cinder/releasenotes/notes/type-extra-spec-policies-b7742b0ac2732864.yaml
Gerald McBrearty 7bd2950ad5 Make VolumeTypeExtraSpecsController policy more granular
Change VolumeTypeExtraSpecsController to pass the action
on authorize for create, delete, index, show, update.
Change the policy files to include rules for
types_extra_specs create, delete, index, show, update.

This review adds a release note for the code change that
merged with https://review.openstack.org/#/c/483037/

Closes-Bug: #1703933

Change-Id: I84983d9967579d4556b81ba705b5437ffdb53407
2017-08-02 11:51:13 -05:00

---
upgrade:
  - |
    When managing volume types an OpenStack provider is now given more control to grant
    access for different storage type operations. The provider can now customize access
    to type create, delete, update, list, and show using new entries in the cinder policy file.

    As an example one provider may have roles called viewer, admin, type_viewer, and say
    type_admin. Admin and type_admin can create, delete, update types. Everyone can list
    the storage types. Admin, type_viewer, and type_admin can view the extra_specs.

    "volume_extension:types_extra_specs:create": "rule:admin or rule:type_admin",
    "volume_extension:types_extra_specs:delete": "rule:admin or rule:type_admin",
    "volume_extension:types_extra_specs:index": "",
    "volume_extension:types_extra_specs:show": "rule:admin or rule:type_admin or rule:type_viewer",
    "volume_extension:types_extra_specs:update": "rule:admin or rule:type_admin"
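
The following is an added example, not part of the release note or of cinder's code: a small audit of the sample policy above that derives which role can perform which extra-specs action. The evaluator is a simplified stand-in for oslo.policy that handles only the syntax used in the note (`""`, `rule:`, `role:`, `or`), and the mapping of the `admin`, `type_admin` and `type_viewer` rules to same-named roles is an assumption, since the note references those rules without defining them.

```python
PREFIX = "volume_extension:types_extra_specs:"

# The five entries from the release note.
POLICY = {
    PREFIX + "create": "rule:admin or rule:type_admin",
    PREFIX + "delete": "rule:admin or rule:type_admin",
    PREFIX + "index": "",
    PREFIX + "show": "rule:admin or rule:type_admin or rule:type_viewer",
    PREFIX + "update": "rule:admin or rule:type_admin",
    # Assumption: each rule named in the note maps to a role of the same name.
    "admin": "role:admin",
    "type_admin": "role:type_admin",
    "type_viewer": "role:type_viewer",
}


def allowed(rule, roles, policy=POLICY, _seen=()):
    """Return True if a caller holding `roles` passes `rule`."""
    # This sketch fails closed on undefined or self-referencing rules.
    if rule not in policy or rule in _seen:
        return False
    expr = policy[rule].strip()
    if expr == "":
        return True  # empty check string: every caller passes
    for term in expr.split(" or "):
        kind, _, name = term.strip().partition(":")
        if kind == "role":
            if name in roles:
                return True
        elif kind == "rule":
            if allowed(name, roles, policy, _seen + (rule,)):
                return True
        else:
            raise ValueError("unsupported check in this sketch: %r" % term)
    return False


def access_matrix(role_names, policy=POLICY):
    """Map each role to the sorted extra-specs actions it may perform."""
    actions = [k for k in policy if k.startswith(PREFIX)]
    return {r: sorted(a[len(PREFIX):] for a in actions if allowed(a, {r}, policy))
            for r in role_names}


def open_rules(policy=POLICY):
    """Rules with an empty check string, i.e. open to every caller."""
    return sorted(k for k, v in policy.items() if v.strip() == "")


if __name__ == "__main__":
    for role, acts in access_matrix(["viewer", "type_viewer", "type_admin", "admin"]).items():
        print(role, acts)
    print("open to everyone:", open_rules())
```

Running the same audit after editing a deployment's policy file is a quick way to confirm that no role gained create, delete or update by accident and that only the intended rules are left empty.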