From f17ebebcf76bafb8250e84227dd244f520904072 Mon Sep 17 00:00:00 2001
From: David McNally <dave.mcnally@hp.com>
Date: Wed, 24 Oct 2012 16:39:29 +0100
Subject: Ability to specify a host restricted to admin.

Fixes bug 1070880

There is functionality in place, which uses the
format "az:host" on the --availability_zone
parameter to a create request to force scheduling
of an instance onto a specific host. However,
this is limited to users with Admin context.

This fix alters this behaviour to use a specific
policy action allowing fine-grained control over
which users have access to this functionality.

Change-Id: Ibb0e43492dfa2699ab26318736ca55a60b7b4468
---
 nova/compute/api.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'nova/compute')

diff --git a/nova/compute/api.py b/nova/compute/api.py
index 601b75e86..a6ae08ec8 100644
--- a/nova/compute/api.py
+++ b/nova/compute/api.py
@@ -499,7 +499,8 @@ class API(base.Base):
             LOG.debug(_("Going to run %s instances...") % num_instances)
 
             filter_properties = dict(scheduler_hints=scheduler_hints)
-            if context.is_admin and forced_host:
+            if forced_host:
+                check_policy(context, 'create:forced_host', {})
                 filter_properties['force_hosts'] = [forced_host]
 
             for i in xrange(num_instances):
-- 
cgit