adds user_id to check_is_admin

A small tactical update to allow cinder to consider user_id
when checking for admin.

This is needed in the field until the larger changes around
admin scoping are completed. Checking for role only is not
sufficient in a multi-domain configuration.

juno-backport-potential
kilo-backport-potential

closes-bug: 968696

Change-Id: I0cb99186bd833c4c32964490c4bc6da9ad42d320

cinder/context.py

@@ -102,7 +102,7 @@ class RequestContext(context.RequestContext):
         # when policy.check_is_admin invokes request logging
         # to make it loggable.
         if self.is_admin is None:
-            self.is_admin = policy.check_is_admin(self.roles)
+            self.is_admin = policy.check_is_admin(self.roles, self)
         elif self.is_admin and 'admin' not in self.roles:
             self.roles.append('admin')
 

cinder/policy.py

@@ -70,9 +70,11 @@ def enforce(context, action, target):
                              action=action)
 
 
-def check_is_admin(roles):
-    """Whether or not roles contains 'admin' role according to policy setting.
+def check_is_admin(roles, context=None):
+    """Whether or not user is admin according to policy setting.
 
+       Can use roles or user_id from context to determine if user is admin.
+       In a multi-domain configuration, roles alone may not be sufficient.
     """
     init()
 
@@ -81,6 +83,11 @@ def check_is_admin(roles):
     # attempts to apply.  Since our credentials dict does not include a
     # project_id, this target can never match as a generic rule.
     target = {'project_id': ''}
-    credentials = {'roles': roles}
+    if context is None:
+        credentials = {'roles': roles}
+    else:
+        credentials = {'roles': context.roles,
+                       'user_id': context.user_id
+                       }
 
     return _ENFORCER.enforce('context_is_admin', target, credentials)