Correct group:reset_group_snapshot_status policy

The default value for the group:reset_group_snapshot_status policy,
which governs the Block Storage API call "Reset group snapshot
status" [0], was changed to admin-or-owner during refactoring for the
policy-in-code initiative in Queens [1].  Consensus at the Wallaby
R-18 mid-cycle was that this change was a mistake that should be
corrected [2].

[0] https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status
[1] https://review.opendev.org/c/openstack/cinder/+/507812
[2] https://wiki.openstack.org/wiki/CinderWallabyMidCycleSummary#consistent_and_secure_policies

Change-Id: I7875d365bb73dd80ecbe30c4801599b6f781cc39
Closes-bug: #1908315
(cherry picked from commit 1631742f43)
(cherry picked from commit 1941ecc6d4)
(cherry picked from commit 6c399a8b0d)
(cherry picked from commit f6d256cf1f)
(cherry picked from commit 83b4c1144c)
Brian Rosmaita 2020-12-15 17:20:22 -05:00
parent 1d1ab08124
commit cdcf7b5f8b
2 changed files with 39 additions and 1 deletions


@ -24,7 +24,7 @@ RESET_STATUS = 'group:reset_group_snapshot_status'
group_snapshot_actions_policies = [
policy.DocumentedRuleDefault(
name=RESET_STATUS,
check_str=base.RULE_ADMIN_OR_OWNER,
check_str=base.RULE_ADMIN_API,
description="Reset status of group snapshot.",
operations=[
{
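Review bot: No test accompanies the new default on the check_str line, where base.RULE_ADMIN_OR_OWNER becomes base.RULE_ADMIN_API; the commit summary lists only 2 changed files, and the other one is the release note. The commit message says this default was changed by mistake during the Queens refactoring, so a policy test asserting that a non-admin project owner is denied group:reset_group_snapshot_status while an admin is allowed would keep a later refactor from flipping it back unnoticed.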


@ -0,0 +1,38 @@
---
upgrade:
- |
This release contains a fix for `Bug #1908315
<https://bugs.launchpad.net/cinder/+bug/1908315>`_, which changes the
default value of the policy governing the Block Storage API action
`Reset group snapshot status
<https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status>`_
to make the action administrator-only. This policy was inadvertently
changed to be admin-or-owner during the Queens development cycle.
The policy is named ``group:reset_group_snapshot_status``.
* If you have a custom value for this policy in your cinder policy
configuration file, this change to the default value will not affect
you.
* If you have been aware of this regression and like the current
(incorrect) behavior, you may add the following line to your cinder
policy configuration file to restore that behavior::
"group:reset_group_snapshot_status": "rule:admin_or_owner"
This setting is *not recommended* by the Cinder project team, as it
may allow end users to put a group snapshot into an invalid status with
indeterminate consequences.
For more information about the cinder policy configuration file, see the
`policy.yaml
<https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/policy.yaml.html>`_
section of the Cinder Configuration Guide.
fixes:
- |
`Bug #1908315 <https://bugs.launchpad.net/cinder/+bug/1908315>`_: Corrected
the default checkstring for the ``group:reset_group_snapshot_status``
policy to make it admin-only. This policy governs the Block Storage API
action `Reset group snapshot status
<https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status>`_,
which by default is supposed to be an adminstrator-only action.
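Review bot: Typo in the last line of the fixes entry: "adminstrator-only" should read "administrator-only", which is how the upgrade entry spells it. Release notes are published verbatim, so it is worth fixing before this is cherry-picked further.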