Add Cheesecake APIs to policy.json file

These replication v2.1 APIs are not enforced by the
cinder policy.json file. This patch adds policy and
the code to support applying this policy action.

  "volume:failover_host": "rule:admin_api",
  "volume:freeze_host": "rule:admin_api",
  "volume:thaw_host": "rule:admin_api",

Also these methods create a completely new context
instead of doing context.elevated(). It's better
to preserve the information that already there.

Change-Id: Ib577e902cda634ae2bd813edd9e39e022f23fde1
Closes-Bug: #1578722

cinder/tests/unit/policy.json

@@ -33,10 +33,9 @@
     "volume:update_readonly_flag": "",
     "volume:retype": "",
     "volume:copy_volume_to_image": "",
-    "volume:enable_replication": "rule:admin_api",
-    "volume:disable_replication": "rule:admin_api",
-    "volume:failover_replication": "rule:admin_api",
-    "volume:list_replication_targets": "rule:admin_api",
+    "volume:failover_host": "rule:admin_api",
+    "volume:freeze_host": "rule:admin_api",
+    "volume:thaw_host": "rule:admin_api",
     "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
     "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
     "volume_extension:backup_admin_actions:reset_status": "rule:admin_api",

cinder/volume/api.py

@@ -1618,7 +1618,8 @@ class API(base.Base):
                       host,
                       secondary_id=None):
 
-        ctxt = context.get_admin_context()
+        check_policy(ctxt, 'failover_host')
+        ctxt = ctxt if ctxt.is_admin else ctxt.elevated()
         svc_host = volume_utils.extract_host(host, 'backend')
 
         service = objects.Service.get_by_args(
@@ -1639,7 +1640,8 @@ class API(base.Base):
 
     def freeze_host(self, ctxt, host):
 
-        ctxt = context.get_admin_context()
+        check_policy(ctxt, 'freeze_host')
+        ctxt = ctxt if ctxt.is_admin else ctxt.elevated()
         svc_host = volume_utils.extract_host(host, 'backend')
 
         service = objects.Service.get_by_args(
@@ -1659,7 +1661,8 @@ class API(base.Base):
 
     def thaw_host(self, ctxt, host):
 
-        ctxt = context.get_admin_context()
+        check_policy(ctxt, 'thaw_host')
+        ctxt = ctxt if ctxt.is_admin else ctxt.elevated()
         svc_host = volume_utils.extract_host(host, 'backend')
 
         service = objects.Service.get_by_args(

etc/cinder/policy.json

@@ -74,10 +74,9 @@
     "volume_extension:replication:promote": "rule:admin_api",
     "volume_extension:replication:reenable": "rule:admin_api",
 
-    "volume:enable_replication": "rule:admin_api",
-    "volume:disable_replication": "rule:admin_api",
-    "volume:failover_replication": "rule:admin_api",
-    "volume:list_replication_targets": "rule:admin_api",
+    "volume:failover_host": "rule:admin_api",
+    "volume:freeze_host": "rule:admin_api",
+    "volume:thaw_host": "rule:admin_api",
 
     "backup:create" : "",
     "backup:delete": "rule:admin_or_owner",