review.fuel-infra Code Review - openstack-build/cinder-build.git/commit
Permit volume type operations for policy authorized users
author Mitsuhiro Tanino <mitsuhiro.tanino@hds.com>, Fri, 29 Jan 2016 17:48:33 +0000 (12:48 -0500)
committer Mitsuhiro Tanino <mitsuhiro.tanino@hds.com>, Thu, 10 Mar 2016 16:55:14 +0000 (11:55 -0500)
commit 4ccd1bd15100b7046e634323e55ad610ef52e0ab
tree 134204da638ffb8b992c5bdeac9e1b3b9c262059
parent b043410f3921c6f1246fd34ebb5fc26b62a6e427
Permit volume type operations for policy authorized users

Currently, the following volume type operations are not
permitted for non-admin users because these db operations
require admin context.

* create
* update
* delete
* type-access-add
* type-access-remove

In order to allow a cloud operator to use the policy based
user access control for these operations, a context during
these operations should be elevated before db operations.

After applying this change, the cloud operator can manage
policy for volume type operations like this.

1. To permit volume type operations for a specific user,
   add "storage_type_admin" role.

2. Add "admin_or_storage_type_admin" rule to policy.json.
   "admin_or_storage_type_admin":
       "is_admin:True or role:storage_type_admin",

3. Modify rule for types_manage.
   "volume_extension:types_manage":
       "rule:admin_or_storage_type_admin",

Change-Id: I1e91ad6573f78cfa35c36209944ea1d074a17604
Closes-Bug: #1538305
cinder/tests/unit/api/contrib/test_types_manage.py
cinder/tests/unit/test_volume_types.py
cinder/volume/volume_types.py
releasenotes/notes/permit_volume_type_operations-b2e130fd7088f335.yaml [new file with mode: 0644]
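
The gap this commit message describes, as an added example that is not code from the Cinder change: a policy rule can authorize a non-admin role at the API layer while the DB layer still demands an admin context, so the context has to be elevated after the policy check. Only the two rule strings come from the commit message; the evaluator, `Context`, `db_volume_type_create` and `create_type` are hypothetical stand-ins.

```python
from dataclasses import dataclass, replace

# Rules as given in the commit message (policy.json entries).
POLICY = {
    "admin_or_storage_type_admin": "is_admin:True or role:storage_type_admin",
    "volume_extension:types_manage": "rule:admin_or_storage_type_admin",
}

@dataclass(frozen=True)
class Context:  # hypothetical stand-in for a request context
    user: str
    roles: tuple = ()
    is_admin: bool = False

    def elevated(self):
        # Admin copy for the DB call only; the caller's own context is unchanged.
        return replace(self, is_admin=True)

def check(rule, ctx, policy=POLICY):
    """Minimal evaluator for the 'a or b' / kind:value subset used above."""
    for term in policy[rule].split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "rule" and check(value, ctx, policy):
            return True
        if kind == "role" and value in ctx.roles:
            return True
        if kind == "is_admin" and ctx.is_admin == (value == "True"):
            return True
    return False

def db_volume_type_create(ctx, name, store):
    # Hypothetical DB layer that insists on an admin context.
    if not ctx.is_admin:
        raise PermissionError("admin context required")
    store.append(name)

def create_type(ctx, name, store, elevate=True):
    # Policy is enforced first, on the caller's real (unelevated) context.
    # Elevating before this check would let any user pass an is_admin rule.
    if not check("volume_extension:types_manage", ctx):
        raise PermissionError("policy does not allow types_manage")
    db_volume_type_create(ctx.elevated() if elevate else ctx, name, store)
    return name
```

With `elevate=False` the call reproduces the behaviour before the change: the role passes the policy check and is then rejected by the DB layer.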