Previously, the services extension used the generic authorization check
"volume_extension:services" for both the index and update APIs.
This change creates separate rules for index and update APIs
so that it is possible to assign different rules to different users.
The sample /etc/cinder/policy.json is also updated to include new rules:
"volume_extension:services:index": "",
"volume_extension:services:update" : "rule:admin_api"
Change-Id: Ib57171f5011210861478590bbdfc30cce25e62b4
Closes-Bug: #
1471995
Closes-Bug: #
1471999
Filter by host & service name.
"""
context = req.environ['cinder.context']
- authorize(context)
+ authorize(context, action='index')
detailed = self.ext_mgr.is_loaded('os-extended-services')
now = timeutils.utcnow()
services = db.service_get_all(context)
def update(self, req, id, body):
"""Enable/Disable scheduling for a service."""
context = req.environ['cinder.context']
- authorize(context)
+ authorize(context, action='update')
ext_loaded = self.ext_mgr.is_loaded('os-extended-services')
ret_val = {}
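Review bot: The old `volume_extension:services` rule is no longer consulted once `authorize(context, action='index')` and `authorize(context, action='update')` are in place, so a deployment that upgrades the code but keeps its existing policy file has no entry for either action. How a missing rule is evaluated is not visible here; presumably it falls back to the policy file's default rule, which may be looser than the `rule:admin_api` the old key carried, so this should be confirmed and called out in the upgrade notes. A comment above each call, for example `# Policy: volume_extension:services:update (replaces volume_extension:services)`, would help operators map the rename. Both method bodies continue outside the visible lines, and the definition of `authorize` is not shown, so its handling of `action` cannot be checked from this page.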
"volume_extension:quotas:update": "",
"volume_extension:quotas:delete": "",
"volume_extension:quota_classes": "",
+ "volume_extension:services:index": "",
+ "volume_extension:services:update" : "rule:admin_api",
"volume_extension:volume_manage": "rule:admin_api",
"volume_extension:volume_unmanage": "rule:admin_api",
"volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
"volume_extension:volume_mig_status_attribute": "rule:admin_api",
"volume_extension:hosts": "rule:admin_api",
- "volume_extension:services": "rule:admin_api",
+ "volume_extension:services:index": "",
+ "volume_extension:services:update" : "rule:admin_api",
"volume_extension:volume_manage": "rule:admin_api",
"volume_extension:volume_unmanage": "rule:admin_api",
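Review bot: The sample policy loosens service listing from admin-only to unrestricted. The removed `"volume_extension:services": "rule:admin_api"` covered both APIs, while the added `"volume_extension:services:index": ""` is an empty rule that the policy engine treats as always allowed. The commit description promises only that the two rules become separable, not that the default for index changes. Because index returns the result of `db.service_get_all(context)`, every authenticated tenant could then enumerate back-end services, so I would keep the previous default with `"volume_extension:services:index": "rule:admin_api",` and let operators relax it deliberately. The preceding policy hunk adds the same two entries; if that file is a deployable sample rather than a test fixture, the same applies there.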