@@ -43,9 +45,7 @@
             },
         ],
         scope_types=['system', 'project'],
-        deprecated_rule=DEPRECATED_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0'),
+        deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'force',
         check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
@@ -57,9 +57,7 @@
             }
         ],
         scope_types=['system', 'project'],
-        deprecated_rule=DEPRECATED_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0')
+        deprecated_rule=DEPRECATED_POLICY)
 ]
 
 

nova/policies/flavor_access.py

@@ -29,17 +29,19 @@
 # SYSTEM_READER rule in base class is defined with the deprecated rule of admin
 # not admin or owner which is the main reason that we need to explicitly
 # deprecate this policy here.
-DEPRECATED_FLAVOR_ACCESS_POLICY = policy.DeprecatedRule(
-    BASE_POLICY_NAME,
-    base.RULE_ADMIN_OR_OWNER,
-)
-
 DEPRECATED_REASON = """
 Nova API policies are introducing new default roles with scope_type
 capabilities. Old policies are deprecated and silently going to be ignored
 in nova 23.0.0 release.
 """
 
+DEPRECATED_FLAVOR_ACCESS_POLICY = policy.DeprecatedRule(
+    BASE_POLICY_NAME,
+    base.RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since='21.0.0'
+)
+
 flavor_access_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'add_tenant_access',
@@ -78,9 +80,7 @@
             },
         ],
         scope_types=['system'],
-        deprecated_rule=DEPRECATED_FLAVOR_ACCESS_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='21.0.0'),
+        deprecated_rule=DEPRECATED_FLAVOR_ACCESS_POLICY),
 ]
 
 

nova/policies/floating_ips.py

@@ -21,17 +21,19 @@
 ROOT_POLICY = 'os_compute_api:os-floating-ips'
 BASE_POLICY_NAME = 'os_compute_api:os-floating-ips:%s'
 
-DEPRECATED_FIP_POLICY = policy.DeprecatedRule(
-    ROOT_POLICY,
-    base.RULE_ADMIN_OR_OWNER,
-)
-
 DEPRECATED_REASON = """
 Nova API policies are introducing new default roles with scope_type
 capabilities. Old policies are deprecated and silently going to be ignored
 in nova 23.0.0 release.
 """
 
+DEPRECATED_FIP_POLICY = policy.DeprecatedRule(
+    ROOT_POLICY,
+    base.RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since='22.0.0'
+)
+
 
 floating_ips_policies = [
     policy.DocumentedRuleDefault(
@@ -46,9 +48,7 @@
             }
         ],
         scope_types=['system', 'project'],
-        deprecated_rule=DEPRECATED_FIP_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='22.0.0'),
+        deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'remove',
         check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
@@ -61,9 +61,7 @@
             }
         ],
         scope_types=['system', 'project'],
-        deprecated_rule=DEPRECATED_FIP_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='22.0.0'),
+        deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'list',
         check_str=base.PROJECT_READER_OR_SYSTEM_READER,
@@ -75,9 +73,7 @@
             }
         ],
         scope_types=['system', 'project'],
-        deprecated_rule=DEPRECATED_FIP_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='22.0.0'),
+        deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
         check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
@@ -89,9 +85,7 @@
             }
         ],
         scope_types=['system', 'project'],
-        deprecated_rule=DEPRECATED_FIP_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='22.0.0'),
+        deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
         check_str=base.PROJECT_READER_OR_SYSTEM_READER,
@@ -103,9 +97,7 @@
             }
         ],
         scope_types=['system', 'project'],
-        deprecated_rule=DEPRECATED_FIP_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='22.0.0'),
+        deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
         check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
@@ -117,9 +109,7 @@
             }
         ],
         scope_types=['system', 'project'],
-        deprecated_rule=DEPRECATED_FIP_POLICY,
-        deprecated_reason=DEPRECATED_REASON,
-        deprecated_since='22.0.0'),
+        deprecated_rule=DEPRECATED_FIP_POLICY),
 ]