From 5b33db1020010673cebd5912511610a0971bb436 Mon Sep 17 00:00:00 2001 From: Jesse Pretorius Date: Thu, 24 Sep 2015 11:11:22 +0100 Subject: [PATCH] Update Cinder Configuration for Liberty This patch includes the following updates based on the updated source in Cinder's Liberty release: - api-paste.ini (no changes) - policy.json - rootwrap.d/volume.filters DocImpact UpgradeImpact Implements: blueprint liberty-release Change-Id: I7f03f3c4c2223d445bb2157dd09ae37ebc961121 --- .../roles/os_cinder/files/volume.filters | 22 ++++++- .../os_cinder/tasks/cinder_post_install.yml | 2 +- .../templates/{policy.json => policy.json.j2} | 59 +++++++++++-------- 3 files changed, 58 insertions(+), 25 deletions(-) rename playbooks/roles/os_cinder/templates/{policy.json => policy.json.j2} (59%) diff --git a/playbooks/roles/os_cinder/files/volume.filters b/playbooks/roles/os_cinder/files/volume.filters index 36a037bb97..9e7ab384c4 100644 --- a/playbooks/roles/os_cinder/files/volume.filters +++ b/playbooks/roles/os_cinder/files/volume.filters @@ -22,6 +22,12 @@ vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, vgs lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay +# os-brick library commands +# TODO(smcginnis) This is a temporary fix. Need to pull in os-brick +# os-brick.filters file instead and clean out stale brick values from +# this file. +scsi_id: CommandFilter, /lib/udev/scsi_id, root + # cinder/volumes/drivers/srb.py: 'pvresize', '--setphysicalvolumesize', sizestr, pvname pvresize: CommandFilter, pvresize, root @@ -103,6 +109,7 @@ netapp_nfs_find: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdept # cinder/volume/drivers/glusterfs.py chgrp: CommandFilter, chgrp, root umount: CommandFilter, umount, root +fallocate: CommandFilter, fallocate, root # cinder/volumes/drivers/hds/hds.py: hus-cmd: CommandFilter, hus-cmd, root 
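Review bot: The new `fallocate` entry in the glusterfs section is a bare-name `CommandFilter`, which places no limit on arguments, so the cinder service account can run `fallocate` as root against any path on the host, and the binary is resolved through the `exec_dirs` search path in rootwrap.conf rather than pinned. The `scsi_id` entry added in the first hunk shows the pinned form; `vgc-cluster`, `pstorage-mount` and `pstorage` in the last hunk of this file have the same bare-name shape. Consider an absolute path here and, if the driver's invocation is fixed, a `RegExpFilter` that accepts only the expected size option and a path under the share mount base. Failing that, a comment such as `# unrestricted arguments: runs as root on any path the cinder user names` would at least record the exposure for deployers.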
@@ -122,8 +129,11 @@ systool: CommandFilter, systool, root blockdev: CommandFilter, blockdev, root # cinder/volume/drivers/ibm/gpfs.py -cp: CommandFilter, cp, root +# cinder/volume/drivers/tintri.py mv: CommandFilter, mv, root + +# cinder/volume/drivers/ibm/gpfs.py +cp: CommandFilter, cp, root mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root mmclone: CommandFilter, /usr/lpp/mmfs/bin/mmclone, root mmlsattr: CommandFilter, /usr/lpp/mmfs/bin/mmlsattr, root @@ -185,3 +195,13 @@ auiscsi: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_R audppool: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/audppool aureplicationlocal: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationlocal aureplicationmon: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationmon + +# cinder/volume/drivers/hgst.py +vgc-cluster: CommandFilter, vgc-cluster, root + +# cinder/volume/drivers/vzstorage.py +pstorage-mount: CommandFilter, pstorage-mount, root +pstorage: CommandFilter, pstorage, root + +# initiator/connector.py: +drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid diff --git a/playbooks/roles/os_cinder/tasks/cinder_post_install.yml b/playbooks/roles/os_cinder/tasks/cinder_post_install.yml index 263fd99be0..abb2b2149d 100644 --- a/playbooks/roles/os_cinder/tasks/cinder_post_install.yml +++ b/playbooks/roles/os_cinder/tasks/cinder_post_install.yml @@ -35,7 +35,7 @@ dest: "/etc/cinder/rootwrap.conf" config_overrides: "{{ cinder_rootwrap_conf_overrides }}" config_type: "ini" - - src: "policy.json" + - src: "policy.json.j2" dest: "/etc/cinder/policy.json" config_overrides: "{{ cinder_policy_overrides }}" config_type: "json" 
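Review bot: The `drv_cfg` entry lists `/opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid` after the run-as user, but as far as I know `CommandFilter` matches only the command name and ignores any further fields, so this line does not confine the call to `--query_guid`. If that confinement is intended, the filter type has to be one that checks arguments, for example `drv_cfg: RegExpFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid`; verify it against how the connector invokes the binary before switching. Otherwise drop the trailing fields so the file does not suggest a restriction that is not enforced.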
diff --git a/playbooks/roles/os_cinder/templates/policy.json b/playbooks/roles/os_cinder/templates/policy.json.j2 similarity index 59% rename from playbooks/roles/os_cinder/templates/policy.json rename to playbooks/roles/os_cinder/templates/policy.json.j2 index a552c01221..4c8a8aa507 100644 --- a/playbooks/roles/os_cinder/templates/policy.json +++ b/playbooks/roles/os_cinder/templates/policy.json.j2 
@@ -6,32 +6,36 @@ "admin_api": "is_admin:True", "volume:create": "", - "volume:delete": "", - "volume:get": "", - "volume:get_all": "", - "volume:get_volume_metadata": "", + "volume:delete": "rule:admin_or_owner", + "volume:get": "rule:admin_or_owner", + "volume:get_all": "rule:admin_or_owner", + "volume:get_volume_metadata": "rule:admin_or_owner", + "volume:delete_volume_metadata": "rule:admin_or_owner", + "volume:update_volume_metadata": "rule:admin_or_owner", "volume:get_volume_admin_metadata": "rule:admin_api", - "volume:delete_volume_admin_metadata": "rule:admin_api", "volume:update_volume_admin_metadata": "rule:admin_api", - "volume:get_snapshot": "", - "volume:get_all_snapshots": "", - "volume:extend": "", - "volume:update_readonly_flag": "", - "volume:retype": "", + "volume:get_snapshot": "rule:admin_or_owner", + "volume:get_all_snapshots": "rule:admin_or_owner", + "volume:delete_snapshot": "rule:admin_or_owner", + "volume:update_snapshot": "rule:admin_or_owner", + "volume:extend": "rule:admin_or_owner", + "volume:update_readonly_flag": "rule:admin_or_owner", + "volume:retype": "rule:admin_or_owner", + "volume:update": "rule:admin_or_owner", "volume_extension:types_manage": "rule:admin_api", "volume_extension:types_extra_specs": "rule:admin_api", - "volume_extension:volume_type_access": "", + "volume_extension:volume_type_access": "rule:admin_or_owner", "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api", "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api", "volume_extension:volume_type_encryption": "rule:admin_api", "volume_extension:volume_encryption_metadata": "rule:admin_or_owner", - "volume_extension:extended_snapshot_attributes": "", - "volume_extension:volume_image_metadata": "", + "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner", + "volume_extension:volume_image_metadata": "rule:admin_or_owner", "volume_extension:quotas:show": "", "volume_extension:quotas:update": "rule:admin_api", - 
"volume_extension:quota_classes": "", + "volume_extension:quota_classes": "rule:admin_api", "volume_extension:volume_admin_actions:reset_status": "rule:admin_api", "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api", @@ -39,6 +43,7 @@ "volume_extension:volume_admin_actions:force_delete": "rule:admin_api", "volume_extension:volume_admin_actions:force_detach": "rule:admin_api", "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api", + "volume_extension:backup_admin_actions:force_delete": "rule:admin_api", "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api", "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api", 
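Review bot: `volume:delete_volume_admin_metadata` has no entry in the rendered policy after the first hunk of this file, while the get and update admin-metadata actions stay on `rule:admin_api`. With oslo.policy an action without an entry is evaluated against the `default` rule, which is defined above the hunk and not visible here; if that rule is `rule:admin_or_owner`, any remaining enforcement of the action would be looser than before. Unless the action is confirmed gone from the Liberty code, keep `"volume:delete_volume_admin_metadata": "rule:admin_api",` in the template.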
@@ -46,30 +51,38 @@ "volume_extension:volume_tenant_attribute": "rule:admin_or_owner", "volume_extension:volume_mig_status_attribute": "rule:admin_api", "volume_extension:hosts": "rule:admin_api", - "volume_extension:services": "rule:admin_api", + "volume_extension:services:index": "rule:admin_api", + "volume_extension:services:update" : "rule:admin_api", "volume_extension:volume_manage": "rule:admin_api", "volume_extension:volume_unmanage": "rule:admin_api", - "volume:services": "rule:admin_api", + "volume_extension:capabilities": "rule:admin_api", - "volume:create_transfer": "", + "volume:create_transfer": "rule:admin_or_owner", "volume:accept_transfer": "", - "volume:delete_transfer": "", - "volume:get_all_transfers": "", + "volume:delete_transfer": "rule:admin_or_owner", + "volume:get_all_transfers": "rule:admin_or_owner", "volume_extension:replication:promote": "rule:admin_api", "volume_extension:replication:reenable": "rule:admin_api", + "volume:enable_replication": "rule:admin_api", + "volume:disable_replication": "rule:admin_api", + "volume:failover_replication": "rule:admin_api", + "volume:list_replication_targets": "rule:admin_api", + "backup:create" : "", - "backup:delete": "", - "backup:get": "", - "backup:get_all": "", - "backup:restore": "", + "backup:delete": "rule:admin_or_owner", + "backup:get": "rule:admin_or_owner", + "backup:get_all": "rule:admin_or_owner", + "backup:restore": "rule:admin_or_owner", "backup:backup-import": "rule:admin_api", "backup:backup-export": "rule:admin_api", "snapshot_extension:snapshot_actions:update_snapshot_status": "", + "snapshot_extension:snapshot_manage": "rule:admin_api", + "snapshot_extension:snapshot_unmanage": "rule:admin_api", "consistencygroup:create" : "group:nobody", "consistencygroup:delete": "group:nobody",