Cinder's volume migration API is, by default, an admin-only operation.
This includes the migrate_volume_completion API.
When Cinder is doing a volume migration, it calls Nova's swap-volume
API to detach the old volume that we're migrating from and attach
the volume that we're migrating to. Then Nova calls Cinder's
migrate_volume_completion API to signal Nova is done and Cinder
can finish the volume migration.
The problem is that swap-volume is not an admin-only API in Nova
per the default policy. So if a non-admin user tries to perform
a swap-volume operation, it will fail with a 403 when calling
Cinder's migrate_volume_completion API, since that requires an
admin user.
Also, because of 98739761f1 we can't
simply avoid calling migrate_volume_completion for non-migration
cases because that API handles the actual detach/attach for the old
and new volumes, swap-volume is broken without calling that.
So given swap-volume relies on an admin-only Cinder API, and is called
from an admin-only Cinder operation (volume migration), we should
just make it default to admin-only also.
Change-Id: Iac03258735f3d856a474ab96fe9b0a087e32906f
Closes-Bug: #1522705
f738483e84