4ccd1bd151
Currently, the following volume type operations are not permitted for non-admin users because these db operations require admin context.

* create
* update
* delete
* type-access-add
* type-access-remove

In order to allow a cloud operator to use the policy-based user access control for these operations, a context during these operations should be elevated before db operations.

After applying this change, the cloud operator can manage policy for volume type operations like this.

1. To permit volume type operations for a specific user, add "storage_type_admin" role.

2. Add "admin_or_storage_type_admin" rule to policy.json.

   "admin_or_storage_type_admin": "is_admin:True or role:storage_type_admin",

3. Modify rule for types_manage.

   "volume_extension:types_manage": "rule:admin_or_storage_type_admin",

Change-Id: I1e91ad6573f78cfa35c36209944ea1d074a17604
Closes-Bug: #1538305
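The policy.json procedure in the commit message, as an added example that is not part of this change or of Cinder's own code: a constructed before/after policy fragment, three constructed callers, and a deliberately minimal evaluator for the subset of the oslo.policy rule language these rules use (`is_admin:True`, `role:`, `rule:`, `or`/`and`). The evaluator, the `admin_api` rule name, the credential dictionaries and the `undefined_rule_references` helper are assumptions made for illustration; they are not oslo.policy's API. It shows that the same `types_manage` request is denied to the `storage_type_admin` holder before the rule change and permitted after it, while a plain member stays denied, and it catches a dangling `rule:` reference, the typo that silently denies everyone.

```python
import json
import re

# Constructed policy.json fragments (not taken from a real deployment): the
# admin-only default beside the operator-managed rule the commit message
# describes. "admin_api" is assumed to be the existing admin-only rule.
POLICY_BEFORE = json.loads("""
{
    "admin_api": "is_admin:True",
    "volume_extension:types_manage": "rule:admin_api"
}
""")

POLICY_AFTER = json.loads("""
{
    "admin_api": "is_admin:True",
    "admin_or_storage_type_admin": "is_admin:True or role:storage_type_admin",
    "volume_extension:types_manage": "rule:admin_or_storage_type_admin",
    "volume_extension:volume_type_access:addProjectAccess": "rule:admin_or_storage_type_admin",
    "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_or_storage_type_admin"
}
""")

# Constructed request credentials, shaped like the fields these rules read.
ADMIN = {"is_admin": True, "roles": ["admin", "member"]}
TYPE_ADMIN = {"is_admin": False, "roles": ["member", "storage_type_admin"]}
MEMBER = {"is_admin": False, "roles": ["member"]}


def _check_atom(atom, creds):
    """Evaluate one 'kind:match' check (anything except 'rule:') against creds."""
    kind, _, match = atom.partition(":")
    if kind == "role":
        # Role checks are a case-insensitive membership test on the token's roles.
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic 'key:value' check, e.g. is_admin:True: compare the credential
    # value as a string, so a boolean True credential satisfies "True".
    return kind in creds and match == str(creds[kind])


def enforce(policy, target_rule, creds, _depth=0):
    """Return True if creds satisfy policy[target_rule].

    Simplified model (an assumption, not oslo.policy) of the rule language used
    on this page: 'rule:' references, 'role:' and generic 'key:value' atoms,
    joined by ' and ' / ' or ' without parentheses; 'and' binds tighter than
    'or'. An unknown target rule raises KeyError.
    """
    if _depth > 32:
        raise RecursionError("rule: reference cycle in policy")
    expr = policy[target_rule]
    for disjunct in re.split(r"\s+or\s+", expr.strip()):
        satisfied = True
        for atom in re.split(r"\s+and\s+", disjunct):
            if atom.startswith("rule:"):
                name = atom[len("rule:"):]
                # A reference to an undefined rule denies (fail closed) rather
                # than raising, so a typo in policy.json cannot widen access.
                satisfied = name in policy and enforce(policy, name, creds, _depth + 1)
            else:
                satisfied = _check_atom(atom, creds)
            if not satisfied:
                break
        if satisfied:
            return True
    return False


def undefined_rule_references(policy):
    """Return the sorted names referenced via 'rule:' that policy never defines."""
    missing = set()
    for expr in policy.values():
        for name in re.findall(r"rule:([\w.:-]+)", expr):
            if name not in policy:
                missing.add(name)
    return sorted(missing)


def who_may(policy, target_rule):
    """Map the three constructed callers to the decision a policy gives them."""
    callers = {"admin": ADMIN, "storage_type_admin": TYPE_ADMIN, "member": MEMBER}
    return {name: enforce(policy, target_rule, creds) for name, creds in callers.items()}


if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, "types_manage:", who_may(policy, "volume_extension:types_manage"))
    print("dangling rule: references:", undefined_rule_references(POLICY_AFTER))
```

Run `undefined_rule_references` against the edited policy.json before restarting cinder-api: because a `rule:` reference to a name that does not exist evaluates to deny, a misspelt `admin_or_storage_type_admin` in step 3 locks every caller, admins included, out of `types_manage` without any error in the file itself.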
15 lines
758 B
YAML
---
fixes:
  - |
    Enabled a cloud operator to correctly manage policy for
    volume type operations. To permit volume type operations
    for specific user, you can for example do as follows.

    * Add ``storage_type_admin`` role.

    * Add ``admin_or_storage_type_admin`` rule to ``policy.json``, e.g.

      ``"admin_or_storage_type_admin": "is_admin:True or role:storage_type_admin",``

    * Modify rule for types_manage and volume_type_access, e.g.

      ``"volume_extension:types_manage": "rule:admin_or_storage_type_admin",
      "volume_extension:volume_type_access:addProjectAccess": "rule:admin_or_storage_type_admin",
      "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_or_storage_type_admin",``
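Review bot: the third bullet wraps a single RST inline literal (opening ``` `` ``` on the `types_manage` line, closing ``` `` ``` two lines later) around three separate policy entries; inline literals do not span lines cleanly in reno's rendered notes, so this will render as broken markup. Use a literal block (end the bullet text with `::` and indent the three lines) or give each entry its own inline literal. Two smaller points: "for specific user" should read "for a specific user", and since `role:storage_type_admin` matches any caller whose token carries that role, the note should say the role grants volume type management to every user it is assigned to rather than to one specific user, so operators assign it sparingly.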