Public shares are visible across all keystone
projects and are "accessible" by all projects
within a multi-tenant cloud. More often than not,
only privileged users can create and manage shares
that EVERYONE on the cloud can really mount and use.
Manila deployers want a way to disable
unprivileged users from create public shares. Feedback
from deployers has been that public shares created on one
private tenant network (DHSS=True scenario) cannot
be used within another private tenant network belonging
to a different project. So, if users unintentionally create
public shares, they end up pollute the dashboards of users
in other projects. So, we need to make public share
creation a "privileged" feature. This can be achieved by
introducing a manila API policy that defaults to
only allowing the "admin" role. So, this commit will:
- Introduce two new policies:
- share:create_public_share and
- share:set_public_share
- Set the default check string for these policies
to rule:admin_api. They will accept the default
rule temporarily, and log a deprecation warning
message.
- Remove some redundant policy checks in code
and move the policy check up in the API so we
can fail unauthorized requests faster.
When making an API change that potentially changes
the return code from being "successful" (HTTP 2xx)
to returning failure (in this case: HTTP 403,
NotAuthorized), we typically maintain API backwards
compatibility by failing the requests ONLY with newer
API microversions. Following this pattern for API
policy changes will introduce a security hole, i.e.,
users can always create public shares with previous
versions even when an administrator explicitly
sets up policy to disable the action. This is why
this change will not maintain API backwards
compatibility.
APIImpact
Closes-Bug: #1801763
Change-Id: Ib4fc9a82b6a3e5f8e50f0bc8a89d0445eecab028
2289cdd9e7