fix: Remove invalid panko policy

1. remove invalid panko policy
2. remove install panko from post_install.sh
3. update policy

Change-Id: Icb23e4ff34ff47952294f711ddabd36cc9df706e

skyline_apiserver/policy/manager/ironic.py

@@ -92,28 +92,28 @@ list_rules = (
     base.APIRule(
         name="baremetal:node:get:last_error",
         check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
-        description="Governs if the node last_error field is masked from APIclients with insufficent privileges.",
+        description="Governs if the node last_error field is masked from API clients with insufficient privileges.",
         scope_types=["system", "project"],
         operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
     ),
     base.APIRule(
         name="baremetal:node:get:reservation",
         check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
-        description="Governs if the node reservation field is masked from APIclients with insufficent privileges.",
+        description="Governs if the node reservation field is masked from API clients with insufficient privileges.",
         scope_types=["system", "project"],
         operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
     ),
     base.APIRule(
         name="baremetal:node:get:driver_internal_info",
         check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
-        description="Governs if the node driver_internal_info field is masked from API clients with insufficent privileges.",
+        description="Governs if the node driver_internal_info field is masked from API clients with insufficient privileges.",
         scope_types=["system", "project"],
         operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
     ),
     base.APIRule(
         name="baremetal:node:get:driver_info",
         check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
-        description="Governs if the driver_info field is masked from APIclients with insufficent privileges.",
+        description="Governs if the driver_info field is masked from API clients with insufficient privileges.",
         scope_types=["system", "project"],
         operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
     ),
@@ -161,7 +161,7 @@ list_rules = (
     ),
     base.APIRule(
         name="baremetal:node:update:driver_interfaces",
-        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
         description="Governs if node driver and driver interfaces field can be updated via the API clients.",
         scope_types=["system", "project"],
         operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
@@ -210,7 +210,7 @@ list_rules = (
     ),
     base.APIRule(
         name="baremetal:node:update_instance_info",
-        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
         description="Update Node instance_info field",
         scope_types=["system", "project"],
         operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
@@ -231,35 +231,35 @@ list_rules = (
     ),
     base.APIRule(
         name="baremetal:node:validate",
-        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
         description="Request active validation of Nodes",
         scope_types=["system", "project"],
         operations=[{"method": "GET", "path": "/nodes/{node_ident}/validate"}],
     ),
     base.APIRule(
         name="baremetal:node:set_maintenance",
-        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
         description="Set maintenance flag, taking a Node out of service",
         scope_types=["system", "project"],
         operations=[{"method": "PUT", "path": "/nodes/{node_ident}/maintenance"}],
     ),
     base.APIRule(
         name="baremetal:node:clear_maintenance",
-        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
         description="Clear maintenance flag, placing the Node into service again",
         scope_types=["system", "project"],
         operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/maintenance"}],
     ),
     base.APIRule(
         name="baremetal:node:get_boot_device",
-        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
         description="Retrieve Node boot device metadata",
         scope_types=["system", "project"],
         operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"}, {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"}],
     ),
     base.APIRule(
         name="baremetal:node:set_boot_device",
-        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
         description="Change Node boot device",
         scope_types=["system", "project"],
         operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/boot_device"}],
@@ -280,7 +280,7 @@ list_rules = (
     ),
     base.APIRule(
         name="baremetal:node:inject_nmi",
-        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
         description="Inject NMI for a node",
         scope_types=["system", "project"],
         operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/inject_nmi"}],
@@ -315,7 +315,7 @@ list_rules = (
     ),
     base.APIRule(
         name="baremetal:node:set_provision_state",
-        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
         description="Change Node provision status",
         scope_types=["system", "project"],
         operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/provision"}],
@@ -350,14 +350,14 @@ list_rules = (
     ),
     base.APIRule(
         name="baremetal:node:vif:attach",
-        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
         description="Attach a VIF to a node",
         scope_types=["system", "project"],
         operations=[{"method": "POST", "path": "/nodes/{node_ident}/vifs"}],
     ),
     base.APIRule(
         name="baremetal:node:vif:detach",
-        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
         description="Detach a VIF from a node",
         scope_types=["system", "project"],
         operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/vifs/{node_vif_ident}"}],
@@ -371,14 +371,14 @@ list_rules = (
     ),
     base.APIRule(
         name="baremetal:node:traits:set",
-        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
         description="Add a trait to, or replace all traits of, a node",
         scope_types=["system", "project"],
         operations=[{"method": "PUT", "path": "/nodes/{node_ident}/traits"}, {"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"}],
     ),
     base.APIRule(
         name="baremetal:node:traits:delete",
-        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
         description="Remove one or all traits from a node",
         scope_types=["system", "project"],
         operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/traits"}, {"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"}],
@@ -427,21 +427,21 @@ list_rules = (
     ),
     base.APIRule(
         name="baremetal:port:create",
-        check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+        check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
         description="Create Port records",
         scope_types=["system", "project"],
         operations=[{"method": "POST", "path": "/ports"}],
     ),
     base.APIRule(
         name="baremetal:port:delete",
-        check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+        check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
         description="Delete Port records",
         scope_types=["system", "project"],
         operations=[{"method": "DELETE", "path": "/ports/{port_id}"}],
     ),
     base.APIRule(
         name="baremetal:port:update",
-        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
         description="Update Port records",
         scope_types=["system", "project"],
         operations=[{"method": "PATCH", "path": "/ports/{port_id}"}],
@@ -455,21 +455,21 @@ list_rules = (
     ),
     base.APIRule(
         name="baremetal:portgroup:create",
-        check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+        check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
         description="Create Portgroup records",
         scope_types=["system", "project"],
         operations=[{"method": "POST", "path": "/portgroups"}],
     ),
     base.APIRule(
         name="baremetal:portgroup:delete",
-        check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+        check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
         description="Delete Portgroup records",
         scope_types=["system", "project"],
         operations=[{"method": "DELETE", "path": "/portgroups/{portgroup_ident}"}],
     ),
     base.APIRule(
         name="baremetal:portgroup:update",
-        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
+        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
         description="Update Portgroup records",
         scope_types=["system", "project"],
         operations=[{"method": "PATCH", "path": "/portgroups/{portgroup_ident}"}],
@@ -588,21 +588,21 @@ list_rules = (
     ),
     base.APIRule(
         name="baremetal:volume:create",
-        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
         description="Create Volume connector and target records",
         scope_types=["system", "project"],
         operations=[{"method": "POST", "path": "/volume/connectors"}, {"method": "POST", "path": "/volume/targets"}],
     ),
     base.APIRule(
         name="baremetal:volume:delete",
-        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+        check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
         description="Delete Volume connector and target records",
         scope_types=["system", "project"],
         operations=[{"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "DELETE", "path": "/volume/targets/{volume_target_id}"}],
     ),
     base.APIRule(
         name="baremetal:volume:update",
-        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
+        check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
         description="Update Volume connector and target records",
         scope_types=["system", "project"],
         operations=[{"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "PATCH", "path": "/volume/targets/{volume_target_id}"}],

skyline_apiserver/policy/manager/neutron.py

@@ -1104,6 +1104,34 @@ list_rules = (
         scope_types=["project"],
         operations=[{"method": "DELETE", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}"}],
     ),
+    base.APIRule(
+        name="get_policy_packet_rate_limit_rule",
+        check_str=("role:reader and project_id:%(project_id)s"),
+        description="Get a QoS packet rate limit rule",
+        scope_types=["project"],
+        operations=[{"method": "GET", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules"}, {"method": "GET", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}"}],
+    ),
+    base.APIRule(
+        name="create_policy_packet_rate_limit_rule",
+        check_str=("role:admin and project_id:%(project_id)s"),
+        description="Create a QoS packet rate limit rule",
+        scope_types=["project"],
+        operations=[{"method": "POST", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules"}],
+    ),
+    base.APIRule(
+        name="update_policy_packet_rate_limit_rule",
+        check_str=("role:admin and project_id:%(project_id)s"),
+        description="Update a QoS packet rate limit rule",
+        scope_types=["project"],
+        operations=[{"method": "PUT", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}"}],
+    ),
+    base.APIRule(
+        name="delete_policy_packet_rate_limit_rule",
+        check_str=("role:admin and project_id:%(project_id)s"),
+        description="Delete a QoS packet rate limit rule",
+        scope_types=["project"],
+        operations=[{"method": "DELETE", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}"}],
+    ),
     base.APIRule(
         name="get_policy_dscp_marking_rule",
         check_str=("role:reader and project_id:%(project_id)s"),

skyline_apiserver/policy/manager/nova.py

@@ -1229,6 +1229,13 @@ list_rules = (
         scope_types=["project"],
         operations=[{"method": "POST", "path": "/servers/{server_id}/action (unshelve)"}],
     ),
+    base.APIRule(
+        name="os_compute_api:os-shelve:unshelve_to_host",
+        check_str=("rule:project_admin_api"),
+        description="Unshelve (restore) shelve offloaded server to a specific host",
+        scope_types=["project"],
+        operations=[{"method": "POST", "path": "/servers/{server_id}/action (unshelve)"}],
+    ),
     base.APIRule(
         name="os_compute_api:os-shelve:shelve_offload",
         check_str=("rule:project_admin_api"),

skyline_apiserver/policy/manager/panko.py

@@ -1,35 +0,0 @@
-# flake8: noqa
-# fmt: off
-
-from . import base
-
-list_rules = (
-    base.Rule(
-        name="context_is_admin",
-        check_str=("role:admin"),
-        description="No description",
-    ),
-    base.APIRule(
-        name="segregation",
-        check_str=("role:admin and system_scope:all"),
-        description="Return the user and project the requestshould be limited to",
-        scope_types=["system"],
-        operations=[{"method": "GET", "path": "/v2/events"}, {"method": "GET", "path": "/v2/events/{message_id}"}],
-    ),
-    base.APIRule(
-        name="telemetry:events:index",
-        check_str=(""),
-        description="Return all events matching the query filters.",
-        scope_types=["system", "project"],
-        operations=[{"method": "GET", "path": "/v2/events"}],
-    ),
-    base.APIRule(
-        name="telemetry:events:show",
-        check_str=(""),
-        description="Return a single event with the given message id.",
-        scope_types=["system", "project"],
-        operations=[{"method": "GET", "path": "/v2/events/{message_id}"}],
-    ),
-)
-
-__all__ = ("list_rules",)

tools/post_install.sh

@@ -2,10 +2,6 @@
 
 set -ex
 
-# Some projects have been DEPRECATED.
-# panko: https://opendev.org/openstack/panko
-INSTALL_DEPRECATED_PROJECTS="panko"
-
 INSTALL_PROJECTS="keystone \
     placement \
     nova \
@@ -27,8 +23,3 @@ for project in ${INSTALL_PROJECTS}
 do
     pip install -U git+https://opendev.org/openstack/${project}@${BRANCH}
 done
-
-for deprecated_project in ${INSTALL_DEPRECATED_PROJECTS}
-do
-    pip install -U ${deprecated_project}
-done