diff --git a/nova/api/openstack/compute/contrib/evacuate.py b/nova/api/openstack/compute/contrib/evacuate.py index 275cec9049f1..587e231d139e 100644 --- a/nova/api/openstack/compute/contrib/evacuate.py +++ b/nova/api/openstack/compute/contrib/evacuate.py @@ -39,9 +39,6 @@ class Controller(wsgi.Controller): to a new one. """ context = req.environ["nova.context"] - if not context.is_admin: - msg = _("Instance evacuate is admin only functionality") - raise exc.HTTPForbidden(explanation=msg) authorize(context) try: diff --git a/nova/tests/api/openstack/compute/contrib/test_evacuate.py b/nova/tests/api/openstack/compute/contrib/test_evacuate.py index 7aa02e53af46..816bac565ff0 100644 --- a/nova/tests/api/openstack/compute/contrib/test_evacuate.py +++ b/nova/tests/api/openstack/compute/contrib/test_evacuate.py @@ -180,3 +180,19 @@ class EvacuateTest(test.TestCase): res = req.get_response(app) self.assertEqual(res.status_int, 200) + + def test_not_admin(self): + ctxt = context.RequestContext('fake', 'fake', is_admin=False) + app = fakes.wsgi_app(fake_auth_context=ctxt) + uuid = self.UUID + req = webob.Request.blank('/v2/fake/servers/%s/action' % uuid) + req.method = 'POST' + req.body = jsonutils.dumps({ + 'evacuate': { + 'host': 'my_host', + 'onSharedStorage': 'True', + } + }) + req.content_type = 'application/json' + res = req.get_response(app) + self.assertEqual(res.status_int, 403) diff --git a/nova/tests/fake_policy.py b/nova/tests/fake_policy.py index 3f2d423f452c..1290ef80b7df 100644 --- a/nova/tests/fake_policy.py +++ b/nova/tests/fake_policy.py @@ -119,7 +119,7 @@ policy_data = """ "compute_extension:createserverext": "", "compute_extension:deferred_delete": "", "compute_extension:disk_config": "", - "compute_extension:evacuate": "", + "compute_extension:evacuate": "is_admin:True", "compute_extension:extended_server_attributes": "", "compute_extension:extended_status": "", "compute_extension:extended_availability_zone": "",