Allow generic rules in context_is_admin rule in policy.

context_is_admin role is used by nova to check if
the current user is the admin. But it can only check
role rules. The fix allow generic rules in context_is_admin.

DocImpact

Fixes bug 1118142

Change-Id: Ib4823a67fe63d5356fc8c9280a2013b8855f5217

2 files changed, 7 insertions, 7 deletions

diff --git a/nova/context.py b/nova/context.py
index 8731e012d..60fd5b4c0 100644
--- a/nova/context.py
+++ b/nova/context.py
@@ -65,9 +65,6 @@ class RequestContext(object):
         self.user_id = user_id
         self.project_id = project_id
         self.roles = roles or []
-        self.is_admin = is_admin
-        if self.is_admin is None:
-            self.is_admin = policy.check_is_admin(self.roles)
         self.read_deleted = read_deleted
         self.remote_address = remote_address
         if not timestamp:
@@ -90,7 +87,9 @@ class RequestContext(object):
         self.quota_class = quota_class
         self.user_name = user_name
         self.project_name = project_name
-
+        self.is_admin = is_admin
+        if self.is_admin is None:
+            self.is_admin = policy.check_is_admin(self)
         if overwrite or not hasattr(local.store, 'context'):
             self.update_store()
 
diff --git a/nova/policy.py b/nova/policy.py
index 27e261eac..ac2f2e730 100644
--- a/nova/policy.py
+++ b/nova/policy.py
@@ -101,14 +101,15 @@ def enforce(context, action, target, do_raise=True):
     return policy.check(action, target, credentials, **extra)
 
 
-def check_is_admin(roles):
+def check_is_admin(context):
     """Whether or not roles contains 'admin' role according to policy setting.
 
     """
     init()
 
-    target = {}
-    credentials = {'roles': roles}
+    #the target is user-self
+    credentials = context.to_dict()
+    target = credentials
 
     return policy.check('context_is_admin', target, credentials)