Make swap-volume an admin-only API by default
Cinder's volume migration API is, by default, an admin-only operation.
This includes the migrate_volume_completion API.
When Cinder is doing a volume migration, it calls Nova's swap-volume
API to detach the old volume that we're migrating from and attach
the volume that we're migrating to. Then Nova calls Cinder's
migrate_volume_completion API to signal Nova is done and Cinder
can finish the volume migration.
The problem is that swap-volume is not an admin-only API in Nova
per the default policy. So if a non-admin user tries to perform
a swap-volume operation, it will fail with a 403 when calling
Cinder's migrate_volume_completion API, since that requires an
admin user.
Also, because of 98739761f1 we can't
simply avoid calling migrate_volume_completion for non-migration
cases, because that API handles the actual detach/attach for the old
and new volumes; swap-volume is broken without calling it.
So given swap-volume relies on an admin-only Cinder API, and is called
from an admin-only Cinder operation (volume migration), we should
just make it default to admin-only also.
Change-Id: Iac03258735f3d856a474ab96fe9b0a087e32906f
Closes-Bug: #1522705
parent
7c648c3bc1
commit
f738483e84
|
@ -498,13 +498,14 @@ driver-impl-libvirt-vz-ct=complete
|
|||
[operation.swap-volume]
|
||||
title=Swap block volumes
|
||||
status=optional
|
||||
notes=The swap volume operation is a mechanism for changing running
|
||||
notes=The swap volume operation is a mechanism for changing a running
|
||||
instance so that its attached volume(s) are backed by different
|
||||
storage in the host. An alternative to this would be to simply
|
||||
terminate the existing instance and spawn a new instance with the
|
||||
new storage. In other words this operation is primarily targeted towards
|
||||
the pet use case rather than cattle. Therefore this is considered
|
||||
optional to support.
|
||||
the pet use case rather than cattle, however, it is required for volume
|
||||
migration to work in the volume service. This is considered optional to
|
||||
support.
|
||||
cli=
|
||||
driver-impl-xenserver=missing
|
||||
driver-impl-libvirt-kvm-x86=complete
|
||||
|
|
|
@ -46,7 +46,7 @@
|
|||
|
||||
"compute:attach_volume": "rule:admin_or_owner",
|
||||
"compute:detach_volume": "rule:admin_or_owner",
|
||||
"compute:swap_volume": "rule:admin_or_owner",
|
||||
"compute:swap_volume": "rule:admin_api",
|
||||
|
||||
"compute:attach_interface": "rule:admin_or_owner",
|
||||
"compute:detach_interface": "rule:admin_or_owner",
|
||||
|
@ -190,7 +190,7 @@
|
|||
"compute_extension:volume_attachments:index": "rule:admin_or_owner",
|
||||
"compute_extension:volume_attachments:show": "rule:admin_or_owner",
|
||||
"compute_extension:volume_attachments:create": "rule:admin_or_owner",
|
||||
"compute_extension:volume_attachments:update": "rule:admin_or_owner",
|
||||
"compute_extension:volume_attachments:update": "rule:admin_api",
|
||||
"compute_extension:volume_attachments:delete": "rule:admin_or_owner",
|
||||
"compute_extension:volumetypes": "rule:admin_or_owner",
|
||||
"compute_extension:availability_zone:list": "rule:admin_or_owner",
|
||||
|
@ -473,7 +473,7 @@
|
|||
"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
|
||||
"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
|
||||
"os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner",
|
||||
"os_compute_api:os-volumes-attachments:update": "rule:admin_or_owner",
|
||||
"os_compute_api:os-volumes-attachments:update": "rule:admin_api",
|
||||
"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner",
|
||||
"os_compute_api:os-volumes-attachments:discoverable": "@",
|
||||
"os_compute_api:os-availability-zone:list": "rule:admin_or_owner",
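Review bot: Swap volume is gated by three separate keys in this file, `compute:swap_volume`, `compute_extension:volume_attachments:update` and `os_compute_api:os-volumes-attachments:update`, and the upgrade note added by this commit names none of them. These hunks change only the shipped defaults, so a deployment that carries its own policy file with any of the three still set to `rule:admin_or_owner` presumably keeps the old behaviour after upgrade, including the 403 from Cinder's migrate_volume_completion that the commit message describes. I would extend the release note with a line such as `Operators with a customized policy file should review compute:swap_volume and both volume_attachments update rules`, so that overrides can be audited and changed together. JSON has no comment syntax, so the reason cannot be recorded next to the rules themselves.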
|
||||
|
|
|
@ -247,6 +247,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"compute:unlock_override",
|
||||
"compute:get_all_tenants",
|
||||
"compute:create:forced_host",
|
||||
"compute:swap_volume",
|
||||
"compute_extension:accounts",
|
||||
"compute_extension:admin_actions",
|
||||
"compute_extension:admin_actions:resetNetwork",
|
||||
|
@ -296,6 +297,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"compute_extension:os-assisted-volume-snapshots:delete",
|
||||
"compute_extension:console_auth_tokens",
|
||||
"compute_extension:os-server-external-events:create",
|
||||
"compute_extension:volume_attachments:update",
|
||||
"os_compute_api:servers:create:forced_host",
|
||||
"os_compute_api:servers:detail:get_all_tenants",
|
||||
"os_compute_api:servers:index:get_all_tenants",
|
||||
|
@ -364,6 +366,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"os_compute_api:os-console-auth-tokens",
|
||||
"os_compute_api:os-quota-class-sets:update",
|
||||
"os_compute_api:os-server-external-events:create",
|
||||
"os_compute_api:os-volumes-attachments:update",
|
||||
"os_compute_api:servers:migrations:index",
|
||||
"os_compute_api:servers:migrations:show",
|
||||
)
|
||||
|
@ -456,7 +459,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"compute:set_admin_password",
|
||||
"compute:snapshot",
|
||||
"compute:suspend",
|
||||
"compute:swap_volume",
|
||||
"compute:unpause",
|
||||
"compute:unrescue",
|
||||
"compute:update",
|
||||
|
@ -528,7 +530,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"compute_extension:volume_attachments:index",
|
||||
"compute_extension:volume_attachments:show",
|
||||
"compute_extension:volume_attachments:create",
|
||||
"compute_extension:volume_attachments:update",
|
||||
"compute_extension:volume_attachments:delete",
|
||||
"compute_extension:volumetypes",
|
||||
"compute_extension:availability_zone:list",
|
||||
|
@ -617,7 +618,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"os_compute_api:os-volumes-attachments:index",
|
||||
"os_compute_api:os-volumes-attachments:show",
|
||||
"os_compute_api:os-volumes-attachments:create",
|
||||
"os_compute_api:os-volumes-attachments:update",
|
||||
"os_compute_api:os-volumes-attachments:delete",
|
||||
"os_compute_api:os-availability-zone:list",
|
||||
)
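Review bot: The three rules moved in this file (`"compute:swap_volume"`, `"compute_extension:volume_attachments:update"`, `"os_compute_api:os-volumes-attachments:update"`) are added without a comment saying why an attachment update is admin-only while index, show, create and delete stay with the owner. They sit far apart in what appear to be the admin-only and admin-or-owner tuples, so a later change that relaxes one of them and leaves the other two would not look wrong to a reader of this test. I would put a comment above the first addition, for example `# swap volume is admin-only: it ends in Cinder's admin-only migrate_volume_completion; keep in step with both volume_attachments:update rules`. The tuples start and end outside the hunks, so their names and the assertions that consume them are not visible here.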
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
upgrade:
|
||||
- The default policy for updating volume attachments, commonly referred to as
|
||||
swap volume, has been changed from ``rule:admin_or_owner`` to
|
||||
``rule:admin_api``. This is because it is called from the volume service
|
||||
when migrating volumes, which is an admin-only operation by default, and
|
||||
requires calling an admin-only API in the volume service upon completion.
|
||||
So by default it would not work for non-admins.
|