Remove deprecated public share policies

These policies were deprecated in Stein and flagged
for removal in Train. Now that we're in the Wallaby
development cycle let's remove them.

Depends-On: I2a647fd5871ef6bb7d1ab45db893a44a560bed72
Change-Id: I6e7608be57de8987117f3f4ace018a7eb91c8bd2
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
This commit is contained in:
Lance Bragstad 2020-11-19 20:44:13 +00:00 committed by Goutham Pacha Ravi
parent d487c2db72
commit e3e0486de9
2 changed files with 13 additions and 30 deletions

View File

@ -17,17 +17,6 @@ from manila.policies import base
BASE_POLICY_NAME = 'share:%s' BASE_POLICY_NAME = 'share:%s'
# These deprecated rules can be removed in the 'Train' release.
deprecated_create_public_share_rule = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'create_public_share',
check_str=base.RULE_DEFAULT,
)
deprecated_set_public_share_rule = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'set_public_share',
check_str=base.RULE_DEFAULT,
)
shares_policies = [ shares_policies = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
@ -43,16 +32,7 @@ shares_policies = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'create_public_share', name=BASE_POLICY_NAME % 'create_public_share',
check_str=base.RULE_ADMIN_API, check_str=base.RULE_ADMIN_API,
description="Create shares visible across all projects in the cloud. " description="Create shares visible across all projects in the cloud.",
"This option will default to rule:admin_api in the "
"9.0.0 (Train) release of the OpenStack Shared File "
"Systems (manila) service.",
deprecated_rule=deprecated_create_public_share_rule,
deprecated_reason="Public shares must be accessible across the "
"cloud, irrespective of project namespaces. To "
"avoid unintended consequences, rule:admin_api "
"serves as a better default for this policy.",
deprecated_since='S',
operations=[ operations=[
{ {
'method': 'POST', 'method': 'POST',
@ -97,15 +77,7 @@ shares_policies = [
name=BASE_POLICY_NAME % 'set_public_share', name=BASE_POLICY_NAME % 'set_public_share',
check_str=base.RULE_ADMIN_API, check_str=base.RULE_ADMIN_API,
description="Update shares to be visible across all projects in the " description="Update shares to be visible across all projects in the "
"cloud. This option will default to rule:admin_api in the " "cloud.",
"9.0.0 (Train) release of the OpenStack Shared File "
"Systems (manila) service.",
deprecated_rule=deprecated_set_public_share_rule,
deprecated_reason="Public shares must be accessible across the "
"cloud, irrespective of project namespaces. To "
"avoid unintended consequences, rule:admin_api "
"serves as a better default for this policy.",
deprecated_since='S',
operations=[ operations=[
{ {
'method': 'PUT', 'method': 'PUT',

View File

@ -0,0 +1,11 @@
---
upgrade:
- |
The ability to create a public share (RBAC: "share:create_public_share")
and to update a share to become publicly visible
(RBAC: "share:set_public_share") are now restricted to administator
users operating at system scope. Adjust your policy file overrides if
you would like to retain the older behavior of allowing all users to
create public shares or to update private ones to public. If you do
that, be sure that your users are aware of the security implications of
publicly accessible shares.