authorJenkins <jenkins@review.openstack.org>2013-01-29 17:47:26 +0000
committerGerrit Code Review <review@openstack.org>2013-01-29 17:47:26 +0000
commit4fbcd84fb1218a7377f0f845e904b672d30d9f87 (patch)
tree4e30dfc23a6719357adf92fb137f56f1d47b5e50
parent9677ee05a28be51202d293a9081b6e085d348f7d (diff)
parent0ff6b52ff2838943870ac34c0cd7921023df4474 (diff)
Merge "Finer access control in os-volume_attachments"
-rw-r--r--etc/nova/policy.json4
-rw-r--r--nova/api/openstack/compute/contrib/volumes.py14
-rw-r--r--nova/tests/fake_policy.py4
3 files changed, 22 insertions, 0 deletions
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index 97ae89a38..1a446263f 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -83,6 +83,10 @@
"compute_extension:virtual_interfaces": "",
"compute_extension:virtual_storage_arrays": "",
"compute_extension:volumes": "",
+ "compute_extension:volume_attachments:index": "",
+ "compute_extension:volume_attachments:show": "",
+ "compute_extension:volume_attachments:create": "",
+ "compute_extension:volume_attachments:delete": "",
"compute_extension:volumetypes": "",
"compute_extension:availability_zone:list": "",
"compute_extension:availability_zone:detail": "rule:admin_api",
diff --git a/nova/api/openstack/compute/contrib/volumes.py b/nova/api/openstack/compute/contrib/volumes.py
index 47c717495..3fc503217 100644
--- a/nova/api/openstack/compute/contrib/volumes.py
+++ b/nova/api/openstack/compute/contrib/volumes.py
@@ -33,6 +33,15 @@ from nova import volume
LOG = logging.getLogger(__name__)
authorize = extensions.extension_authorizer('compute', 'volumes')
+authorize_attach_index = extensions.extension_authorizer('compute',
+ 'volume_attachments:index')
+authorize_attach_show = extensions.extension_authorizer('compute',
+ 'volume_attachments:show')
+authorize_attach_create = extensions.extension_authorizer('compute',
+ 'volume_attachments:create')
+authorize_attach_delete = extensions.extension_authorizer('compute',
+ 'volume_attachments:delete')
+
def _translate_volume_detail_view(context, vol):
"""Maps keys for volumes details view."""
@@ -329,6 +338,8 @@ class VolumeAttachmentController(wsgi.Controller):
@wsgi.serializers(xml=VolumeAttachmentsTemplate)
def index(self, req, server_id):
"""Returns the list of volume attachments for a given instance."""
+ context = req.environ['nova.context']
+ authorize_attach_index(context)
return self._items(req, server_id,
entity_maker=_translate_attachment_summary_view)
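Review bot: `index` is gated only by the new `volume_attachments:index` rule, whereas `show`, `create` and `delete` in the three following hunks call `authorize(context)` first and then their fine-grained rule, so a deployment that restricts `compute_extension:volumes` would still permit listing a server's attachments. If that asymmetry is not intended, add `authorize(context)` on the line before `authorize_attach_index(context)` so all four actions share the same baseline check; if it is intended, record it in the docstring, e.g. `"""Returns the list of volume attachments for a given instance; gated by volume_attachments:index only, not by compute_extension:volumes."""`. Note also that in etc/nova/policy.json all four new rules are added with the empty rule `""`, like the neighbouring `compute_extension:volumes` entry, so the split appears to add no restriction until an operator overrides them.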
@@ -337,6 +348,7 @@ class VolumeAttachmentController(wsgi.Controller):
"""Return data about the given volume attachment."""
context = req.environ['nova.context']
authorize(context)
+ authorize_attach_show(context)
volume_id = id
try:
@@ -377,6 +389,7 @@ class VolumeAttachmentController(wsgi.Controller):
"""Attach a volume to an instance."""
context = req.environ['nova.context']
authorize(context)
+ authorize_attach_create(context)
if not self.is_valid_body(body, 'volumeAttachment'):
raise exc.HTTPUnprocessableEntity()
@@ -423,6 +436,7 @@ class VolumeAttachmentController(wsgi.Controller):
"""Detach a volume from an instance."""
context = req.environ['nova.context']
authorize(context)
+ authorize_attach_delete(context)
volume_id = id
LOG.audit(_("Detach volume %s"), volume_id, context=context)
diff --git a/nova/tests/fake_policy.py b/nova/tests/fake_policy.py
index dbf620196..ead43adea 100644
--- a/nova/tests/fake_policy.py
+++ b/nova/tests/fake_policy.py
@@ -157,6 +157,10 @@ policy_data = """
"compute_extension:virtual_interfaces": "",
"compute_extension:virtual_storage_arrays": "",
"compute_extension:volumes": "",
+ "compute_extension:volume_attachments:index": "",
+ "compute_extension:volume_attachments:show": "",
+ "compute_extension:volume_attachments:create": "",
+ "compute_extension:volume_attachments:delete": "",
"compute_extension:volumetypes": "",
"compute_extension:zones": "",
"compute_extension:availability_zone:list": "",