Merge "Update access control of show under hostAPI"

cinder/api/contrib/hosts.py

@@ -146,9 +146,7 @@ class HostController(wsgi.Controller):
         """
         host = id
         context = req.environ['cinder.context']
-        if not context.is_admin:
+        context.authorize(policy.MANAGE_POLICY)
-            msg = _("Describe-resource is admin only functionality")
-            raise webob.exc.HTTPForbidden(explanation=msg)
 
         # Not found exception will be handled at the wsgi level
         host_ref = objects.Service.get_by_host_and_topic(

cinder/policies/hosts.py

@@ -24,7 +24,7 @@ hosts_policies = [
     policy.DocumentedRuleDefault(
         name=MANAGE_POLICY,
         check_str=base.RULE_ADMIN_API,
-        description="List or update hosts for a project.",
+        description="List, update or show hosts for a project.",
         operations=[
             {
                 'method': 'GET',
@@ -33,6 +33,10 @@ hosts_policies = [
             {
                 'method': 'PUT',
                 'path': '/os-hosts/{host_name}'
+            },
+            {
+                'method': 'GET',
+                'path': '/os-hosts/{host_id}'
             }
         ])
 ]

cinder/tests/unit/api/contrib/test_hosts.py

@@ -214,7 +214,7 @@ class HostTestCase(test.TestCase):
     def test_show_forbidden(self):
         self.req.environ['cinder.context'].is_admin = False
         dest = 'dummydest'
-        self.assertRaises(webob.exc.HTTPForbidden,
+        self.assertRaises(exception.PolicyNotAuthorized,
                           self.controller.show,
                           self.req, dest)
         self.req.environ['cinder.context'].is_admin = True