Few correction in the server filter/sort spec

server filter/sort spec (add-whitelist-for-server-list-filter-sort-parameters.rst)
is implemented in ocata but there are 'all_tenants' behavior and policy changes
mentioned in this spec which actually did not get implemented.

Those proposed changes were rediscussed in API meeting [1] to implement in a
different way [2] which again not completed yet. There was no consensus on
direction that time and need more broad discussion to make 'all_tenants' bits
as better UX.

But anyways we should cleanup the implemented spec with things not yet done.
Otherwise people might get wrong impressions about 'all_tenants' changes.

This commit does the below change to server filter/sort spec:

1. Some valid params which are implemented in schema but missing in spec's
   whitelist:

   - Add 'created_at' and 'changes-since' in filter params list
   - Add 'created_at' and 'updated_at' in sort param list

2. Remove the 'all_tenants' proposed changes which are not implemented yet.
   We will further discuss/plan the 'all_tenants' proposal as fresh spec.

.. [1] http://eavesdrop.openstack.org/meetings/nova_api/2017/nova_api.2017-01-25-13.00.log.html
.. [2] https://review.openstack.org/#/c/426128/
       https://review.openstack.org/#/c/425533/

Change-Id: Ibdcc5cae3b73c0aa0d3e0a785c827682df0483ca

This commit is contained in:
parent
2e4c05db96
commit
fb25b4c225
|
@ -59,28 +59,19 @@ The whitelist for REST API filters are ['user_id', 'project_id', 'tenant_id',
|
|||
'uuid', 'root_device_name', 'config_drive', 'access_ip_v4', 'access_ip_v6',
|
||||
'auto_disk_config', 'progress', 'sort_key', 'sort_dir', 'all_tenants',
|
||||
'deleted', 'limit', 'marker', 'status', 'ip', 'ip6', 'tag', 'not-tag',
|
||||
'tag-any', 'not-tag-any']
|
||||
'tag-any', 'not-tag-any', 'created_at', 'changes-since']
|
||||
|
||||
For the non-admin user, there have a whitelist for filters already [1]. That
|
||||
whitelist will be kept. In the future, we hope to have same list for the admin
|
||||
and non-admin users.
|
||||
|
||||
The policy 'os_compute_api:servers:detail:get_all_tenants' and
|
||||
'os_compute_api:servers:index:get_all_tenants' are deprecated. The default rule
|
||||
changes to '@'. In next release, it will be removed.
|
||||
|
||||
The new rule 'os_compute_api:servers:all_tenants_visible' is introduced
|
||||
instead. It is a soft enforcement rule. When the user can't pass the rule, the
|
||||
API still return successfully, but the user only can see his own instances. The
|
||||
default rule is `rule:admin_api`.
|
||||
|
||||
The whitelist for sorts are pretty similar with filters.
|
||||
['user_id', 'project_id', 'launch_index', 'image_ref', 'kernel_id',
|
||||
'ramdisk_id', 'hostname', 'key_name', 'power_state', 'vm_state', 'task_state',
|
||||
'host', 'node', 'instance_type_id', 'launched_at',
|
||||
'terminated_at', 'availability_zone', 'display_name', 'display_description',
|
||||
'locked_by', 'uuid', 'root_device_name', 'config_drive', 'access_ip_v4',
|
||||
'access_ip_v6', 'auto_disk_config', 'progress']
|
||||
'access_ip_v6', 'auto_disk_config', 'progress', 'created_at', 'updated_at']
|
||||
|
||||
The sorts whitelist compare to the filters, some parameters which aren't
|
||||
mapping to the API representation are removed, and tags filters, pagination
|
||||
|
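Review bot: adding 'updated_at' to the sort whitelist but not to the filter whitelist conflicts with the unchanged sentence right after the list, "The sorts whitelist compare to the filters, some parameters which aren't mapping to the API representation are removed", which presents the sort list as the filter list minus some entries. Either reword that sentence to say the sort list also carries keys that are not filters, or add 'updated_at' to the filter list if the schema accepts it there. Separately, the kept paragraph says the existing non-admin filter whitelist "will be kept", so it would help to state whether the newly listed 'created_at' and 'changes-since' are available to non-admin users or only to admins.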
@ -109,19 +100,6 @@ REST API impact
|
|||
attributes.
|
||||
* Few filters and sorts which aren't mapping to the REST API representaion
|
||||
will be ignored in all microversions.
|
||||
* The default behaviour of `all_tenants` changed. The new soft enforcement rule
|
||||
is instead of the hard enforcement rule. The API behavior is as below for
|
||||
a fresh install of Nova:
|
||||
|
||||
* For non-admin user, list servers with `all_tenants=True`, it will pass the
|
||||
old rule `os_compute_api:servers:index:get_all_tenants`, and fails the new
|
||||
rule `os_compute_api:servers:all_tenants_visible`. Then the API returns
|
||||
successfully, but the response is still only includes the user-owned
|
||||
instances.
|
||||
* For admin user, list servers with `all_tenants=True`, it will pass the old
|
||||
rule and the new rule. Then the API returns successfully, and the response
|
||||
will includes all the instances from all the tenants.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
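Review bot: with the `all_tenants` bullet deleted from REST API impact, the spec still lists 'all_tenants' in the filter whitelist but no longer says what a non-admin request with `all_tenants=True` gets back. Rather than dropping the bullet outright, replace it with one sentence stating that `all_tenants` handling is not changed by this spec and stays under the existing `os_compute_api:servers:index:get_all_tenants` and `os_compute_api:servers:detail:get_all_tenants` rules, so readers do not have to infer the access-control behaviour from its absence. While touching this section, the context line above has a typo: "representaion".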
@ -148,21 +126,7 @@ None
|
|||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
The new `os_compute_api:servers:all_tenants_visible` is introduced. The
|
||||
old rule `os_compute_api:servers:index:get_all_tenants` and
|
||||
`os_compute_api:servers:detail:get_all_tenants` is deprecated. The default
|
||||
of old rules are changed to '@' in Ocata. The old rule will be removed in the
|
||||
future.
|
||||
|
||||
For a fresh install of Nova, the API behaviour is just as the description
|
||||
in the `REST API impact`_ section.
|
||||
|
||||
For a upgrade of Nova from Newton, if the `policy.json` has an explicit setting
|
||||
which is the old default of admin-only or a custom rule. This overrides the
|
||||
default in code change to `@` for the old rules. The API behaviour will be same
|
||||
as before, when the request can't pass the old rule check, the API returns
|
||||
`HTTP Forbidden 403`.
|
||||
|
||||
None
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
|
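Review bot: replacing the whole "Other deployer impact" text with "None" removes every trace that the policy deprecation and the `os_compute_api:servers:all_tenants_visible` rule were proposed and then dropped, which matters for operators who read the earlier version of this spec and may expect the old rules to default to '@'. Suggest keeping "None" here but adding a short entry in the spec's history or references noting that the 'all_tenants' policy changes were not implemented in Ocata, with the two follow-up reviews cited in the commit message.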