Add policy checking for transfer create/accept.
authorJohn Griffith <john.griffith@solidfire.com>
Wed, 5 Jun 2013 19:57:29 +0000 (13:57 -0600)
committerJohn Griffith <john.griffith@solidfire.com>
Mon, 10 Jun 2013 14:58:45 +0000 (08:58 -0600)
This patch adds policy checks for transfer create/accept
as well as adding the associated default policy.  In addition
we add the wrap_check_policy decorator to the volume/api accept_transfer method.

Fixes bug: 1187910

Change-Id: I599ac0a95cea1605380d4595a1f21023fbcfb6f1

cinder/tests/policy.json
cinder/transfer/api.py
cinder/volume/api.py
etc/cinder/policy.json

index a2c226f4bfd52e7a50c4a4bb965ed9543b9b913c..d11c0139e1900746747ca8a8ceb44b19c87181a2 100644 (file)
     "volume_extension:volume_image_metadata": [],
     "volume_extension:volume_host_attribute": [["rule:admin_api"]],
     "volume_extension:volume_tenant_attribute": [["rule:admin_api"]],
-    "volume_extension:hosts": [["rule:admin_api"]]
+    "volume_extension:hosts": [["rule:admin_api"]],
+
+    "volume:create_transfer": [],
+    "volume:accept_transfer": [],
+    "volume:delete_transfer": [],
+    "volume:get_all_transfers": []
+
 }
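Review bot: Every transfer rule added to this test policy is `[]`, and the commit's file list shows no test module, so nothing exercises the denial path of the four new `check_policy` calls. A test that overrides one rule, for example setting `"volume:create_transfer"` to `[["rule:admin_api"]]`, and asserts that a non-admin context is rejected would show that the calls are wired to these rule names. The same four empty rules are added to etc/cinder/policy.json.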
index bdcfc2a8ce7d38130742e2143236e22773a2501d..db53468d99559c9598decc9ff5128f031d2568b1 100644 (file)
@@ -60,6 +60,7 @@ class API(base.Base):
         """
         Make the RPC call to delete a volume transfer.
         """
+        volume_api.check_policy(context, 'delete_transfer')
         transfer = self.db.transfer_get(context, transfer_id)
 
         volume_ref = self.db.volume_get(context, transfer.volume_id)
@@ -69,6 +70,7 @@ class API(base.Base):
         self.db.transfer_destroy(context, transfer_id)
 
     def get_all(self, context, filters={}):
+        volume_api.check_policy(context, 'get_all_transfers')
         if context.is_admin and 'all_tenants' in filters:
             transfers = self.db.transfer_get_all(context)
         else:
@@ -93,6 +95,7 @@ class API(base.Base):
 
     def create(self, context, volume_id, display_name):
         """Creates an entry in the transfers table."""
+        volume_api.check_policy(context, 'create_transfer')
         LOG.info("Generating transfer record for volume %s" % volume_id)
         volume_ref = self.db.volume_get(context, volume_id)
         if volume_ref['status'] != "available":
@@ -125,6 +128,7 @@ class API(base.Base):
         """Accept a volume that has been offered for transfer."""
         # We must use an elevated context to see the volume that is still
         # owned by the donor.
+        volume_api.check_policy(context, 'accept_transfer')
         transfer = self.db.transfer_get(context.elevated(), transfer_id)
 
         crypt_hash = self._get_crypt_hash(transfer['salt'], auth_key)
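Review bot: All four `volume_api.check_policy(context, '<action>')` calls pass no target object and run before the transfer or volume is loaded, so as far as these hunks show the rule can only depend on the caller's own context. `check_policy` is defined outside this page, so this is inferred, but it would mean an owner-scoped rule on `volume:delete_transfer` or `volume:accept_transfer` cannot tell whose transfer is being touched, and ownership in `delete` rests entirely on `self.db.transfer_get(context, transfer_id)` being project-scoped. Once confirmed, I would record that next to the calls, e.g. `# Role-only check: no target is passed; ownership is enforced by the DB lookup below.` In `accept`, the new line also separates the "elevated context" comment from the `transfer_get(context.elevated(), ...)` call it explains, so the check belongs above that comment. The method bodies continue outside the hunks.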
index 05c22388c40ad701015b39e9a4a37ba820503aba..46296e53987462e5b3c828a5e4f82b44c3d3e06b 100644 (file)
@@ -518,6 +518,7 @@ class API(base.Base):
                                                        connector,
                                                        force)
 
+    @wrap_check_policy
     def accept_transfer(self, context, volume):
         return self.volume_rpcapi.accept_transfer(context,
                                                   volume)
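Review bot: With `@wrap_check_policy` on `accept_transfer`, the `volume:accept_transfer` rule may be evaluated twice with different targets if `transfer.API.accept` goes on to call this method after its own `check_policy(context, 'accept_transfer')`. The decorator is defined outside this hunk; if it evaluates the rule against the `volume` argument, that volume presumably still belongs to the donor at this point, so an owner-based rule would reject every legitimate recipient. After confirming the decorator's behaviour, the method should carry a docstring saying so, for example `"""Hand the volume to the caller; the policy target is the still donor-owned volume."""`.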
index f2bcc1b1c19b98bb87fd90054deb41139c2a4ad9..a6a805a3a202a05d703b3dcb98d5dabaa6740ac9 100644 (file)
     "volume_extension:volume_tenant_attribute": [["rule:admin_api"]],
     "volume_extension:hosts": [["rule:admin_api"]],
     "volume_extension:services": [["rule:admin_api"]],
-    "volume:services": [["rule:admin_api"]]
+    "volume:services": [["rule:admin_api"]],
+
+    "volume:create_transfer": [],
+    "volume:accept_transfer": [],
+    "volume:delete_transfer": [],
+    "volume:get_all_transfers": []
+
 }