Fix image owner can't be changed issue in v2

It is incompatible with v1 for owner change in v2. Image owner
should be able to be changed, and only by admin user. This patch
fixes the issue and add some test cases for that.

Closes-Bug: #1420008

Change-Id: Ief9dc3329d7df07e1da32bb5ccc557096f73624f

glance/api/v2/images.py

@@ -183,6 +183,9 @@ class ImagesController(object):
         value = change['value']
         if path_root == 'locations':
             self._do_replace_locations(image, value)
+        elif path_root == 'owner' and req.context.is_admin == False:
+            msg = _("Owner can't be updated by non admin.")
+            raise webob.exc.HTTPForbidden(msg)
         else:
             if hasattr(image, path_root):
                 setattr(image, path_root, value)
@@ -323,7 +326,7 @@ class RequestDeserializer(wsgi.JSONRequestDeserializer):
     _readonly_properties = ('created_at', 'updated_at', 'status', 'checksum',
                             'size', 'virtual_size', 'direct_url', 'self',
                             'file', 'schema', 'id')
-    _reserved_properties = ('owner', 'location', 'deleted', 'deleted_at')
+    _reserved_properties = ('location', 'deleted', 'deleted_at')
     _base_properties = ('checksum', 'created_at', 'container_format',
                         'disk_format', 'id', 'min_disk', 'min_ram', 'name',
                         'size', 'virtual_size', 'status', 'tags',

glance/tests/unit/v2/test_images_resource.py

@@ -793,13 +793,23 @@ class TestImagesController(base.IsolatedUnitTest):
     def test_update_replace_base_attribute(self):
         self.db.image_update(None, UUID1, {'properties': {'foo': 'bar'}})
         request = unit_test_utils.get_fake_request()
-        changes = [{'op': 'replace', 'path': ['name'], 'value': 'fedora'}]
+        request.context.is_admin = True
+        changes = [{'op': 'replace', 'path': ['name'], 'value': 'fedora'},
+                   {'op': 'replace', 'path': ['owner'], 'value': TENANT3}]
         output = self.controller.update(request, UUID1, changes)
         self.assertEqual(UUID1, output.image_id)
         self.assertEqual('fedora', output.name)
+        self.assertEqual(TENANT3, output.owner)
         self.assertEqual({'foo': 'bar'}, output.extra_properties)
         self.assertNotEqual(output.created_at, output.updated_at)
 
+    def test_update_replace_onwer_non_admin(self):
+        request = unit_test_utils.get_fake_request()
+        request.context.is_admin = False
+        changes = [{'op': 'replace', 'path': ['owner'], 'value': TENANT3}]
+        self.assertRaises(webob.exc.HTTPForbidden,
+                          self.controller.update, request, UUID1, changes)
+
     def test_update_replace_tags(self):
         request = unit_test_utils.get_fake_request()
         changes = [
@@ -2455,7 +2465,6 @@ class TestImagesDeserializer(test_utils.BaseTestCase):
 
     def test_update_reserved_attributes(self):
         samples = {
-            'owner': TENANT1,
             'deleted': False,
             'deleted_at': ISOTIME,
         }