Separate update and swap volume policies

This patch changes the volume update policy to be 'rule:system_admin_or_owner' to allow instance owners to update attachment details like delete_on_termination. It creates a new volume swap policy element with the old admin-only behavior, and makes the volume update code check the appropriate policy based on what action is being performed. Co-Authored-By: Dan Smith <dansmith@redhat.com> Partial implement blueprint destroy-instance-with-datavolume Change-Id: I2cbe37b65ceac2efb3b252460dc01d17474e6343
2020-03-04 18:12:27 +08:00 · 2020-03-04 18:12:27 +08:00 · fcf5863662
commit fcf5863662
parent e5cd0fdd87
6 changed files with 93 additions and 12 deletions
--- a/nova/api/openstack/compute/volumes.py
+++ b/nova/api/openstack/compute/volumes.py
@ -465,23 +465,26 @@ class VolumeAttachmentController(wsgi.Controller):
    def update(self, req, server_id, id, body):
        context = req.environ['nova.context']
        instance = common.get_instance(self.compute_api, context, server_id)
        # TODO(danms): For now, use the existing admin-only policy for update.
        # Later, split off the swap_volume permission and check the correct
        # policy based on what is being asked by the client.
        context.can(va_policies.POLICY_ROOT % 'update',
                    target={'project_id': instance.project_id})
        attachment = body['volumeAttachment']
        volume_id = attachment['volumeId']
        only_swap = not api_version_request.is_supported(req, '2.85')
        # NOTE(brinzhang): If the 'volumeId' requested by the user is
        # different from the 'id' in the url path, or only swap is allowed by
        # the microversion, we should check the swap volume policy.
        # otherwise, check the volume update policy.
        if only_swap or id != volume_id:
            context.can(va_policies.POLICY_ROOT % 'swap', target={})
        else:
            context.can(va_policies.POLICY_ROOT % 'update',
                        target={'project_id': instance.project_id})
        if only_swap:
            # NOTE(danms): Original behavior is always call swap on PUT
            # FIXME(danms): Check the swap volume policy here
            self._update_volume_swap(req, instance, id, body)
        else:
            # NOTE(danms): New behavior is update any supported attachment
            # properties first, and then call swap if volumeId differs
            # FIXME(danms): Check the volume attachment update policy here
            self._update_volume_regular(req, instance, id, body)
            if id != volume_id:
                self._update_volume_swap(req, instance, id, body)
--- a/nova/policies/volumes_attachments.py
+++ b/nova/policies/volumes_attachments.py
@ -57,8 +57,24 @@ volumes_attachments_policies = [
        scope_types=['system', 'project']),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'update',
        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
        description="""Update a volume attachment.
 New 'update' policy about 'swap + update' request (which is possible
 only >2.85) only <swap policy> is checked. We expect <swap policy> to be
 always superset of this policy permission.
 """,
        operations=[
            {
                'method': 'PUT',
                'path':
                 '/servers/{server_id}/os-volume_attachments/{volume_id}'
            }
        ],
        scope_types=['system', 'project']),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'swap',
        check_str=base.SYSTEM_ADMIN,
-        description="Update a volume attachment",
+        description="Update a volume attachment with a different volumeId",
        operations=[
            {
                'method': 'PUT',
--- a/nova/tests/unit/fake_policy.py
+++ b/nova/tests/unit/fake_policy.py
@ -113,6 +113,7 @@ policy_data = """
    "os_compute_api:os-volumes-attachments:show": "",
    "os_compute_api:os-volumes-attachments:create": "",
    "os_compute_api:os-volumes-attachments:update": "",
    "os_compute_api:os-volumes-attachments:swap":"",
    "os_compute_api:os-volumes-attachments:delete": "",
    "os_compute_api:os-availability-zone:list": "",
    "os_compute_api:os-availability-zone:detail": "",
--- a/nova/tests/unit/policies/test_volumes.py
+++ b/nova/tests/unit/policies/test_volumes.py
@ -19,6 +19,7 @@ from nova.api.openstack.compute import volumes as volumes_v21
 from nova.compute import vm_states
 from nova import exception
 from nova import objects
 from nova.objects import block_device as block_device_obj
 from nova.policies import volumes_attachments as va_policies
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import fake_block_device
@ -160,6 +161,19 @@ class VolumeAttachPolicyTest(base.BasePolicyTest):
                                 rule_name, self.controller.create,
                                 self.req, FAKE_UUID, body=body)
    @mock.patch.object(block_device_obj.BlockDeviceMapping, 'save')
    def test_update_volume_attach_policy(self, mock_bdm_save):
        rule_name = self.policy_root % "update"
        req = fakes.HTTPRequest.blank('', version='2.85')
        body = {'volumeAttachment': {
            'volumeId': FAKE_UUID_A,
            'delete_on_termination': True}}
        self.common_policy_check(self.admin_or_owner_authorized_contexts,
                                 self.admin_or_owner_unauthorized_contexts,
                                 rule_name, self.controller.update,
                                 req, FAKE_UUID,
                                 FAKE_UUID_A, body=body)
    @mock.patch('nova.compute.api.API.detach_volume')
    def test_delete_volume_attach_policy(self, mock_detach_volume):
        rule_name = self.policy_root % "delete"
@ -169,14 +183,52 @@ class VolumeAttachPolicyTest(base.BasePolicyTest):
                                 self.req, FAKE_UUID, FAKE_UUID_A)
    @mock.patch('nova.compute.api.API.swap_volume')
-    def test_update_volume_attach_policy(self, mock_swap_volume):
+    def test_swap_volume_attach_policy(self, mock_swap_volume):
-        rule_name = self.policy_root % "update"
+        rule_name = self.policy_root % "swap"
        body = {'volumeAttachment': {'volumeId': FAKE_UUID_B}}
        self.common_policy_check(self.admin_authorized_contexts,
                                 self.admin_unauthorized_contexts,
                                 rule_name, self.controller.update,
                                 self.req, FAKE_UUID, FAKE_UUID_A, body=body)
    @mock.patch.object(block_device_obj.BlockDeviceMapping, 'save')
    @mock.patch('nova.compute.api.API.swap_volume')
    def test_swap_volume_attach_policy_failed(self,
                                              mock_swap_volume,
                                              mock_bdm_save):
        """Policy check fails for swap + update due to swap policy failure.
        """
        rule_name = self.policy_root % "swap"
        req = fakes.HTTPRequest.blank('', version='2.85')
        req.environ['nova.context'].user_id = 'other-user'
        self.policy.set_rules({rule_name: "user_id:%(user_id)s"})
        body = {'volumeAttachment': {'volumeId': FAKE_UUID_B,
            'delete_on_termination': True}}
        exc = self.assertRaises(
            exception.PolicyNotAuthorized, self.controller.update,
            req, FAKE_UUID, FAKE_UUID_A, body=body)
        self.assertEqual(
            "Policy doesn't allow %s to be performed." % rule_name,
            exc.format_message())
        mock_swap_volume.assert_not_called()
        mock_bdm_save.assert_not_called()
    @mock.patch.object(block_device_obj.BlockDeviceMapping, 'save')
    @mock.patch('nova.compute.api.API.swap_volume')
    def test_pass_swap_and_update_volume_attach_policy(self,
                                                       mock_swap_volume,
                                                       mock_bdm_save):
        rule_name = self.policy_root % "swap"
        req = fakes.HTTPRequest.blank('', version='2.85')
        body = {'volumeAttachment': {'volumeId': FAKE_UUID_B,
            'delete_on_termination': True}}
        self.common_policy_check(self.admin_authorized_contexts,
                                 self.admin_unauthorized_contexts,
                                 rule_name, self.controller.update,
                                 req, FAKE_UUID, FAKE_UUID_A, body=body)
        mock_swap_volume.assert_called()
        mock_bdm_save.assert_called()
 class VolumeAttachScopeTypePolicyTest(VolumeAttachPolicyTest):
    """Test os-volume-attachments APIs policies with system scope enabled.
--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@ -360,7 +360,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-console-auth-tokens",
 "os_compute_api:os-quota-class-sets:update",
 "os_compute_api:os-server-external-events:create",
-"os_compute_api:os-volumes-attachments:update",
+"os_compute_api:os-volumes-attachments:swap",
 "os_compute_api:servers:create:zero_disk_flavor",
 "os_compute_api:servers:migrations:index",
 "os_compute_api:servers:migrations:show",
@ -445,6 +445,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-volumes",
 "os_compute_api:os-volumes-attachments:create",
 "os_compute_api:os-volumes-attachments:delete",
 "os_compute_api:os-volumes-attachments:update",
 )
        self.allow_all_rules = (
--- a/releasenotes/notes/separate-update-and-swap-volume-policy-for-attachment-e4c20d4907a52fa7.yaml
+++ b/releasenotes/notes/separate-update-and-swap-volume-policy-for-attachment-e4c20d4907a52fa7.yaml
@ -0,0 +1,8 @@
 ---
 features:
  - |
    With microversion 2.85, existing policy ``os-volumes-attachments:update``
    is used for updating the resources with the change in its default value
    from ``SYSTEM_ADMIN`` to ``PROJECT_MEMBER_OR_SYSTEM_ADMIN``.
    New policy ``os-volumes-attachments:swap`` is introduced for swapping
    the attachment of servers with default to ``SYSTEM_ADMIN``.