From 7bd2950ad53603457f539d7afa54c710137313fc Mon Sep 17 00:00:00 2001
From: Gerald McBrearty
Date: Mon, 24 Jul 2017 14:55:30 -0500
Subject: [PATCH] Make VolumeTypeExtraSpecsController policy more granular
Change VolumeTypeExtraSpecsController to pass the action on authorize for create, delete, index, show, update. Change the policy files to include rules for types_extra_specs create, delete, index, show, update. This review adds a release note for the code change that merged with https://review.openstack.org/#/c/483037/
Closes-Bug: #1703933
Change-Id: I84983d9967579d4556b81ba705b5437ffdb53407
---
...ype-extra-spec-policies-b7742b0ac2732864.yaml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 releasenotes/notes/type-extra-spec-policies-b7742b0ac2732864.yaml
diff --git a/releasenotes/notes/type-extra-spec-policies-b7742b0ac2732864.yaml b/releasenotes/notes/type-extra-spec-policies-b7742b0ac2732864.yaml
new file mode 100644
index 00000000000..58b0a9860a8
--- /dev/null
+++ b/releasenotes/notes/type-extra-spec-policies-b7742b0ac2732864.yaml
@@ -0,0 +1,16 @@
+---
+upgrade:
+ - |
+ When managing volume types an OpenStack provider is now given more control to grant
+ access to for different storage type operations. The provider can now customize access
+ to type create, delete, update, list, and show using new entries in the cinder policy file.
+
+ As an example one provider may have roles called viewer, admin, type_viewer, and say
+ type_admin. Admin and type_admin can create, delete, update types. Everyone can list
+ the storage types. Admin, type_viewer, and type_admin can view the extra_specs.
+
+ "volume_extension:types_extra_specs:create": "rule:admin or rule:type_admin",
+ "volume_extension:types_extra_specs:delete": "rule:admin or rule:type_admin",
+ "volume_extension:types_extra_specs:index": "",
+ "volume_extension:types_extra_specs:show": "rule:admin or rule:type_admin or rule:type_viewer",
+ "volume_extension:types_extra_specs:update": "rule:admin or rule:type_admin"