Return 403 when policy engine denies action

* Fixes bug 956206

Change-Id: I0447a1a86fed2456c912395a0ab7d6e0aba03f66

glance/api/v1/images.py

@@ -29,7 +29,6 @@
                        HTTPConflict,
                        HTTPBadRequest,
                        HTTPForbidden,
-                       HTTPUnauthorized,
                        HTTPRequestEntityTooLarge,
                        HTTPServiceUnavailable,
                       )
@@ -104,7 +103,7 @@ def _enforce(self, req, action):
         try:
             self.policy.enforce(req.context, action, {})
         except exception.NotAuthorized:
-            raise HTTPUnauthorized()
+            raise HTTPForbidden()
 
     def index(self, req):
         """

glance/tests/unit/test_api.py

@@ -2194,7 +2194,7 @@ def test_add_image_unauthorized(self):
         req.headers['Content-Type'] = 'application/octet-stream'
         req.body = "chunk00000remainder"
         res = req.get_response(self.api)
-        self.assertEquals(res.status_int, 401)
+        self.assertEquals(res.status_int, 403)
 
     def _do_test_post_image_content_missing_format(self, missing):
         """Tests creation of an image with missing format"""
@@ -2563,14 +2563,14 @@ def test_get_images_detailed_unauthorized(self):
         self.set_policy_rules(rules)
         req = webob.Request.blank('/images/detail')
         res = req.get_response(self.api)
-        self.assertEquals(res.status_int, 401)
+        self.assertEquals(res.status_int, 403)
 
     def test_get_images_unauthorized(self):
         rules = {"get_images": [["false:false"]]}
         self.set_policy_rules(rules)
         req = webob.Request.blank('/images/detail')
         res = req.get_response(self.api)
-        self.assertEquals(res.status_int, 401)
+        self.assertEquals(res.status_int, 403)
 
     def test_store_location_not_revealed(self):
         """
@@ -2732,7 +2732,7 @@ def test_image_meta_unauthorized(self):
         req = webob.Request.blank("/images/%s" % UUID2)
         req.method = 'HEAD'
         res = req.get_response(self.api)
-        self.assertEquals(res.status_int, 401)
+        self.assertEquals(res.status_int, 403)
 
     def test_show_image_basic(self):
         req = webob.Request.blank("/images/%s" % UUID2)
@@ -2751,7 +2751,7 @@ def test_show_image_unauthorized(self):
         self.set_policy_rules(rules)
         req = webob.Request.blank("/images/%s" % UUID2)
         res = req.get_response(self.api)
-        self.assertEqual(res.status_int, 401)
+        self.assertEqual(res.status_int, 403)
 
     def test_delete_image(self):
         req = webob.Request.blank("/images/%s" % UUID2)
@@ -2833,7 +2833,7 @@ def test_delete_image_unauthorized(self):
         req = webob.Request.blank("/images/%s" % UUID2)
         req.method = 'DELETE'
         res = req.get_response(self.api)
-        self.assertEquals(res.status_int, 401)
+        self.assertEquals(res.status_int, 403)
 
     def test_get_details_invalid_marker(self):
         """