Add policy in code documentation for os-set_bootable API

This patchset adds policy in code documentation for the os-set_bootable API action, which does not directly [0] enforce any policy. However, it does internally call volume update API via self.volumes_api.update() [1] which in turn enforces the update policy [2]. Thus os-set_bootable indirectly enforces this policy. This is a unique case where an API doesn't enforce something directly, yet where policy still matters for the API to pass successfully. [0] 52deeff8d2/cinder/api/contrib/volume_actions.py (L310) [1] 52deeff8d2/cinder/api/contrib/volume_actions.py (L321) [2] 52deeff8d2/cinder/volume/api.py (L535) Change-Id: I29d54fb391f4e9508d86fc93e84b4b02c1333da0
2018-07-04 02:11:05 -04:00 · 2018-07-04 02:11:05 -04:00 · 02eba89953
parent 1aa9231cb2
commit 02eba89953
1 changed files with 7 additions and 1 deletions
--- a/cinder/policies/volumes.py
+++ b/cinder/policies/volumes.py
@ -83,11 +83,17 @@ volumes_policies = [
    policy.DocumentedRuleDefault(
        name=UPDATE_POLICY,
        check_str=base.RULE_ADMIN_OR_OWNER,
-        description="Update volume.",
+        description="Update volume or update a volume's bootable status.",
        operations=[
            {
                'method': 'PUT',
                'path': '/volumes'
+            },
+            # The API below calls the volume update API internally, which in
+            # turn enforces the update policy.
+            {
+                'method': 'POST',
+                'path': '/volumes/{volume_id}/action (os-set_bootable)'
            }
        ]),
    policy.DocumentedRuleDefault(