Add create volume from image policy

When deploying Cinder as an SDS without Glance we have no way to prevent volume creation from images even when we know they will not succeed. This patch adds a specific policy so we can prevent this specific creation action from being accepted. By doing so the user will know immediately that this is not possible, instead of having to look through the logs to see that this is not an option. TrivialFix Change-Id: Iabc10a1927eea6419dd677a632cfc7d32dc08091
2017-01-30 12:56:26 +01:00 · 2017-01-30 12:56:26 +01:00 · c71d978bd6
commit c71d978bd6
parent 2db1f6bdef
3 changed files with 3 additions and 1 deletions
--- a/cinder/tests/unit/policy.json
+++ b/cinder/tests/unit/policy.json
@ -4,6 +4,7 @@
    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",

    "volume:create": "",
+    "volume:create_from_image": "",
    "volume:get": "rule:admin_or_owner",
    "volume:get_all": "",
    "volume:get_volume_metadata": "",
--- a/cinder/volume/api.py
+++ b/cinder/volume/api.py
@ -215,7 +215,7 @@ class API(base.Base):
               cgsnapshot=None, multiattach=False, source_cg=None,
               group=None, group_snapshot=None, source_group=None):

-        check_policy(context, 'create')
+        check_policy(context, 'create_from_image' if image_id else 'create')

        # NOTE(jdg): we can have a create without size if we're
        # doing a create from snap or volume.  Currently
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@ -5,6 +5,7 @@
    "admin_api": "is_admin:True or (role:admin and is_admin_project:True)",

    "volume:create": "",
+    "volume:create_from_image": "",
    "volume:delete": "rule:admin_or_owner",
    "volume:force_delete": "rule:admin_api",
    "volume:get": "rule:admin_or_owner",