Currently, the following volume type operations are not
permitted for non-admin users because these db operations
require admin context.
* create
* update
* delete
* type-access-add
* type-access-remove
In order to allow a cloud operator to use the policy-based
user access control for these operations, the context during
these operations should be elevated before the db operations.
After applying this change, the cloud operator can manage
policy for volume type operations like this.
1. To permit volume type operations for a specific user,
add the "storage_type_admin" role.
2. Add "admin_or_storage_type_admin" rule to policy.json.
"admin_or_storage_type_admin":
"is_admin:True or role:storage_type_admin",
3. Modify rule for types_manage.
"volume_extension:types_manage":
"rule:admin_or_storage_type_admin",
Change-Id: I1e91ad6573f78cfa35c36209944ea1d074a17604
Closes-Bug: #1538305
15 lines
758 B
YAML
---
fixes:
  - |
    Enabled a cloud operator to correctly manage policy for
    volume type operations. To permit volume type operations
    for a specific user, you can for example do as follows.

    * Add ``storage_type_admin`` role.
    * Add ``admin_or_storage_type_admin`` rule to ``policy.json``, e.g.
      ``"admin_or_storage_type_admin": "is_admin:True or role:storage_type_admin",``
    * Modify rule for types_manage and volume_type_access, e.g.
      ``"volume_extension:types_manage": "rule:admin_or_storage_type_admin",
      "volume_extension:volume_type_access:addProjectAccess": "rule:admin_or_storage_type_admin",
      "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_or_storage_type_admin",``
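The following script is an added illustration of the policy change described in the commit message and in the release note; it is not part of this commit and not Cinder's or oslo.policy's code. It loads two constructed ``policy.json`` fragments, the admin-only "before" state and the ``admin_or_storage_type_admin`` "after" state from the release note, and evaluates them with a deliberately small evaluator that understands only the ``is_admin:``, ``role:``, ``rule:``, ``and`` and ``or`` constructs those snippets use. The ``admin_api`` rule name, the three credential sets and the ``loop`` rule used to show the recursion guard are assumptions made for the example. The point a practitioner should take from it: once the context is elevated before the db operations, ``policy.json`` is the only gate, so a user holding ``storage_type_admin`` gets every create/update/delete and type-access operation on all volume types, while a plain member is still denied.

```python
import json
import re

# Constructed policy.json fragments (example data, not the project's own file).
# "before": only admins may manage volume types; "admin_api" is an assumed rule name.
POLICY_BEFORE = json.loads("""
{
    "admin_api": "is_admin:True",
    "volume_extension:types_manage": "rule:admin_api",
    "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
    "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api"
}
""")

# "after": the operator change from the release note, applied to the same three targets.
POLICY_AFTER = json.loads("""
{
    "admin_api": "is_admin:True",
    "admin_or_storage_type_admin": "is_admin:True or role:storage_type_admin",
    "volume_extension:types_manage": "rule:admin_or_storage_type_admin",
    "volume_extension:volume_type_access:addProjectAccess": "rule:admin_or_storage_type_admin",
    "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_or_storage_type_admin"
}
""")

VOLUME_TYPE_ACTIONS = (
    "volume_extension:types_manage",
    "volume_extension:volume_type_access:addProjectAccess",
    "volume_extension:volume_type_access:removeProjectAccess",
)

# Constructed credential dicts standing in for a request context.
ADMIN = {"is_admin": True, "roles": ["admin"]}
TYPE_ADMIN = {"is_admin": False, "roles": ["member", "storage_type_admin"]}
MEMBER = {"is_admin": False, "roles": ["member"]}


class MiniEnforcer:
    """Tiny evaluator for the policy subset used on this page (not oslo.policy).

    Grammar: expr := conjunct ("or" conjunct)*; conjunct := check ("and" check)*;
    check := "@" | "!" | "is_admin:<bool>" | "role:<name>" | "rule:<name>".
    """

    MAX_DEPTH = 8  # guard against "rule:" chains that reference themselves

    def __init__(self, rules):
        self.rules = rules

    def enforce(self, target, creds):
        """Return True if `creds` may perform `target`; unknown targets are denied."""
        expr = self.rules.get(target)
        return False if expr is None else self._eval(expr, creds, 0)

    def _eval(self, expr, creds, depth):
        if depth > self.MAX_DEPTH:
            raise ValueError("rule reference nesting too deep (cycle?)")
        # "and" binds tighter than "or": any disjunct whose checks all pass grants.
        for disjunct in re.split(r"\s+or\s+", expr.strip()):
            checks = re.split(r"\s+and\s+", disjunct)
            if all(self._check(c.strip(), creds, depth) for c in checks):
                return True
        return False

    def _check(self, check, creds, depth):
        if check == "@":
            return True
        if check == "!":
            return False
        kind, _, value = check.partition(":")
        if kind == "rule":
            expr = self.rules.get(value)
            return False if expr is None else self._eval(expr, creds, depth + 1)
        if kind == "is_admin":
            return str(bool(creds.get("is_admin", False))) == value
        if kind == "role":
            return value in creds.get("roles", ())
        raise ValueError(f"unsupported check {check!r}")


def allowed_actions(policy, creds):
    """Set of volume type actions that `policy` grants to `creds`."""
    enforcer = MiniEnforcer(policy)
    return {a for a in VOLUME_TYPE_ACTIONS if enforcer.enforce(a, creds)}


if __name__ == "__main__":
    for name, creds in (("admin", ADMIN), ("storage_type_admin", TYPE_ADMIN), ("member", MEMBER)):
        print(f"{name:20} before: {sorted(allowed_actions(POLICY_BEFORE, creds))}")
        print(f"{name:20} after:  {sorted(allowed_actions(POLICY_AFTER, creds))}")
```

Run it as a script to see the before/after grant table for each credential set. The evaluator treats an unknown target or an unknown ``rule:`` reference as deny and raises on deeply nested references, which is the conservative behaviour to want when an operator hand-edits ``policy.json``; a typo in the rule name quietly denies rather than quietly grants.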