We were missing a join on the share network
subnets table to be able to affect a lookup
by share network ID.
Change-Id: Id121ba942c7840a7cd7574f08a524fd4dbe06f64
This patch implements support for security service updates
for in use share networks. It works with all three security
service types. For 'active_directory' and 'kerberos', the 'domain'
attribute update isn't supported, since it can might affect
user's access to all related shares.
Change-Id: I8556e4e2e05deb9b116eacbd5afe2f7c5d77b44b
Depends-On: I129a794dfd2d179fa2b9a2fed050459d6f00b0de
Depends-On: I5fef50a17bc72ba66a3a9d6f786742bcb5745d7b
Implements: bp netapp-security-service-update
Co-Authored-By: Carlos Eduardo <ces.eduardo98@gmail.com>
Signed-off-by: Douglas Viroel <viroel@gmail.com>
This implementation adds the functionality to add/update security services
to in use share networks using the container driver. The container driver will
also try to setup security services while creating share servers. Currently, the
only supported security service type is LDAP.
Co-Authored-By: Carlos Eduardo <ces.eduardo98@gmail.com>
Partially Implements: bp add-security-service-in-use-share-networks
Depends-On: I129a794dfd2d179fa2b9a2fed050459d6f00b0de
Change-Id: Ifb8b9ebe6eb0661844c794ca1a32e35105652f72
This patch implements the update of security service's association
with in-use share networks. The following changes were added:
- New share network APIs: `share_network_security_service_update`
and `share_network_reset_state`.
- A new `status` attribute was added to share network model to
identify when it's in a modification state, called 'network_change'.
Other supported status that were added: 'active' and 'error'.
- New 'security_service_update_support' property was added to both
share server and share network models, to identify when this resources
are able to process security service update for in-use share networks.
- New driver interface was added to support update of security service's
configuration of a given share server.
DocImpact
APIImpact
Partially Implements: bp add-security-service-in-use-share-networks
Co-Authored-By: Carlos Eduardo <ces.eduardo98@gmail.com>
Co-Authored-By: Douglas Viroel <viroel@gmail.com>
Co-Authored-By: Andre Beltrami <debeltrami@gmail.com>
Change-Id: I129a794dfd2d179fa2b9a2fed050459d6f00b0de
We set the check job to non-voting, but the
sporadic failures are occurring in the gate
queue as well. Unfortunate as it is, we're
still unable to fix the root cause.
Change-Id: I5a70441ee493ef6f5a5db1957000ee1134e3e5df
Partial-Bug: #1918707
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
We're seeing sporadic failures of this job and
the rate of failures is increasing in the past
couple of days. Since we're at feature freeze and
the doc is being built fine, we decided to set
this job to non-voting and investigate the failure
while allowing feature patches to merge.
Partial-Bug: #1918707
Change-Id: I2233f951f87e38d82d7963a57695e9cf84cbf558
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
This patch adds support for automated creation of FPolicy policies
and association to a share. The FPolicy configuration can be added using
the extra-specs 'netapp:fpolicy_extensions_to_include',
'netapp:fpolicy_extensions_to_exclude' and 'netapp:fpolicy_file_operations'.
Change-Id: I661de95bfb6f8e68b3a8c58663bb6055e9b809f6
Implements: bp netapp-fpolicy-support
Signed-off-by: Douglas Viroel <viroel@gmail.com>
This commit updates the policies for
shares to understand scope checking and
account for a read-only role. This is
part of a broader series of changes
across OpenStack to provide a consistent
RBAC experience and improve security.
Change-Id: I6d947fa5f51f6a462f0ce5b1f4b3c00d3a10b024
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
This commit updates the policies for share
replicas to understand scope checking and
account for a read-only role. This is part
of a broader series of changes across
OpenStack to provide a consistent RBAC
experience and improve security.
Change-Id: I1656585bf66ad17468e5d2cfef039fc90b6dec50
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
Allow project administrators to force
delete and reset status on share group
snapshots by default since that delegation
may be desirable in the cloud and it
does not violate tenancy.
Change-Id: Ib9b9b306be9073c4cea9b2d190d3325f29c7bd3f
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
This commit updates the policies for share
snapshots to understand scope checking and
account for a read-only role. This is part
of a broader series of changes across
OpenStack to provide a consistent RBAC experience
and improve security.
Change-Id: I8d9702c587aa6716310be2ff7f11e370616e2d3b
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
This patch fixes some issues with LDAP client configuration on
ONTAP SVMs. With ldap security service, users should be able to
configure a LDAP client that can be used for authentication and
name mapping. The name service switch order remains: ldap,files.
Issues fixed:
- The driver now identifies when user provide a Active Directory
domain or a Linux/Unix LDAP server IP and sets the correct schema.
- LDAP configuration parameter `servers` was replaced by `ldap-servers`
in ONTAP 9.2, and now accepts host names too.
- Fix DNS configuration for LDAP security service
- User can now specify base search DN for LDAP queries, which can be
mandatory for Unix/Linux servers, using the security service `ou`
parameter.
Closes-Bug: #1916534
Change-Id: Ieaa53abbe50e7b708e508c132dfc4bb36b71a4f5
Signed-off-by: Douglas Viroel <viroel@gmail.com>
This commit updates the policies for share type extra spec to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.
Change-Id: Ib2f71bdbe22f092016df25a7118abf3337f8cb8d
This commit updates the policies for share snapshot instances to understand
scope checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC experience and
improve security.
Change-Id: I6ec289e82d8f37ea7e832476345a3cac42662280
This feature allows admin to set share size limit for a project.
The defaults will either come from the default values
set in the quota configuration option or via manila.conf
if the user has configured default values for quotas there.
The quota_per_share_gigabytes defaults to -1["No Limit"] always
unless changed in manila.conf by admin.
Closes-Bug: #1811943
Change-Id: Ida126c8c419b8bf4d2a194f061a0809d52b47ab8
This commit updates the policies for share group type specs to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.
Change-Id: Ie1b72459ae060693badb6fe864454836a4ff1300
This commit updates the policies for share network subnets to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.
Change-Id: I2c90a40a7950be0463c3bc1bcf0b2d41cb6aeaa7
This commit updates the policies for share networks to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.
Change-Id: Ie5e87c73e97d4a464ec91db8fba1c5d3e9abfff5
Add two new capabilities to manila. It is possible to set limits
to share server size and share instances in a share server by
setting `max_share_server_size` and `max_shares_per_share_server`
in a backend stanza.
Change-Id: I3170478d3aa2d09cb2adc32233dc57bc59029a56
Partially-Implements: bp new-share-server-limits
DocImpact
This commit updates the policies for
share group types to understand scope
checking and account for a read-only role.
This is part of a broader series of
changes across OpenStack to provide a
consistent RBAC experience and improve
security.
Also fix the HTTP method in the policy
doc for this API.
Change-Id: I8b95e1e70f74052e5bd4af1ba29842420bafd0b2
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
This commit updates the policies for share groups
to understand scope checking and account for a
read-only role. This is part of a broader series
of changes across OpenStack to provide a
consistent RBAC experience and improve security.
Change-Id: I71d63179131c5dbe75a2de7339fa4df70243e83f
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
