Simplify policy.json

Ironic's policy code was recently refactored.  As part of that work,
a new 'trusted_call' rule was added to policy.json that allows
granting/denying access to public APIs.  This is problematic, though,
as public access to public API routes now depends on specific rules
being configured in policy.json, and this creates an issue for upgrading.
Users who attempt to use new code with juno's policy.json and keystone
auth will find public API access is denied.

This reverts the API policy hook to always allow access to
public API endpoints by default. Doing so allows policy.json
to be simplified considerably and keeps public endpoints
backward compatible with Juno's default policy.

Closes-bug: 1408808

Change-Id: Idedae868dbdd717a6e064edd398fa65f8725d0c0
Adam Gandelman 2015-01-19 15:06:01 -08:00
parent 8a8c55b85a
commit bf66391072
2 changed files with 4 additions and 4 deletions

@ -1,6 +1,4 @@
{
"admin_api": "role:admin or role:administrator",
"public_api": "is_public_api:True",
"trusted_call": "rule:admin_api or rule:public_api",
"default": "rule:trusted_call"
"default": "rule:admin_api"
}
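
Review bot: with "public_api" and "trusted_call" removed and "default" now set to "rule:admin_api", nothing in this file governs public routes any more, so an operator who keeps or tightens a "public_api" entry in their own policy.json may believe it still restricts those endpoints. Suggest a release note or a comment in the sample file stating that public endpoint access is no longer configurable through policy.json. Keeping "default" on "rule:admin_api" is a sensible fail-closed choice for any rule not listed.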

@ -106,7 +106,9 @@ class TrustedCallHook(hooks.PecanHook):
"""
def before(self, state):
ctx = state.request.context
policy.enforce('trusted_call', ctx.to_dict(), ctx.to_dict(),
if ctx.is_public_api:
return
policy.enforce('admin_api', ctx.to_dict(), ctx.to_dict(),
do_raise=True, exc=exc.HTTPForbidden)
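
Review bot: the early return on `ctx.is_public_api` in `before()` skips `policy.enforce` entirely, so access to those routes now rests only on how `is_public_api` is set on the request context, which is not visible in this hunk. Please confirm the flag is derived server-side from the matched route and not from anything the client supplies, and add a test that a non-admin context with `is_public_api` false still gets `HTTPForbidden`. A short comment above the `if` explaining why policy is bypassed would help, and the class name TrustedCallHook no longer corresponds to a rule now that 'admin_api' is what gets enforced.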