2289cdd9e7
Public shares are visible across all keystone
projects and are "accessible" by all projects
within a multi-tenant cloud. More often than not,
only privileged users can create and manage shares
that EVERYONE on the cloud can really mount and use.
Manila deployers want a way to disable
unprivileged users from create public shares. Feedback
from deployers has been that public shares created on one
private tenant network (DHSS=True scenario) cannot
be used within another private tenant network belonging
to a different project. So, if users unintentionally create
public shares, they end up pollute the dashboards of users
in other projects. So, we need to make public share
creation a "privileged" feature. This can be achieved by
introducing a manila API policy that defaults to
only allowing the "admin" role. So, this commit will:
- Introduce two new policies:
- share:create_public_share and
- share:set_public_share
- Set the default check string for these policies
to rule:admin_api. They will accept the default
rule temporarily, and log a deprecation warning
message.
- Remove some redundant policy checks in code
and move the policy check up in the API so we
can fail unauthorized requests faster.
When making an API change that potentially changes
the return code from being "successful" (HTTP 2xx)
to returning failure (in this case: HTTP 403,
NotAuthorized), we typically maintain API backwards
compatibility by failing the requests ONLY with newer
API microversions. Following this pattern for API
policy changes will introduce a security hole, i.e.,
users can always create public shares with previous
versions even when an administrator explicitly
sets up policy to disable the action. This is why
this change will not maintain API backwards
compatibility.
APIImpact
Closes-Bug: #1801763
Change-Id: Ib4fc9a82b6a3e5f8e50f0bc8a89d0445eecab028
22 lines
1.1 KiB
YAML
22 lines
1.1 KiB
YAML
---
|
|
features:
|
|
- |
|
|
New API policies (share:create_public_share and share:set_public_share)
|
|
have been introduced for the "create" (POST /shares) and "update"
|
|
(PUT /shares) APIs to validate requests to create publicly visible
|
|
shares.
|
|
deprecations:
|
|
- |
|
|
The API policies to create publicly visible shares
|
|
(share:create_public_share) or modify existing shares to become publicly
|
|
visible (share:set_public_share) have their default value changed to
|
|
rule:admin_api. This means that these APIs (POST /shares and PUT
|
|
/shares) will allow the 'is_public' parameter to be set to True in the
|
|
request body if the requester's role is set to an Administrator role.
|
|
These policies will allow their previous default behavior in the Stein
|
|
release (8.0.0) (i.e., any user can create publicly visible shares and
|
|
even non-privileged users within a project can update their shares to
|
|
become publicly visible). If the previous default behavior is always
|
|
desired, deployers *must* explicitly set "share:create_public_share"
|
|
and "share:set_public_share" to "rule:default" in their policy.json
|
|
file. |