Add policy rule for get quotas

This introduces the missing policy customization capability for get
quotas API, so that policy rules for all quota APIs can be customized.

Also fix missing target project_id in policy evaluation.

Change-Id: I0e9a12670b8df448bed97448f8de9e3bbf207364

aodh/api/controllers/v2/quotas.py

@@ -48,10 +48,9 @@ class QuotasController(rest.RestController):
         """
         request_project = pecan.request.headers.get('X-Project-Id')
         project_id = project_id if project_id else request_project
-        is_admin = rbac.is_admin(pecan.request, pecan.request.enforcer)
+        rbac.enforce(
-
+            'get_quotas', pecan.request,
-        if project_id != request_project and not is_admin:
+            pecan.request.enforcer, {'project_id': project_id})
-            raise base.ProjectNotAuthorized(project_id)
 
         LOG.debug('Getting resource quotas for project %s', project_id)
 
@@ -68,12 +67,12 @@ class QuotasController(rest.RestController):
     @wsme_pecan.wsexpose(Quotas, body=Quotas, status_code=201)
     def post(self, body):
         """Create or update quota."""
-        rbac.enforce('update_quotas', pecan.request,
-                     pecan.request.enforcer, {})
-
         params = body.to_dict()
         project_id = params['project_id']
 
+        rbac.enforce('update_quotas', pecan.request,
+                     pecan.request.enforcer, {'project_id': project_id})
+
         input_quotas = []
         for i in params.get('quotas', []):
             input_quotas.append(i.to_dict())
@@ -87,5 +86,5 @@ class QuotasController(rest.RestController):
     def delete(self, project_id):
         """Delete quotas for the given project."""
         rbac.enforce('delete_quotas', pecan.request,
-                     pecan.request.enforcer, {})
+                     pecan.request.enforcer, {'project_id': project_id})
         pecan.request.storage.delete_quotas(project_id)

aodh/api/policies.py

@@ -96,6 +96,12 @@ deprecated_query_alarm_history = policy.DeprecatedRule(
     deprecated_reason=DEPRECATED_REASON,
     deprecated_since=versionutils.deprecated.WALLABY
 )
+deprecated_get_quotas = policy.DeprecatedRule(
+    name="telemetry:get_quotas",
+    check_str=RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since='Epoxy'
+)
 deprecated_update_quotas = policy.DeprecatedRule(
     name="telemetry:update_quotas",
     check_str=RULE_CONTEXT_IS_ADMIN,
@@ -281,6 +287,23 @@ rules = [
         ],
         deprecated_rule=deprecated_query_alarm_history
     ),
+    policy.DocumentedRuleDefault(
+        name="telemetry:get_quotas",
+        check_str=PROJECT_READER,
+        scope_types=['project'],
+        description='Get resources quotas for project.',
+        operations=[
+            {
+                'path': '/v2/quotas',
+                'method': 'Get'
+            },
+            {
+                'path': '/v2/quotas/{project_id}',
+                'method': 'Get'
+            }
+        ],
+        deprecated_rule=deprecated_get_quotas
+    ),
     policy.DocumentedRuleDefault(
         name="telemetry:update_quotas",
         check_str=PROJECT_ADMIN,

releasenotes/notes/get-quotas-policy-b0338f314ec06ae9.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    The new ``telemetry::get_quotas`` policy has been added.