Fix os-console-output policy to be admin_or_owner

os-console-output API policy is default to admin_or_owner[1] but API
is allowed for everyone.

We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/706724

This is because API does not pass the server project_id in policy target[2]
and if no target is passed then, policy.py add the default targets which is
nothing but context.project_id (allow for everyone who try to access)[3]

This commit fix this policy by passing the server's project_id in policy
target.

[1] 1fcd74730d/nova/policies/console_output.py (L27)
[2] 1fcd74730d/nova/api/openstack/compute/console_output.py (L41)
[3] c16315165c/nova/policy.py (L191)

Change-Id: I77759721138b9b4cc724895c8d15c1ccf2923995
Closes-bug: #1862558

nova/api/openstack/compute/console_output.py

@@ -38,9 +38,10 @@ class ConsoleOutputController(wsgi.Controller):
     def get_console_output(self, req, id, body):
         """Get text console output."""
         context = req.environ['nova.context']
-        context.can(co_policies.BASE_POLICY_NAME)
-
         instance = common.get_instance(self.compute_api, context, id)
+        context.can(co_policies.BASE_POLICY_NAME,
+                    target={'project_id': instance.project_id})
+
         length = body['os-getConsoleOutput'].get('length')
         # TODO(cyeoh): In a future API update accept a length of -1
         # as meaning unlimited length (convert to None)

nova/tests/unit/api/openstack/compute/test_console_output.py

@@ -156,6 +156,7 @@ class ConsoleOutputPolicyEnforcementV21(test.NoDBTestCase):
     def setUp(self):
         super(ConsoleOutputPolicyEnforcementV21, self).setUp()
         self.controller = console_output_v21.ConsoleOutputController()
+        self.stub_out('nova.compute.api.API.get', fake_get)
 
     def test_get_console_output_policy_failed(self):
         rule_name = "os_compute_api:os-console-output"