Comment 6 for bug 1522705

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/299715
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f738483e843fc27379b85c5401859ccc854adc5e
Submitter: Jenkins
Branch: master

commit f738483e843fc27379b85c5401859ccc854adc5e
Author: Matt Riedemann <email address hidden>
Date: Wed Mar 30 22:07:47 2016 -0400

    Make swap-volume an admin-only API by default

    Cinder's volume migration API is, by default, an admin-only operation.
    This includes the migrate_volume_completion API.

    When Cinder is doing a volume migration, it calls Nova's swap-volume
    API to detach the old volume that we're migrating from and attach
    the volume that we're migrating to. Then Nova calls Cinder's
    migrate_volume_completion API to signal Nova is done and Cinder
    can finish the volume migration.

    The problem is that swap-volume is not an admin-only API in Nova
    per the default policy. So if a non-admin user tries to perform
    a swap-volume operation, it will fail with a 403 when calling
    Cinder's migrate_volume_completion API, since that requires an
    admin user.

    Also, because of 98739761f17b5e0b32abd8cd262f5beda030f886 we can't
    simply avoid calling migrate_volume_completion for non-migration
    cases because that API handles the actual detach/attach for the old
    and new volumes; swap-volume is broken without calling that.

    So given swap-volume relies on an admin-only Cinder API, and is called
    from an admin-only Cinder operation (volume migration), we should
    just make it default to admin-only also.

    Change-Id: Iac03258735f3d856a474ab96fe9b0a087e32906f
    Closes-Bug: #1522705