diff --git a/hooks/nova_compute_hooks.py b/hooks/nova_compute_hooks.py
index 94be738a..7e042275 100755
--- a/hooks/nova_compute_hooks.py
+++ b/hooks/nova_compute_hooks.py
@@ -353,12 +353,18 @@ def get_ceph_request():
 rq.add_op_create_pool(name=name, replica_count=replicas, weight=weight, group='vms')
 if config('restrict-ceph-pools'):
- rq.add_op_request_access_to_group(name="volumes",
- permission='rwx')
- rq.add_op_request_access_to_group(name="images",
- permission='rwx')
- rq.add_op_request_access_to_group(name="vms",
- permission='rwx')
+ rq.add_op_request_access_to_group(
+ name="volumes",
+ object_prefix_permissions={'class-read': ['rbd_children']},
+ permission='rwx')
+ rq.add_op_request_access_to_group(
+ name="images",
+ object_prefix_permissions={'class-read': ['rbd_children']},
+ permission='rwx')
+ rq.add_op_request_access_to_group(
+ name="vms",
+ object_prefix_permissions={'class-read': ['rbd_children']},
+ permission='rwx')
 return rq
diff --git a/unit_tests/test_nova_compute_hooks.py b/unit_tests/test_nova_compute_hooks.py
index c8ab8ff1..63a8c95b 100644
--- a/unit_tests/test_nova_compute_hooks.py
+++ b/unit_tests/test_nova_compute_hooks.py
@@ -509,9 +509,15 @@ class NovaComputeRelationsTests(CharmTestCase):
 weight=28, group='vms')
 mock_request_access.assert_has_calls([
- call(name='volumes', permission='rwx'),
- call(name='images', permission='rwx'),
- call(name='vms', permission='rwx'),
+ call(name='volumes',
+ object_prefix_permissions={'class-read': ['rbd_children']},
+ permission='rwx'),
+ call(name='images',
+ object_prefix_permissions={'class-read': ['rbd_children']},
+ permission='rwx'),
+ call(name='vms',
+ object_prefix_permissions={'class-read': ['rbd_children']},
+ permission='rwx'),
 ])
 @patch.object(hooks, 'service_restart_handler')
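Review bot: The literal `object_prefix_permissions={'class-read': ['rbd_children']}` is now repeated in all three `add_op_request_access_to_group` calls under `if config('restrict-ceph-pools'):`, and nothing in the code says why the compute key needs it. A one-line comment above the calls would help whoever audits these capabilities later, for example `# class-read on rbd_children: presumably needed to read RBD clone parent/child metadata`, reworded once the intent is confirmed. The three calls could also become one call inside `for group in ('volumes', 'images', 'vms'):` so the grants cannot drift apart. Since this is the restricted-pool path, it is worth confirming that `permission='rwx'` on `images` is really required rather than read-only access; that grant predates this change. `get_ceph_request` begins above the hunk, so the rest of the request is not visible here.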
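Review bot: `mock_request_access.assert_has_calls([...])` still passes if the hook issues extra access requests beyond these three, so the test cannot catch an unintended additional or broader grant. For a permission-granting path an exact comparison is safer, for example `self.assertEqual(mock_request_access.call_args_list, [...])` with the same three `call(...)` entries, or at least `self.assertEqual(mock_request_access.call_count, 3)` after the existing assertion. The test method starts above the hunk, so whether the `restrict-ceph-pools` disabled case is asserted elsewhere cannot be seen from here.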