The following volume type extra specs are now visible to regular users (non-administrators): - RESKEY:availability_zones - multiattach - replication_enabled The list is defined in the code, and is not configurable. Regular users may view these user visible specs, and use them as a filter when listing volume types, but access is essentially read-only. Only cloud administrators are authorized to create or modify extra specs, including the user visible ones. The feature works by relaxing a few policies that were previously admin-only, and adds a new volume_extension:types_extra_specs:read_sensitive policy that limits access to all other (non-user visible) specs so that only cloud administrators can see them. DocImpact Implements: bp expose-user-visible-extra-specs Change-Id: I5434ea4199cce8158b75771fb6127be001baf328
8.1 KiB
User visible extra specs
Starting in Xena, certain volume type extra specs
(i.e.
properties) are considered user visible, meaning their visibility is not
restricted to only cloud administrators. This feature provides regular
users with more information about the volume types available to them,
and lets them make more informed decisions on which volume type to
choose when creating volumes.
The following extra spec
keys are treated as user
visible:
RESKEY:availability_zones
multiattach
replication_enabled
Note
- The set of user visible
extra specs
is a fixed list that is not configurable. - The feature is entirely policy based, and does not require a new microversion.
Behavior using openstack client
Consider the following volume type, as viewed from an administrator's
perspective. In this example, multiattach
is a user visible
extra spec
and volume_backend_name
is not.
# Administrator behavior
[admin@host]$ openstack volume type show vol_type
+--------------------+-------------------------------------------------------+
| Field | Value |
+--------------------+-------------------------------------------------------+
| access_project_ids | None |
| description | None |
| id | d03a0f33-e695-4f5c-b712-7d92abbf72be |
| is_public | True |
| name | vol_type |
| properties | multiattach='<is> True', volume_backend_name='secret' |
| qos_specs_id | None |
+--------------------+-------------------------------------------------------+
Here is the output when a regular user executes the same command.
Notice only the user visible multiattach
property is
listed.
# Regular user behavior
[user@host]$ openstack volume type show vol_type
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| access_project_ids | None |
| description | None |
| id | d03a0f33-e695-4f5c-b712-7d92abbf72be |
| is_public | True |
| name | vol_type |
| properties | multiattach='<is> True' |
+--------------------+--------------------------------------+
The behavior for listing volume types is similar. Administrators will
see all extra specs
but regular users will see only user
visible extra specs
.
# Administrator behavior
[admin@host]$ openstack volume type list --long
+--------------------------------------+-------------+-----------+---------------------+-------------------------------------------------------+
| ID | Name | Is Public | Description | Properties |
+--------------------------------------+-------------+-----------+---------------------+-------------------------------------------------------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type | True | None | multiattach='<is> True', volume_backend_name='secret' |
| 80f38273-f4b9-4862-a4e6-87692eb66a96 | __DEFAULT__ | True | Default Volume Type | |
+--------------------------------------+-------------+-----------+---------------------+-------------------------------------------------------+
# Regular user behavior
[user@host]$ openstack volume type list --long
+--------------------------------------+-------------+-----------+---------------------+-------------------------+
| ID | Name | Is Public | Description | Properties |
+--------------------------------------+-------------+-----------+---------------------+-------------------------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type | True | None | multiattach='<is> True' |
| 80f38273-f4b9-4862-a4e6-87692eb66a96 | __DEFAULT__ | True | Default Volume Type | |
+--------------------------------------+-------------+-----------+---------------------+-------------------------+
Regular users may view these properties, but they may not modify them. Attempts to modify a user visible property by a non-administrator will fail.
[user@host]$ openstack volume type set --property multiattach='<is> False' vol_type
Failed to set volume type property: Policy doesn't allow
volume_extension:types_extra_specs:create to be performed. (HTTP 403)
Filtering with extra specs
API microversion 3.52 adds support for using extra specs
to filter the list of volume types. Regular users are able to use that
feature to filter for user visible extra specs
. If a
regular user attempts to filter on a non-user visible
extra spec
then an empty list is returned.
# Administrator behavior
[admin@host]$ cinder --os-volume-api-version 3.52 type-list \
> --filters extra_specs={"multiattach":"<is> True"}
+--------------------------------------+----------+-------------+-----------+
| ID | Name | Description | Is_Public |
+--------------------------------------+----------+-------------+-----------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type | - | True |
+--------------------------------------+----------+-------------+-----------+
[admin@host]$ cinder --os-volume-api-version 3.52 type-list \
> --filters extra_specs={"volume_backend_name":"secret"}
+--------------------------------------+----------+-------------+-----------+
| ID | Name | Description | Is_Public |
+--------------------------------------+----------+-------------+-----------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type | - | True |
+--------------------------------------+----------+-------------+-----------+
# Regular user behavior
[user@host]$ cinder --os-volume-api-version 3.52 type-list \
> --filters extra_specs={"multiattach":"<is> True"}
+--------------------------------------+----------+-------------+-----------+
| ID | Name | Description | Is_Public |
+--------------------------------------+----------+-------------+-----------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type | - | True |
+--------------------------------------+----------+-------------+-----------+
[user@host]$ cinder --os-volume-api-version 3.52 type-list \
> --filters extra_specs={"volume_backend_name":"secret"}
+----+------+-------------+-----------+
| ID | Name | Description | Is_Public |
+----+------+-------------+-----------+
+----+------+-------------+-----------+
Security considerations
Cloud administrators who do not wish to expose any
extra specs
to regular users may restore the previous
behavior by setting the following policies to their pre-Xena default
values.
"volume_extension:access_types_extra_specs": "rule:admin_api"
"volume_extension:types_extra_specs:index": "rule:admin_api"
"volume_extension:types_extra_specs:show": "rule:admin_api"
To restrict regular users from using extra specs
to
filter the list of volume types, modify
/etc/cinder/resource_filters.json to restore the "volume_type"
entry to its pre-Xena default value.
"volume_type": ["is_public"]