cinder/doc/source/admin/blockstorage-user-visible-extra-specs.rst
Alan Bishop 0842127116 Implement user visible extra specs
The following volume type extra specs are now visible to regular
users (non-administrators):
- RESKEY:availability_zones
- multiattach
- replication_enabled

The list is defined in the code, and is not configurable.

Regular users may view these user visible specs, and use them as a
filter when listing volume types, but access is essentially read-only.
Only cloud administrators are authorized to create or modify extra
specs, including the user visible ones.

The feature works by relaxing a few policies that were previously
admin-only, and adds a new volume_extension:types_extra_specs:read_sensitive
policy that limits access to all other (non-user visible) specs so
that only cloud administrators can see them.

DocImpact

Implements: bp expose-user-visible-extra-specs
Change-Id: I5434ea4199cce8158b75771fb6127be001baf328
2021-09-02 09:16:13 -07:00

8.1 KiB

User visible extra specs

Starting in Xena, certain volume type extra specs (i.e. properties) are considered user visible, meaning their visibility is not restricted to only cloud administrators. This feature provides regular users with more information about the volume types available to them, and lets them make more informed decisions on which volume type to choose when creating volumes.

The following extra spec keys are treated as user visible:

  • RESKEY:availability_zones
  • multiattach
  • replication_enabled

Note

  • The set of user visible extra specs is a fixed list that is not configurable.
  • The feature is entirely policy based, and does not require a new microversion.

Behavior using openstack client

Consider the following volume type, as viewed from an administrator's perspective. In this example, multiattach is a user visible extra spec and volume_backend_name is not.

# Administrator behavior
[admin@host]$ openstack volume type show vol_type
+--------------------+-------------------------------------------------------+
| Field              | Value                                                 |
+--------------------+-------------------------------------------------------+
| access_project_ids | None                                                  |
| description        | None                                                  |
| id                 | d03a0f33-e695-4f5c-b712-7d92abbf72be                  |
| is_public          | True                                                  |
| name               | vol_type                                              |
| properties         | multiattach='<is> True', volume_backend_name='secret' |
| qos_specs_id       | None                                                  |
+--------------------+-------------------------------------------------------+

Here is the output when a regular user executes the same command. Notice only the user visible multiattach property is listed.

# Regular user behavior
[user@host]$ openstack volume type show vol_type
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| access_project_ids | None                                 |
| description        | None                                 |
| id                 | d03a0f33-e695-4f5c-b712-7d92abbf72be |
| is_public          | True                                 |
| name               | vol_type                             |
| properties         | multiattach='<is> True'              |
+--------------------+--------------------------------------+

The behavior for listing volume types is similar. Administrators will see all extra specs but regular users will see only user visible extra specs.

# Administrator behavior
[admin@host]$ openstack volume type list --long
+--------------------------------------+-------------+-----------+---------------------+-------------------------------------------------------+
| ID                                   | Name        | Is Public | Description         | Properties                                            |
+--------------------------------------+-------------+-----------+---------------------+-------------------------------------------------------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type    | True      | None                | multiattach='<is> True', volume_backend_name='secret' |
| 80f38273-f4b9-4862-a4e6-87692eb66a96 | __DEFAULT__ | True      | Default Volume Type |                                                       |
+--------------------------------------+-------------+-----------+---------------------+-------------------------------------------------------+

# Regular user behavior
[user@host]$ openstack volume type list --long
+--------------------------------------+-------------+-----------+---------------------+-------------------------+
| ID                                   | Name        | Is Public | Description         | Properties              |
+--------------------------------------+-------------+-----------+---------------------+-------------------------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type    | True      | None                | multiattach='<is> True' |
| 80f38273-f4b9-4862-a4e6-87692eb66a96 | __DEFAULT__ | True      | Default Volume Type |                         |
+--------------------------------------+-------------+-----------+---------------------+-------------------------+

Regular users may view these properties, but they may not modify them. Attempts to modify a user visible property by a non-administrator will fail.

[user@host]$ openstack volume type set --property multiattach='<is> False' vol_type
Failed to set volume type property: Policy doesn't allow
volume_extension:types_extra_specs:create to be performed. (HTTP 403)

Filtering with extra specs

API microversion 3.52 adds support for using extra specs to filter the list of volume types. Regular users are able to use that feature to filter for user visible extra specs. If a regular user attempts to filter on a non-user visible extra spec then an empty list is returned.

# Administrator behavior
[admin@host]$ cinder --os-volume-api-version 3.52 type-list \
> --filters extra_specs={"multiattach":"<is> True"}
+--------------------------------------+----------+-------------+-----------+
| ID                                   | Name     | Description | Is_Public |
+--------------------------------------+----------+-------------+-----------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type | -           | True      |
+--------------------------------------+----------+-------------+-----------+

[admin@host]$ cinder --os-volume-api-version 3.52 type-list \
> --filters extra_specs={"volume_backend_name":"secret"}
+--------------------------------------+----------+-------------+-----------+
| ID                                   | Name     | Description | Is_Public |
+--------------------------------------+----------+-------------+-----------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type | -           | True      |
+--------------------------------------+----------+-------------+-----------+

# Regular user behavior
[user@host]$ cinder --os-volume-api-version 3.52 type-list \
> --filters extra_specs={"multiattach":"<is> True"}
+--------------------------------------+----------+-------------+-----------+
| ID                                   | Name     | Description | Is_Public |
+--------------------------------------+----------+-------------+-----------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type | -           | True      |
+--------------------------------------+----------+-------------+-----------+

[user@host]$ cinder --os-volume-api-version 3.52 type-list \
> --filters extra_specs={"volume_backend_name":"secret"}
+----+------+-------------+-----------+
| ID | Name | Description | Is_Public |
+----+------+-------------+-----------+
+----+------+-------------+-----------+

Security considerations

Cloud administrators who do not wish to expose any extra specs to regular users may restore the previous behavior by setting the following policies to their pre-Xena default values.

"volume_extension:access_types_extra_specs": "rule:admin_api"
"volume_extension:types_extra_specs:index": "rule:admin_api"
"volume_extension:types_extra_specs:show": "rule:admin_api"

To restrict regular users from using extra specs to filter the list of volume types, modify /etc/cinder/resource_filters.json to restore the "volume_type" entry to its pre-Xena default value.

"volume_type": ["is_public"]