Add policy checking for transfer create/accept.

This patch adds policy checks for transfer create/accept,
along with the associated default policy entries.  In addition,
we add the policy-check wrapper to the accept_transfer method in volume/api.

Fixes bug: 1187910

Change-Id: I599ac0a95cea1605380d4595a1f21023fbcfb6f1
John Griffith
2013-06-05 13:57:29 -06:00
parent aa7fde57a3
commit db40ad11f1
4 changed files with 19 additions and 2 deletions


@@ -38,5 +38,11 @@
"volume_extension:volume_image_metadata": [],
"volume_extension:volume_host_attribute": [["rule:admin_api"]],
"volume_extension:volume_tenant_attribute": [["rule:admin_api"]],
"volume_extension:hosts": [["rule:admin_api"]]
"volume_extension:hosts": [["rule:admin_api"]],
"volume:create_transfer": [],
"volume:accept_transfer": [],
"volume:delete_transfer": [],
"volume:get_all_transfers": []
}
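Review bot: All four new rules (`volume:create_transfer`, `volume:accept_transfer`, `volume:delete_transfer`, `volume:get_all_transfers`) default to `[]`, which in this list-style policy format matches every caller, so the checks added elsewhere in this commit restrict nothing until a deployer overrides them. JSON cannot carry a comment, so the place to record this is the deployment documentation: state that the transfer rules ship open and show how to tighten one, following the `[["rule:admin_api"]]` form used by the neighbouring entries. The same applies to the identical four entries in the last policy file on this page.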


@@ -60,6 +60,7 @@ class API(base.Base):
"""
Make the RPC call to delete a volume transfer.
"""
volume_api.check_policy(context, 'delete_transfer')
transfer = self.db.transfer_get(context, transfer_id)
volume_ref = self.db.volume_get(context, transfer.volume_id)
@@ -69,6 +70,7 @@ class API(base.Base):
self.db.transfer_destroy(context, transfer_id)
def get_all(self, context, filters={}):
volume_api.check_policy(context, 'get_all_transfers')
if context.is_admin and 'all_tenants' in filters:
transfers = self.db.transfer_get_all(context)
else:
@@ -93,6 +95,7 @@ class API(base.Base):
def create(self, context, volume_id, display_name):
"""Creates an entry in the transfers table."""
volume_api.check_policy(context, 'create_transfer')
LOG.info("Generating transfer record for volume %s" % volume_id)
volume_ref = self.db.volume_get(context, volume_id)
if volume_ref['status'] != "available":
@@ -125,6 +128,7 @@ class API(base.Base):
"""Accept a volume that has been offered for transfer."""
# We must use an elevated context to see the volume that is still
# owned by the donor.
volume_api.check_policy(context, 'accept_transfer')
transfer = self.db.transfer_get(context.elevated(), transfer_id)
crypt_hash = self._get_crypt_hash(transfer['salt'], auth_key)
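Review bot: In the accept hunk the new `volume_api.check_policy(context, 'accept_transfer')` line sits between the "We must use an elevated context" comment and the `transfer_get(context.elevated(), transfer_id)` call that the comment explains, so the comment now appears to describe the policy check. Put the check directly under the docstring and leave the two comment lines immediately above the elevated read; that also keeps it obvious that the policy gate runs before any elevated database access. All four checks in this file pass only the context and the action name, and in the delete hunk the check runs before the transfer is loaded, so a rule can presumably match on the caller's credentials but not on the transfer or volume; a short comment such as `# Caller-only policy check; no transfer/volume target is available yet.` would record that. The method bodies start or end outside the hunks.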


@@ -518,6 +518,7 @@ class API(base.Base):
connector,
force)
@wrap_check_policy
def accept_transfer(self, context, volume):
return self.volume_rpcapi.accept_transfer(context,
volume)
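Review bot: `accept_transfer` gains `@wrap_check_policy` but has no docstring saying which rule the decorator enforces or against which object. If the decorator checks the rule named after the method against the `volume` argument, as its use on this signature suggests, then `volume:accept_transfer` would be evaluated both in the transfer API with no target and here against a volume that, per the comment in the transfer API hunk, is still owned by the donor; an owner-scoped override of that rule would then presumably reject the legitimate recipient. Once that is confirmed, a docstring along the lines of `"""Ask the volume service to complete the transfer; policy is checked by wrap_check_policy against the donor-owned volume."""` would warn deployers. The hunk starts inside the preceding method.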


@@ -29,5 +29,11 @@
"volume_extension:volume_tenant_attribute": [["rule:admin_api"]],
"volume_extension:hosts": [["rule:admin_api"]],
"volume_extension:services": [["rule:admin_api"]],
"volume:services": [["rule:admin_api"]]
"volume:services": [["rule:admin_api"]],
"volume:create_transfer": [],
"volume:accept_transfer": [],
"volume:delete_transfer": [],
"volume:get_all_transfers": []
}