From: Zhiteng Huang
Date: Tue, 19 Aug 2014 14:27:26 +0000 (+0800)
Subject: Honor volume:get policy
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=d6d75f868d5da77c2c8e20d0562555a14a6f91ec;p=openstack-build%2Fcinder-build.git
Honor volume:get policy
The fix for bug 1356368 hard-coded a policy check (same as rule:admin_or_owner) for volume:get. While in most cases this is what people want, it'd be good we honor policy setting. Note that before commit 0505bb268942534ad5d6ecd5e34a4d9b0e7f5c04, DB query volume_get() actually acted as the policy checker for volume:get, and it raised VolumeNotFound if context.project_id didn't match volume['project_id']. The check_policy() in volume:get didn't get a chance to raise PolicyNotAuthorized exception. So in this change we keep the same behavor.
Change-Id: If43cec5cce977b9220296709b4e243b35b06ecd5
Related-bug: #1356368
---
diff --git a/cinder/tests/policy.json b/cinder/tests/policy.json
index e615dc922..413be34f7 100644
--- a/cinder/tests/policy.json
+++ b/cinder/tests/policy.json
@@ -4,7 +4,7 @@
 "admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]],
 "volume:create": [],
- "volume:get": [],
+ "volume:get": [["rule:admin_or_owner"]],
 "volume:get_all": [],
 "volume:get_volume_metadata": [],
 "volume:delete_volume_metadata": [],
diff --git a/cinder/volume/api.py b/cinder/volume/api.py
index a30333701..11ef072ee 100644
--- a/cinder/volume/api.py
+++ b/cinder/volume/api.py
@@ -282,15 +282,19 @@ class API(base.Base):
 self.db.volume_update(context, volume['id'], fields)
 def get(self, context, volume_id, viewable_admin_meta=False):
+ old_ctxt = context.deepcopy()
 if viewable_admin_meta:
 ctxt = context.elevated()
 else:
 ctxt = context
 rv = self.db.volume_get(ctxt, volume_id)
 volume = dict(rv.iteritems())
- if not context.is_admin and volume['project_id'] != context.project_id:
+ try:
+ check_policy(old_ctxt, 'get', volume)
+ except exception.PolicyNotAuthorized:
+ # raise VolumeNotFound instead to make sure Cinder behaves
+ # as it used to
 raise exception.VolumeNotFound(volume_id=volume_id)
- check_policy(context, 'get', volume)
 return volume
 def get_all(self, context, marker=None, limit=None, sort_key='created_at',
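Review bot: With the hard-coded owner test on the removed `if not context.is_admin and volume['project_id'] != context.project_id:` line gone, `check_policy(old_ctxt, 'get', volume)` is the only guard against reading another project's volume (when `viewable_admin_meta` is set the DB read itself runs on an elevated context), so the `volume:get` rule in the deployed default policy file decides the outcome — that file is not part of this diff, only the test fixture is updated, and an empty rule list like the one the fixture had before this change grants the action unconditionally. Please confirm the shipped default restricts `volume:get` to `rule:admin_or_owner` in the same change. The added `old_ctxt = context.deepcopy()` also needs a comment saying why it exists: if `context.elevated()` returns a copy rather than mutating `context` in place, the deepcopy is redundant and the check could use `context` as the removed line did; if it mutates, the copy is what keeps the policy check from seeing admin rights, e.g. `# keep the caller's own rights; policy must be evaluated on the non-elevated context`. The comment in the `except` branch would be more useful if it named the reason rather than the history, e.g. `# report VolumeNotFound on a policy denial so a caller cannot confirm that a volume id exists in another project`.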