openstack/cinder
Code Issues Proposed changes

api-ref: clarify retype docs around default policy permissions

Browse Source 
Cinder's default policy allows the owner of a volume to initiate
a retype, even if they aren't an admin. However, if the volume
is going to be migrated during the retype operation, then Cinder
is going to call the Nova swap volume API, which by default is
admin-only. So if a non-admin user tries to retype and migrate
their volume, which is attached to a server instance, then it's
going to fail with a 403 error from Nova.

En lieu of a more complete solution, like Cinder using an
elevated service token to call Nova, this change just attempts
to document the restriction in the API reference.

Change-Id: I6282a6d319beead979780a33880947987906c2f3
Related-Bug: #1698224
This commit is contained in:
Matt Riedemann 2017-06-15 18:19:46 -04:00
parent 9769c6c463
commit 622a0ff424
4 changed files with 22 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
api-ref/source/v2/parameters.yaml
View File

@ -973,8 +973,13 @@ metadata_items:
type: integer
migration_policy:
description: |
Specify if make migration when retyping volume, the value is 'on-demand'
or 'never'.
Specify if the volume should be migrated when it is re-typed.
Possible values are ``on-demand`` or ``never``. If not specified, the
default is ``never``.
.. note:: If the volume is attached to a server instance and will be
migrated, then by default policy only users with the administrative role
should attempt the retype operation.
in: body
required: false
type: string

4
api-ref/source/v2/volumes-v2-volumes-actions.inc
View File

@ -315,6 +315,10 @@ Change type of existing volume. Specify the ``os-retype`` action in the request
Change the volume type of existing volume, Cinder may migrate the volume to
proper volume host according to the new volume type.
Policy defaults enable only users with the administrative role or the owner of
the volume to perform this operation. Cloud providers can change these
permissions through the policy.json file.
Normal response codes: 202

9
api-ref/source/v3/parameters.yaml
View File

@ -1187,8 +1187,13 @@ metadata_items:
type: integer
migration_policy:
description: |
Specify if make migration when retyping volume, the value is 'on-demand'
or 'never'.
Specify if the volume should be migrated when it is re-typed.
Possible values are ``on-demand`` or ``never``. If not specified, the
default is ``never``.
.. note:: If the volume is attached to a server instance and will be
migrated, then by default policy only users with the administrative role
should attempt the retype operation.
in: body
required: false
type: string

4
api-ref/source/v3/volumes-v3-volumes-actions.inc
View File

@ -312,6 +312,10 @@ Change type of existing volume. Specify the ``os-retype`` action in the request
Change the volume type of existing volume, Cinder may migrate the volume to
proper volume host according to the new volume type.
Policy defaults enable only users with the administrative role or the owner of
the volume to perform this operation. Cloud providers can change these
permissions through the policy.json file.
Normal response codes: 202