From e44f0166560c56af0a724246edb9a4f32483e133 Mon Sep 17 00:00:00 2001
From: Ryosuke Mizuno
Date: Fri, 2 Sep 2016 19:09:51 +0900
Subject: [PATCH] add more credentials information to check_is_admin
Currently, It can specify only user_id when checking admin. Add more information for checking admin because it is not enough in multi-domain configuration.
Change-Id: I5e3d6b88e8286b50bc0641163fadf27199fb4a55
closes-bug: 1619597
(cherry picked from commit eb6ed41a54f2495848ef965ba8bd57f2c40dcb56)
---
 cinder/policy.py | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/cinder/policy.py b/cinder/policy.py
index 551f11128..a2a097927 100644
--- a/cinder/policy.py
+++ b/cinder/policy.py
@@ -73,21 +73,16 @@ def enforce(context, action, target):
 def check_is_admin(roles, context=None):
 """Whether or not user is admin according to policy setting.
- Can use roles or user_id from context to determine if user is admin.
- In a multi-domain configuration, roles alone may not be sufficient.
 """
 init()
 # include project_id on target to avoid KeyError if context_is_admin
 # policy definition is missing, and default admin_or_owner rule
- # attempts to apply. Since our credentials dict does not include a
- # project_id, this target can never match as a generic rule.
+ # attempts to apply.
 target = {'project_id': ''}
 if context is None:
 credentials = {'roles': roles}
 else:
- credentials = {'roles': context.roles,
- 'user_id': context.user_id
- }
+ credentials = context.to_dict()
 return _ENFORCER.enforce('context_is_admin', target, credentials)
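Review bot: Passing `context.to_dict()` as credentials removes the guarantee the deleted comment documented: `target = {'project_id': ''}` was safe only because the credentials held no `project_id`, and the full context dict presumably does (to_dict() is not shown here, so this is inferred). If the `context_is_admin` rule is missing and the default owner-style rule applies, a context whose project_id is empty could compare equal to the target and pass as admin, so the target should use a value no context can hold, and the comment should state the new assumption, e.g. `# credentials now include project_id; the target value must never equal a real or empty one`. The whole dict is also handed to the policy engine, so it is worth confirming that it carries no token or other secret the enforcer might log. The docstring is left as a summary followed by a blank line; add a line saying that when a context is given its full dict is used as credentials and `roles` is ignored.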