Make VolumeTypeExtraSpecsController policy more granular

Change VolumeTypeExtraSpecsController to pass the action on authorize for create, delete, index, show, update. Change the policy files to include rules for types_extra_specs create, delete, index, show, update. This review adds a release note for the code change that merged with https://review.openstack.org/#/c/483037/ Closes-Bug: #1703933 Change-Id: I84983d9967579d4556b81ba705b5437ffdb53407
2017-07-24 14:55:30 -05:00 · 2017-07-24 14:55:30 -05:00 · 46d9b40911
parent 2e03e0953c
commit 46d9b40911
1 changed files with 16 additions and 0 deletions
--- a/releasenotes/notes/type-extra-spec-policies-b7742b0ac2732864.yaml
+++ b/releasenotes/notes/type-extra-spec-policies-b7742b0ac2732864.yaml
@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    When managing volume types an OpenStack provider is now given more control to grant
+    access to for different storage type operations. The provider can now customize access
+    to type create, delete, update, list, and show using new entries in the cinder policy file.
+
+    As an example one provider may have roles called viewer, admin, type_viewer, and say
+    type_admin. Admin and type_admin can create, delete, update types. Everyone can list
+    the storage types. Admin, type_viewer, and type_admin can view the extra_specs.
+
+    "volume_extension:types_extra_specs:create": "rule:admin or rule:type_admin",
+    "volume_extension:types_extra_specs:delete": "rule:admin or rule:type_admin",
+    "volume_extension:types_extra_specs:index": "",
+    "volume_extension:types_extra_specs:show": "rule:admin or rule:type_admin or rule:type_viewer",
+    "volume_extension:types_extra_specs:update": "rule:admin or rule:type_admin"