Merge "Make VolumeTypeExtraSpecsController policy more granular"

cinder/api/contrib/types_extra_specs.py

@@ -66,7 +66,7 @@ class VolumeTypeExtraSpecsController(wsgi.Controller):
     def index(self, req, type_id):
         """Returns the list of extra specs for a given volume type."""
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize(context, action="index")
         self._check_type(context, type_id)
         return self._get_extra_specs(context, type_id)
 
@@ -89,7 +89,7 @@ class VolumeTypeExtraSpecsController(wsgi.Controller):
 
     def create(self, req, type_id, body=None):
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize(context, action='create')
         self._allow_update(context, type_id)
 
         self.assert_valid_body(body, 'extra_specs')
@@ -114,7 +114,7 @@ class VolumeTypeExtraSpecsController(wsgi.Controller):
 
     def update(self, req, type_id, id, body=None):
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize(context, action='update')
         self._allow_update(context, type_id)
 
         if not body:
@@ -147,7 +147,7 @@ class VolumeTypeExtraSpecsController(wsgi.Controller):
     def show(self, req, type_id, id):
         """Return a single extra spec item."""
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize(context, action='show')
         self._check_type(context, type_id)
         specs = self._get_extra_specs(context, type_id)
         if id in specs['extra_specs']:
@@ -160,7 +160,7 @@ class VolumeTypeExtraSpecsController(wsgi.Controller):
         """Deletes an existing extra spec."""
         context = req.environ['cinder.context']
         self._check_type(context, type_id)
-        authorize(context)
+        authorize(context, action='delete')
         self._allow_update(context, type_id)
 
         # Not found exception will be handled at the wsgi level

cinder/tests/unit/policy.json

@@ -56,7 +56,11 @@
     "volume_extension:volume_actions:upload_image": "",
     "volume_extension:volume_actions:upload_public": "rule:admin_api",
     "volume_extension:types_manage": "",
-    "volume_extension:types_extra_specs": "",
+    "volume_extension:types_extra_specs:create": "",
+    "volume_extension:types_extra_specs:delete": "",
+    "volume_extension:types_extra_specs:index": "",
+    "volume_extension:types_extra_specs:show": "",
+    "volume_extension:types_extra_specs:update": "",
     "volume_extension:access_types_qos_specs_id": "rule:admin_api",
     "volume_extension:access_types_extra_specs": "rule:admin_api",
     "volume_extension:volume_type_access": "",

etc/cinder/policy.json

@@ -32,7 +32,11 @@
     "volume:revert_to_snapshot": "rule:admin_or_owner",
 
     "volume_extension:types_manage": "rule:admin_api",
-    "volume_extension:types_extra_specs": "rule:admin_api",
+    "volume_extension:types_extra_specs:create": "rule:admin_api",
+    "volume_extension:types_extra_specs:delete": "rule:admin_api",
+    "volume_extension:types_extra_specs:index": "rule:admin_api",
+    "volume_extension:types_extra_specs:show": "rule:admin_api",
+    "volume_extension:types_extra_specs:update": "rule:admin_api",
     "volume_extension:access_types_qos_specs_id": "rule:admin_api",
     "volume_extension:access_types_extra_specs": "rule:admin_api",
     "volume_extension:volume_type_access": "rule:admin_or_owner",