Merge "Honor volume:get policy"

2014-08-21 05:13:00 +00:00 · 2014-08-21 05:13:00 +00:00 · 13ba71df27
parent 058fcf6da8 d6d75f868d
commit 13ba71df27
2 changed files with 7 additions and 3 deletions
--- a/cinder/tests/policy.json
+++ b/cinder/tests/policy.json
@ -4,7 +4,7 @@
    "admin_or_owner":  [["is_admin:True"], ["project_id:%(project_id)s"]],

    "volume:create": [],
-    "volume:get": [],
+    "volume:get": [["rule:admin_or_owner"]],
    "volume:get_all": [],
    "volume:get_volume_metadata": [],
    "volume:delete_volume_metadata": [],
--- a/cinder/volume/api.py
+++ b/cinder/volume/api.py
@ -282,15 +282,19 @@ class API(base.Base):
        self.db.volume_update(context, volume['id'], fields)

    def get(self, context, volume_id, viewable_admin_meta=False):
+        old_ctxt = context.deepcopy()
        if viewable_admin_meta:
            ctxt = context.elevated()
        else:
            ctxt = context
        rv = self.db.volume_get(ctxt, volume_id)
        volume = dict(rv.iteritems())
-        if not context.is_admin and volume['project_id'] != context.project_id:
+        try:
+            check_policy(old_ctxt, 'get', volume)
+        except exception.PolicyNotAuthorized:
+            # raise VolumeNotFound instead to make sure Cinder behaves
+            # as it used to
            raise exception.VolumeNotFound(volume_id=volume_id)
-        check_policy(context, 'get', volume)
        return volume

    def get_all(self, context, marker=None, limit=None, sort_key='created_at',