Comment 9 for bug 1714858

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/queens)

Reviewed: https://review.openstack.org/593675
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=76d3c644f3f5866a5c07f80b66132d81b8b57e78
Submitter: Zuul
Branch: stable/queens

commit 76d3c644f3f5866a5c07f80b66132d81b8b57e78
Author: TommyLike <email address hidden>
Date: Wed Feb 28 16:14:17 2018 +0000

    Add missing 'target_obj' when performing policy check

    Generally, we have to pass the target object to ``authorize``
    when enforcing a policy check, but this has been ignored during
    our development and review process for a long time, and the
    potential issue is that anyone can handle the target resource,
    as ``authorize`` will always succeed if the rule is defined as
    ``admin_or_owner`` [1]. Luckily, for most of those APIs
    this security concern is protected by our database access
    code [2], which only allows project-scoped resources.

    However, there is one API that does have a security issue when
    an administrator changes the rule to "admin_or_owner".

    1. "volume reset_status", for which cinder updates the
    resource directly in the database; the procedure to reproduce
    the bug is described on the launchpad.

    This patch intends to correct most of the cases which can be
    easily figured out in case of future code changes.

    [1]: http://git.openstack.org/cgit/openstack/cinder/tree/cinder/context.py?id=73e6e3c147fc357031834d0ac28478d061e6120c#n206
    [2]: http://git.openstack.org/cgit/openstack/cinder/tree/cinder/db/sqlalchemy/api.py?id=73e6e3c147fc357031834d0ac28478d061e6120c#n3058
    [3]: http://git.openstack.org/cgit/openstack/cinder/tree/cinder/api/contrib/admin_actions.py?id=73e6e3c147fc357031834d0ac28478d061e6120c#n161

    Conflicts:
        cinder/api/contrib/volume_image_metadata.py

    Partial-Bug: #1714858
    Change-Id: I351b3ddf8dfe29da8d854d4038d64ca7be17390f
    (cherry picked from commit 7391070474269dc247fc1d1f43520087a6a10267)
    Signed-off-by: Sean McGinnis <email address hidden>
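A simplified model of the flaw the commit describes, added here as an illustration and not cinder's own code: when no `target_obj` is passed, the enforcer builds its target from the requesting context, so the "owner" half of `admin_or_owner` can never fail, and the 'before'/'after' `reset_status` handlers show what passing the volume's `project_id` changes. The `RequestContext`, `Volume`, `authorize` and handler names are constructed stand-ins; the action string mirrors cinder's reset_status policy name.

```python
from dataclasses import dataclass, field

@dataclass
class RequestContext:
    user_id: str
    project_id: str
    roles: list = field(default_factory=list)

@dataclass
class Volume:
    project_id: str
    status: str = "available"

ACTION = "volume_extension:volume_admin_actions:reset_status"

def admin_or_owner(ctx, target):
    # Stand-in for the rule "is_admin:True or project_id:%(project_id)s".
    return "admin" in ctx.roles or ctx.project_id == target["project_id"]

POLICY = {ACTION: admin_or_owner}

def authorize(ctx, action, target=None):
    """Enforce ``action`` for ``ctx`` against ``target``."""
    if target is None:
        # The flaw: without a target_obj the target is the caller itself,
        # so the "owner" half of admin_or_owner is always true.
        target = {"project_id": ctx.project_id, "user_id": ctx.user_id}
    if not POLICY[action](ctx, target):
        raise PermissionError(action)

def reset_status_unpatched(ctx, volume, new_status):
    """'Before': target_obj omitted; any tenant can reset any volume."""
    authorize(ctx, ACTION)
    volume.status = new_status
    return volume.status

def reset_status_patched(ctx, volume, new_status):
    """'After': the volume's own project_id is what the rule is checked against."""
    authorize(ctx, ACTION, target={"project_id": volume.project_id})
    volume.status = new_status
    return volume.status

def allowed(handler, ctx, volume):
    """True if ``handler`` lets ``ctx`` reset ``volume``, False if denied."""
    try:
        handler(ctx, volume, "error")
        return True
    except PermissionError:
        return False
```

With the patched handler, only the volume's owning project or an admin role passes the same rule; the database-level project scoping the commit mentions is what protected the other APIs, and reset_status bypasses it by writing the row directly.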