Make swap-volume an admin-only API by default

Cinder's volume migration API is, by default, an admin-only operation.
This includes the migrate_volume_completion API.

When Cinder is doing a volume migration, it calls Nova's swap-volume
API to detach the old volume that we're migrating from and attach
the volume that we're migrating to. Then Nova calls Cinder's
migrate_volume_completion API to signal Nova is done and Cinder
can finish the volume migration.

The problem is that swap-volume is not an admin-only API in Nova
per the default policy. So if a non-admin user tries to perform
a swap-volume operation, it will fail with a 403 when calling
Cinder's migrate_volume_completion API, since that requires an
admin user.

Also, because of 98739761f1 we can't
simply avoid calling migrate_volume_completion for non-migration
cases because that API handles the actual detach/attach for the old
and new volumes, swap-volume is broken without calling that.

So given swap-volume relies on an admin-only Cinder API, and is called
from an admin-only Cinder operation (volume migration), we should
just make it default to admin-only also.

Change-Id: Iac03258735f3d856a474ab96fe9b0a087e32906f
Closes-Bug: #1522705

doc/source/support-matrix.ini

@@ -498,13 +498,14 @@ driver-impl-libvirt-vz-ct=complete
 [operation.swap-volume]
 title=Swap block volumes
 status=optional
-notes=The swap volume operation is a mechanism for changing running
+notes=The swap volume operation is a mechanism for changing a running
   instance so that its attached volume(s) are backed by different
   storage in the host. An alternative to this would be to simply
   terminate the existing instance and spawn a new instance with the
   new storage. In other words this operation is primarily targeted towards
-  the pet use case rather than cattle. Therefore this is considered
-  optional to support.
+  the pet use case rather than cattle, however, it is required for volume
+  migration to work in the volume service. This is considered optional to
+  support.
 cli=
 driver-impl-xenserver=missing
 driver-impl-libvirt-kvm-x86=complete

etc/nova/policy.json

@@ -46,7 +46,7 @@
 
     "compute:attach_volume": "rule:admin_or_owner",
     "compute:detach_volume": "rule:admin_or_owner",
-    "compute:swap_volume": "rule:admin_or_owner",
+    "compute:swap_volume": "rule:admin_api",
 
     "compute:attach_interface": "rule:admin_or_owner",
     "compute:detach_interface": "rule:admin_or_owner",
@@ -190,7 +190,7 @@
     "compute_extension:volume_attachments:index": "rule:admin_or_owner",
     "compute_extension:volume_attachments:show": "rule:admin_or_owner",
     "compute_extension:volume_attachments:create": "rule:admin_or_owner",
-    "compute_extension:volume_attachments:update": "rule:admin_or_owner",
+    "compute_extension:volume_attachments:update": "rule:admin_api",
     "compute_extension:volume_attachments:delete": "rule:admin_or_owner",
     "compute_extension:volumetypes": "rule:admin_or_owner",
     "compute_extension:availability_zone:list": "rule:admin_or_owner",
@@ -473,7 +473,7 @@
     "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
     "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
     "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner",
-    "os_compute_api:os-volumes-attachments:update": "rule:admin_or_owner",
+    "os_compute_api:os-volumes-attachments:update": "rule:admin_api",
     "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner",
     "os_compute_api:os-volumes-attachments:discoverable": "@",
     "os_compute_api:os-availability-zone:list": "rule:admin_or_owner",

nova/tests/unit/test_policy.py

@@ -247,6 +247,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "compute:unlock_override",
 "compute:get_all_tenants",
 "compute:create:forced_host",
+"compute:swap_volume",
 "compute_extension:accounts",
 "compute_extension:admin_actions",
 "compute_extension:admin_actions:resetNetwork",
@@ -296,6 +297,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "compute_extension:os-assisted-volume-snapshots:delete",
 "compute_extension:console_auth_tokens",
 "compute_extension:os-server-external-events:create",
+"compute_extension:volume_attachments:update",
 "os_compute_api:servers:create:forced_host",
 "os_compute_api:servers:detail:get_all_tenants",
 "os_compute_api:servers:index:get_all_tenants",
@@ -364,6 +366,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-console-auth-tokens",
 "os_compute_api:os-quota-class-sets:update",
 "os_compute_api:os-server-external-events:create",
+"os_compute_api:os-volumes-attachments:update",
 "os_compute_api:servers:migrations:index",
 "os_compute_api:servers:migrations:show",
 )
@@ -456,7 +459,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "compute:set_admin_password",
 "compute:snapshot",
 "compute:suspend",
-"compute:swap_volume",
 "compute:unpause",
 "compute:unrescue",
 "compute:update",
@@ -528,7 +530,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "compute_extension:volume_attachments:index",
 "compute_extension:volume_attachments:show",
 "compute_extension:volume_attachments:create",
-"compute_extension:volume_attachments:update",
 "compute_extension:volume_attachments:delete",
 "compute_extension:volumetypes",
 "compute_extension:availability_zone:list",
@@ -617,7 +618,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-volumes-attachments:index",
 "os_compute_api:os-volumes-attachments:show",
 "os_compute_api:os-volumes-attachments:create",
-"os_compute_api:os-volumes-attachments:update",
 "os_compute_api:os-volumes-attachments:delete",
 "os_compute_api:os-availability-zone:list",
 )

releasenotes/notes/swap-volume-policy-9464e97aba12d1e0.yaml

@@ -0,0 +1,8 @@
+---
+upgrade:
+  - The default policy for updating volume attachments, commonly referred to as
+    swap volume, has been changed from ``rule:admin_or_owner`` to
+    ``rule:admin_api``. This is because it is called from the volume service
+    when migrating volumes, which is an admin-only operation by default, and
+    requires calling an admin-only API in the volume service upon completion.
+    So by default it would not work for non-admins.