From c71d978bd69e98a3b0f3d84fe545cd834a1edba3 Mon Sep 17 00:00:00 2001
From: Gorka Eguileor
Date: Mon, 30 Jan 2017 12:56:26 +0100
Subject: [PATCH] Add create volume from image policy
When deploying Cinder as an SDS without Glance we have no way to prevent volume creation from images even when we know they will not succeed. This patch adds a specific policy so we can prevent this specific creation action from being accepted. By doing so the user will know immediately that this is not possible, instead of having to look through the logs to see that this is not an option.
TrivialFix
Change-Id: Iabc10a1927eea6419dd677a632cfc7d32dc08091
---
 cinder/tests/unit/policy.json | 1 +
 cinder/volume/api.py | 2 +-
 etc/cinder/policy.json | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/cinder/tests/unit/policy.json b/cinder/tests/unit/policy.json
index 84f0841ea7e..db2cb448830 100644
--- a/cinder/tests/unit/policy.json
+++ b/cinder/tests/unit/policy.json
@@ -4,6 +4,7 @@
 "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
 "volume:create": "",
+ "volume:create_from_image": "",
 "volume:get": "rule:admin_or_owner",
 "volume:get_all": "",
 "volume:get_volume_metadata": "",
diff --git a/cinder/volume/api.py b/cinder/volume/api.py
index 9bf7f91c4ed..ed2bb5fcfec 100644
--- a/cinder/volume/api.py
+++ b/cinder/volume/api.py
@@ -215,7 +215,7 @@ class API(base.Base):
 cgsnapshot=None, multiattach=False, source_cg=None, group=None, group_snapshot=None, source_group=None):
- check_policy(context, 'create')
+ check_policy(context, 'create_from_image' if image_id else 'create')
 # NOTE(jdg): we can have a create without size if we're
 # doing a create from snap or volume. Currently
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index 225257ff979..c38bfaba635 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -5,6 +5,7 @@
 "admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
 "volume:create": "",
+ "volume:create_from_image": "",
 "volume:delete": "rule:admin_or_owner",
 "volume:force_delete": "rule:admin_api",
 "volume:get": "rule:admin_or_owner",
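Review bot: The new check_policy call in cinder/volume/api.py substitutes `volume:create_from_image` for `volume:create` instead of adding to it, so a request carrying an image_id is never evaluated against `volume:create`; since both policy files ship the new rule as `""`, a deployment that has tightened `volume:create` in its own policy would let image-backed creates bypass that restriction until the operator also sets the new rule (and a custom policy file lacking the key presumably falls back to the engine's default rule). Keeping the existing rule authoritative and layering the new one on top avoids that: `check_policy(context, 'create')` followed by `if image_id: check_policy(context, 'create_from_image')`. The truthiness test also routes an empty-string image_id to the plain-create path; if callers can pass `''`, an explicit `image_id is not None` would make the intent clearer. The `create` method's signature starts before the hunk and its body continues past it.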