Honor volume:get policy

The fix for bug 1356368 hard-coded a policy check (same as
rule:admin_or_owner) for volume:get.  While in most cases this is
what people want, it would be better to honor the policy setting.

Note that before commit 0505bb2689,
the DB query volume_get() actually acted as the policy checker for
volume:get, and it raised VolumeNotFound if context.project_id didn't
match volume['project_id'].  The check_policy() in volume:get didn't
get a chance to raise a PolicyNotAuthorized exception.  So in this
change we keep the same behavior.

Change-Id: If43cec5cce977b9220296709b4e243b35b06ecd5
Related-bug: #1356368
(cherry picked from commit d6d75f868d)
Zhiteng Huang 2014-08-19 22:27:26 +08:00 committed by Jay S. Bryant
parent da65d08f20
commit c2826368c2
2 changed files with 7 additions and 3 deletions


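--- a/<policy.json path not shown on page>
+++ b/<policy.json path not shown on page>
@@ -4,7 +4,7 @@
 "admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]],
 "volume:create": [],
-"volume:get": [],
+"volume:get": [["rule:admin_or_owner"]],
 "volume:get_all": [],
 "volume:get_volume_metadata": [],
 "volume:delete_volume_metadata": [],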

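--- a/<volume API module path not shown on page>
+++ b/<volume API module path not shown on page>
@@ -261,15 +261,19 @@ class API(base.Base):
 self.db.volume_update(context, volume['id'], fields)
 def get(self, context, volume_id, viewable_admin_meta=False):
+old_ctxt = context.deepcopy()
 if viewable_admin_meta:
 ctxt = context.elevated()
 else:
 ctxt = context
 rv = self.db.volume_get(ctxt, volume_id)
 volume = dict(rv.iteritems())
-if not context.is_admin and volume['project_id'] != context.project_id:
+try:
+check_policy(old_ctxt, 'get', volume)
+except exception.PolicyNotAuthorized:
+# raise VolumeNotFound instead to make sure Cinder behaves
+# as it used to
 raise exception.VolumeNotFound(volume_id=volume_id)
-check_policy(context, 'get', volume)
 return volume
 def get_all(self, context, marker=None, limit=None, sort_key='created_at',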
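Review bot: The `old_ctxt = context.deepcopy()` added as the first line of `get` is not explained, and it only matters if `context.elevated()` can alter the object it is called on; since `elevated()`'s result is bound to the separate name `ctxt`, the copy looks redundant and `check_policy(context, 'get', volume)` — the form the removed line used — would state the intent more plainly, so either drop the copy or add a comment saying why a pristine copy is required. The comment before the `raise` could also say why the exception is translated instead of just "as it used to", e.g. `# Translate the policy failure to VolumeNotFound, as volume_get() did before commit 0505bb2689, so a caller without access cannot tell another project's volume from a missing one`. Worth noting in the method's docstring as well: with the in-code project check gone, a non-admin caller passing `viewable_admin_meta=True` reads the row with an elevated context and the `volume:get` policy rule is now the only thing rejecting other projects' volumes, so a permissive rule in an operator's policy file turns this method into a cross-project read. `get` starts and ends inside this hunk; `get_all` on the last line is cut off.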