Fix os-create-backup policy to be admin_or_owner

os-create-backup API policy is default to admin_or_owner[1] but API
is allowed for everyone.

We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/706726/

This is because API does not pass the server project_id in policy target[2]
and if no target is passed then, policy.py add the default targets which is
nothing but context.project_id (allow for everyone who try to access)[3]

This commit fix this policy by passing the server's project_id in policy
target.

[1] https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/policies/create_backup.py#L27
[2] https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/api/openstack/compute/create_backup.py#L50
[3] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

Change-Id: I36cba4c6760f8f9faa5f3039cbb11ea1dc296f68
Closes-bug: #1862561

nova/api/openstack/compute/create_backup.py

@@ -47,7 +47,9 @@ class CreateBackupController(wsgi.Controller):
 
         """
         context = req.environ["nova.context"]
-        context.can(cb_policies.BASE_POLICY_NAME)
+        instance = common.get_instance(self.compute_api, context, id)
+        context.can(cb_policies.BASE_POLICY_NAME,
+                    target={'project_id': instance.project_id})
         entity = body["createBackup"]
 
         image_name = common.normalize_name(entity["name"])
@@ -63,8 +65,6 @@ class CreateBackupController(wsgi.Controller):
             common.check_img_metadata_properties_quota(context, metadata)
         props.update(metadata)
 
-        instance = common.get_instance(self.compute_api, context, id)
-
         try:
             image = self.compute_api.backup(context, instance, image_name,
                     backup_type, rotation, extra_properties=props)

nova/tests/unit/api/openstack/compute/test_create_backup.py

@@ -340,8 +340,7 @@ class CreateBackupTestsV21(admin_only_action_common.CommonMixin,
         self.assertIn("Cannot 'createBackup' instance %(id)s"
                       % {'id': instance.uuid}, ex.explanation)
 
-    @mock.patch.object(common, 'check_img_metadata_properties_quota')
-    def test_create_backup_with_non_existed_instance(self, mock_check_image):
+    def test_create_backup_with_non_existed_instance(self):
         body_map = {
             'createBackup': {
                 'name': 'Backup 1',
@@ -355,7 +354,6 @@ class CreateBackupTestsV21(admin_only_action_common.CommonMixin,
         self.assertRaises(webob.exc.HTTPNotFound,
                           self.controller._create_backup,
                           self.req, uuid, body=body_map)
-        mock_check_image.assert_called_once_with(self.context, {})
 
     def test_create_backup_with_invalid_create_backup(self):
         body = {
@@ -404,6 +402,9 @@ class CreateBackupPolicyEnforcementv21(test.NoDBTestCase):
         super(CreateBackupPolicyEnforcementv21, self).setUp()
         self.controller = create_backup_v21.CreateBackupController()
         self.req = fakes.HTTPRequest.blank('')
+        patch_get = mock.patch.object(self.controller.compute_api, 'get')
+        self.mock_get = patch_get.start()
+        self.addCleanup(patch_get.stop)
 
     def test_create_backup_policy_failed(self):
         rule_name = "os_compute_api:os-create-backup"