Merge "Make swap-volume an admin-only API by default"
commit
a03fc2325c
|
@ -498,13 +498,14 @@ driver-impl-libvirt-vz-ct=complete
|
|||
[operation.swap-volume]
|
||||
title=Swap block volumes
|
||||
status=optional
|
||||
notes=The swap volume operation is a mechanism for changing running
|
||||
notes=The swap volume operation is a mechanism for changing a running
|
||||
instance so that its attached volume(s) are backed by different
|
||||
storage in the host. An alternative to this would be to simply
|
||||
terminate the existing instance and spawn a new instance with the
|
||||
new storage. In other words this operation is primarily targeted towards
|
||||
the pet use case rather than cattle. Therefore this is considered
|
||||
optional to support.
|
||||
the pet use case rather than cattle, however, it is required for volume
|
||||
migration to work in the volume service. This is considered optional to
|
||||
support.
|
||||
cli=
|
||||
driver-impl-xenserver=missing
|
||||
driver-impl-libvirt-kvm-x86=complete
|
||||
|
|
|
@ -46,7 +46,7 @@
|
|||
|
||||
"compute:attach_volume": "rule:admin_or_owner",
|
||||
"compute:detach_volume": "rule:admin_or_owner",
|
||||
"compute:swap_volume": "rule:admin_or_owner",
|
||||
"compute:swap_volume": "rule:admin_api",
|
||||
|
||||
"compute:attach_interface": "rule:admin_or_owner",
|
||||
"compute:detach_interface": "rule:admin_or_owner",
|
||||
|
@ -190,7 +190,7 @@
|
|||
"compute_extension:volume_attachments:index": "rule:admin_or_owner",
|
||||
"compute_extension:volume_attachments:show": "rule:admin_or_owner",
|
||||
"compute_extension:volume_attachments:create": "rule:admin_or_owner",
|
||||
"compute_extension:volume_attachments:update": "rule:admin_or_owner",
|
||||
"compute_extension:volume_attachments:update": "rule:admin_api",
|
||||
"compute_extension:volume_attachments:delete": "rule:admin_or_owner",
|
||||
"compute_extension:volumetypes": "rule:admin_or_owner",
|
||||
"compute_extension:availability_zone:list": "rule:admin_or_owner",
|
||||
|
@ -479,7 +479,7 @@
|
|||
"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
|
||||
"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
|
||||
"os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner",
|
||||
"os_compute_api:os-volumes-attachments:update": "rule:admin_or_owner",
|
||||
"os_compute_api:os-volumes-attachments:update": "rule:admin_api",
|
||||
"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner",
|
||||
"os_compute_api:os-volumes-attachments:discoverable": "@",
|
||||
"os_compute_api:os-availability-zone:list": "rule:admin_or_owner",
|
||||
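Review bot: The three keys switched to `rule:admin_api` in this section (`compute:swap_volume`, `compute_extension:volume_attachments:update` and `os_compute_api:os-volumes-attachments:update`) all appear to gate the same swap-volume operation, yet the upgrade note added at the end of this commit only speaks of "the default policy for updating volume attachments" and names none of them. A deployment that carries its own copy of this policy file will presumably keep `rule:admin_or_owner` for these keys after upgrading, so operators need the exact names to audit their overrides and keep all three in step. JSON leaves no room for a comment next to the rules, so I would extend the release note with a sentence such as `The affected policy keys are compute:swap_volume, compute_extension:volume_attachments:update and os_compute_api:os-volumes-attachments:update; review any local overrides of them.`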
|
|
|
@ -247,6 +247,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"compute:unlock_override",
|
||||
"compute:get_all_tenants",
|
||||
"compute:create:forced_host",
|
||||
"compute:swap_volume",
|
||||
"compute_extension:accounts",
|
||||
"compute_extension:admin_actions",
|
||||
"compute_extension:admin_actions:resetNetwork",
|
||||
|
@ -296,6 +297,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"compute_extension:os-assisted-volume-snapshots:delete",
|
||||
"compute_extension:console_auth_tokens",
|
||||
"compute_extension:os-server-external-events:create",
|
||||
"compute_extension:volume_attachments:update",
|
||||
"os_compute_api:servers:create:forced_host",
|
||||
"os_compute_api:servers:detail:get_all_tenants",
|
||||
"os_compute_api:servers:index:get_all_tenants",
|
||||
|
@ -364,6 +366,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"os_compute_api:os-console-auth-tokens",
|
||||
"os_compute_api:os-quota-class-sets:update",
|
||||
"os_compute_api:os-server-external-events:create",
|
||||
"os_compute_api:os-volumes-attachments:update",
|
||||
"os_compute_api:servers:migrations:index",
|
||||
"os_compute_api:servers:migrations:show",
|
||||
)
|
||||
|
@ -456,7 +459,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"compute:set_admin_password",
|
||||
"compute:snapshot",
|
||||
"compute:suspend",
|
||||
"compute:swap_volume",
|
||||
"compute:unpause",
|
||||
"compute:unrescue",
|
||||
"compute:update",
|
||||
|
@ -528,7 +530,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"compute_extension:volume_attachments:index",
|
||||
"compute_extension:volume_attachments:show",
|
||||
"compute_extension:volume_attachments:create",
|
||||
"compute_extension:volume_attachments:update",
|
||||
"compute_extension:volume_attachments:delete",
|
||||
"compute_extension:volumetypes",
|
||||
"compute_extension:availability_zone:list",
|
||||
|
@ -617,7 +618,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"os_compute_api:os-volumes-attachments:index",
|
||||
"os_compute_api:os-volumes-attachments:show",
|
||||
"os_compute_api:os-volumes-attachments:create",
|
||||
"os_compute_api:os-volumes-attachments:update",
|
||||
"os_compute_api:os-volumes-attachments:delete",
|
||||
"os_compute_api:os-availability-zone:list",
|
||||
)
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
upgrade:
|
||||
- The default policy for updating volume attachments, commonly referred to as
|
||||
swap volume, has been changed from ``rule:admin_or_owner`` to
|
||||
``rule:admin_api``. This is because it is called from the volume service
|
||||
when migrating volumes, which is an admin-only operation by default, and
|
||||
requires calling an admin-only API in the volume service upon completion.
|
||||
So by default it would not work for non-admins.
|