Added policy check for backup operations

This patch adds policy checks for operations in the backup extension
consisting of create, delete, restore, get and get_all.  It also adds
policies into the policy.json files in the tests and etc directories.

Fixes Bug: 1188386

Change-Id: I847640051c5d25cebf06b8658b27d4b82603d796

diff --git a/cinder/backup/api.py b/cinder/backup/api.py
index 1b5d1d49bd5754b9deb908a0aa39544fb6d5c3e3..725c7f854baa959159b5ea53d051f4e771467e15 100644 (file)
--- a/cinder/backup/api.py
+++ b/cinder/backup/api.py
@@ -24,6 +24,7 @@ from cinder.db import base
 from cinder import exception
 from cinder import flags
 from cinder.openstack.common import log as logging
+import cinder.policy
 import cinder.volume
 
 
@@ -32,6 +33,15 @@ FLAGS = flags.FLAGS
 LOG = logging.getLogger(__name__)
 
 
+def check_policy(context, action):
+        target = {
+            'project_id': context.project_id,
+            'user_id': context.user_id,
+        }
+        _action = 'backup:%s' % action
+        cinder.policy.enforce(context, _action, target)
+
+
 class API(base.Base):
     """API for interacting with the volume backup manager."""
 
@@ -41,6 +51,7 @@ class API(base.Base):
         super(API, self).__init__(db_driver)
 
     def get(self, context, backup_id):
+        check_policy(context, 'get')
         rv = self.db.backup_get(context, backup_id)
         return dict(rv.iteritems())
 
@@ -48,6 +59,7 @@ class API(base.Base):
         """
         Make the RPC call to delete a volume backup.
         """
+        check_policy(context, 'delete')
         backup = self.get(context, backup_id)
         if backup['status'] not in ['available', 'error']:
             msg = _('Backup status must be available or error')
@@ -60,6 +72,7 @@ class API(base.Base):
 
     # TODO(moorehef): Add support for search_opts, discarded atm
     def get_all(self, context, search_opts={}):
+        check_policy(context, 'get_all')
         if context.is_admin:
             backups = self.db.backup_get_all(context)
         else:
@@ -73,6 +86,7 @@ class API(base.Base):
         """
         Make the RPC call to create a volume backup.
         """
+        check_policy(context, 'create')
         volume = self.volume_api.get(context, volume_id)
         if volume['status'] != "available":
             msg = _('Volume to be backed up must be available')
@@ -107,6 +121,7 @@ class API(base.Base):
         """
         Make the RPC call to restore a volume backup.
         """
+        check_policy(context, 'restore')
         backup = self.get(context, backup_id)
         if backup['status'] != 'available':
             msg = _('Backup status must be available')

diff --git a/cinder/tests/policy.json b/cinder/tests/policy.json
index d11c0139e1900746747ca8a8ceb44b19c87181a2..86ee69dc566e6e311230d2dbead5693d4d5f1a4a 100644 (file)
--- a/cinder/tests/policy.json
+++ b/cinder/tests/policy.json
@@ -43,6 +43,11 @@
     "volume:create_transfer": [],
     "volume:accept_transfer": [],
     "volume:delete_transfer": [],
-    "volume:get_all_transfers": []
-
+    "volume:get_all_transfers": [],
+    
+    "backup:create" : [],
+    "backup:delete": [],
+    "backup:get": [],
+    "backup:get_all": [],
+    "backup:restore": []
 }

diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index a6a805a3a202a05d703b3dcb98d5dabaa6740ac9..63196f8de00d15a018b183088a266a1e61b6c9b3 100644 (file)
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -34,6 +34,12 @@
     "volume:create_transfer": [],
     "volume:accept_transfer": [],
     "volume:delete_transfer": [],
-    "volume:get_all_transfers": []
+    "volume:get_all_transfers": [],
+
+    "backup:create" : [],
+    "backup:delete": [],
+    "backup:get": [],
+    "backup:get_all": [],
+    "backup:restore": []
 
 }