Add create volume from image policy

When deploying Cinder as an SDS without Glance we have no way to prevent
volume creation from images even when we know they will not succeed.

This patch adds a specific policy so we can prevent this specific
creation action from being accepted.  By doing so the user will know
immediately that this is not possible, instead of having to look through
the logs to see that this is not an option.

TrivialFix

Change-Id: Iabc10a1927eea6419dd677a632cfc7d32dc08091

cinder/tests/unit/policy.json

@@ -4,6 +4,7 @@
     "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
 
     "volume:create": "",
+    "volume:create_from_image": "",
     "volume:get": "rule:admin_or_owner",
     "volume:get_all": "",
     "volume:get_volume_metadata": "",

cinder/volume/api.py

@@ -215,7 +215,7 @@ class API(base.Base):
                cgsnapshot=None, multiattach=False, source_cg=None,
                group=None, group_snapshot=None, source_group=None):
 
-        check_policy(context, 'create')
+        check_policy(context, 'create_from_image' if image_id else 'create')
 
         # NOTE(jdg): we can have a create without size if we're
         # doing a create from snap or volume.  Currently

etc/cinder/policy.json

@@ -5,6 +5,7 @@
     "admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
 
     "volume:create": "",
+    "volume:create_from_image": "",
     "volume:delete": "rule:admin_or_owner",
     "volume:force_delete": "rule:admin_api",
     "volume:get": "rule:admin_or_owner",