Implement system scoped RBAC for conductor APIs

This commit updates the policies for baremetal conductor policies to understand
scope checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC experience and
improve security.

Change-Id: I331f46092405ffd399ad45ba4ccb6dc7639051e5

ironic/common/policy.py

@@ -1150,13 +1150,30 @@ volume_policies = [
     ),
 ]
 
+
+deprecated_conductor_get = policy.DeprecatedRule(
+    name='baremetal:conductor:get',
+    check_str='rule:is_admin or rule:is_observer'
+)
+deprecated_conductor_reason = """
+The baremetal conductor API is now aware of system scope and default
+roles.
+"""
+
 conductor_policies = [
     policy.DocumentedRuleDefault(
-        'baremetal:conductor:get',
-        'rule:is_admin or rule:is_observer',
-        'Retrieve Conductor records',
-        [{'path': '/conductors', 'method': 'GET'},
-         {'path': '/conductors/{hostname}', 'method': 'GET'}]),
+        name='baremetal:conductor:get',
+        check_str=SYSTEM_READER,
+        scope_types=['system'],
+        description='Retrieve Conductor records',
+        operations=[
+            {'path': '/conductors', 'method': 'GET'},
+            {'path': '/conductors/{hostname}', 'method': 'GET'}
+        ],
+        deprecated_rule=deprecated_conductor_get,
+        deprecated_reason=deprecated_conductor_reason,
+        deprecated_since=versionutils.deprecated.WALLABY
+    ),
 ]
 
 allocation_policies = [

ironic/tests/unit/api/test_rbac_legacy.yaml

@@ -1842,37 +1842,42 @@ conductors_get_admin:
   method: get
   headers: *admin_headers
   assert_status: 200
+  deprecated: true
 
 conductors_get_member:
   path: '/v1/conductors'
   method: get
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 conductors_get_observer:
   path: '/v1/conductors'
   method: get
   headers: *observer_headers
   assert_status: 200
-
+  deprecated: true
 
 conductors_hostname_get_admin:
   path: '/v1/conductors/{conductor_ident}'
   method: get
   headers: *admin_headers
   assert_status: 200
+  deprecated: true
 
 conductors_hostname_get_member:
   path: '/v1/conductors/{conductor_ident}'
   method: get
   headers: *member_headers
   assert_status: 403
+  deprecated: true
 
 conductors_hostname_get_observer:
   path: '/v1/conductors/{conductor_ident}'
   method: get
   headers: *observer_headers
   assert_status: 200
+  deprecated: true
 
 # Allocations - https://docs.openstack.org/api-ref/baremetal/#allocations-allocations
 

ironic/tests/unit/api/test_rbac_system_scoped.yaml

@@ -1601,43 +1601,36 @@ conductors_get_admin:
   method: get
   headers: *admin_headers
   assert_status: 200
-  skip_reason: not updated for scope testing
 
 conductors_get_member:
   path: '/v1/conductors'
   method: get
   headers: *scoped_member_headers
-  assert_status: 403
-  skip_reason: not updated for scope testing
+  assert_status: 200
 
 conductors_get_observer:
   path: '/v1/conductors'
   method: get
   headers: *observer_headers
   assert_status: 200
-  skip_reason: not updated for scope testing
-
 
 conductors_hostname_get_admin:
   path: '/v1/conductors/{conductor_ident}'
   method: get
   headers: *admin_headers
   assert_status: 200
-  skip_reason: not updated for scope testing
 
 conductors_hostname_get_member:
   path: '/v1/conductors/{conductor_ident}'
   method: get
   headers: *scoped_member_headers
-  assert_status: 403
-  skip_reason: not updated for scope testing
+  assert_status: 200
 
 conductors_hostname_get_observer:
   path: '/v1/conductors/{conductor_ident}'
   method: get
   headers: *observer_headers
   assert_status: 200
-  skip_reason: not updated for scope testing
 
 # Allocations - https://docs.openstack.org/api-ref/baremetal/#allocations-allocations
 

releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml

@@ -4,7 +4,7 @@ features:
     The Baremetal API, provided by the ironic-api process, now supports use of
     ``system`` scoped ``keystone`` authentication for the following endpoints:
     nodes, ports, portgroups, chassis, drivers, driver vendor passthru,
-    volume targets, volume connectors
+    volume targets, volume connectors, conductors
 upgrade:
   - |
     Deprecated policy rules are not expressed via a default policy file