From da0ea57d7e9b8254a877009e77f412684cce3754 Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Mon, 10 Oct 2016 13:41:52 -0400
Subject: [PATCH] Admin API policy enforcement contingent on is_admin_project

In order for a user with the admin role to be able to perform administrative actions, the role must be assigned to a project that is deemed the "admin" project in the Keystone server. This prevents someone being assigned admin on some random project from being admin everywhere.

Change-Id: Ic4294cc1746702c345259c64bad1e20675a7d9ab
Closes-Bug: 968696
---
 etc/cinder/policy.json | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index 88183720517..7bb9cb164a7 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -1,9 +1,8 @@
 {
- "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
+ "admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s",
 "default": "rule:admin_or_owner",
- "admin_api": "is_admin:True",
+ "admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
 "volume:create": "",
 "volume:delete": "rule:admin_or_owner",