f738483e84
Cinder's volume migration API is, by default, an admin-only operation. This includes the migrate_volume_completion API.

When Cinder is doing a volume migration, it calls Nova's swap-volume API to detach the old volume that we're migrating from and attach the volume that we're migrating to. Then Nova calls Cinder's migrate_volume_completion API to signal Nova is done and Cinder can finish the volume migration.

The problem is that swap-volume is not an admin-only API in Nova per the default policy. So if a non-admin user tries to perform a swap-volume operation, it will fail with a 403 when calling Cinder's migrate_volume_completion API, since that requires an admin user.

Also, because of 98739761f17b5e0b32abd8cd262f5beda030f886 we can't simply avoid calling migrate_volume_completion for non-migration cases because that API handles the actual detach/attach for the old and new volumes, swap-volume is broken without calling that.

So given swap-volume relies on an admin-only Cinder API, and is called from an admin-only Cinder operation (volume migration), we should just make it default to admin-only also.

Change-Id: Iac03258735f3d856a474ab96fe9b0a087e32906f
Closes-Bug: #1522705
9 lines
443 B
YAML
---
upgrade:
  - The default policy for updating volume attachments, commonly referred to as
    swap volume, has been changed from ``rule:admin_or_owner`` to
    ``rule:admin_api``. This is because it is called from the volume service
    when migrating volumes, which is an admin-only operation by default, and
    requires calling an admin-only API in the volume service upon completion.
    So by default it would not work for non-admins.
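An upgrade check for the default change described in this note, as an added example that is not part of the Nova change itself: it reports whether a deployment's policy override still lets non-admins call swap volume. Assumptions: the policy key `os_compute_api:os-volumes-attachments:update` is not named on this page and should be confirmed against the deployed release, the sample policies are constructed, and the rule evaluation is a conservative simplification of oslo.policy syntax.

```python
import re

# Assumed Nova policy key for "update volume attachment" (swap volume).
SWAP_RULE = "os_compute_api:os-volumes-attachments:update"
ADMIN_CHECKS = ("is_admin:True", "role:admin")


def expand(expr, policy, depth=0):
    """Inline rule:NAME references so aliases like admin_or_owner become visible."""
    if depth > 10:
        raise ValueError("rule reference loop")

    def sub(match):
        name = match.group(1)
        if name not in policy:
            raise KeyError(f"undefined rule {name!r}")
        return "(" + expand(policy[name], policy, depth + 1) + ")"

    return re.sub(r"rule:([\w:.-]+)", sub, expr)


def is_admin_term(term):
    """True if an AND-term can only pass for an admin ('!' never passes at all)."""
    term = term.strip()
    if term == "!":
        return True
    return "not " not in term and any(c in term for c in ADMIN_CHECKS)


def classify(policy):
    """Return 'default', 'admin_only' or 'non_admin_allowed' for swap volume."""
    if SWAP_RULE not in policy:
        return "default"  # no override: the new rule:admin_api default applies
    flat = expand(policy[SWAP_RULE], policy)
    flat = flat.replace("(", " ").replace(")", " ").strip()
    if flat == "":
        return "non_admin_allowed"  # an empty rule allows every caller
    # Simplification: read the expression as OR of AND-terms, ignoring nesting.
    # Nested expressions may be over-reported, never under-reported as admin-only.
    terms = re.split(r"\s+or\s+", flat)
    return "admin_only" if all(is_admin_term(t) for t in terms) else "non_admin_allowed"


# Constructed sample: an override carried over from the old default.
STALE = {
    "admin_api": "is_admin:True",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    SWAP_RULE: "rule:admin_or_owner",
}
# Constructed sample: an override matching the new default.
CURRENT = {"admin_api": "is_admin:True", SWAP_RULE: "rule:admin_api"}
```

A result of `non_admin_allowed` means non-admin callers pass Nova's check and then hit the 403 from Cinder's admin-only migrate_volume_completion API described in the commit message.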