Parameter to set api policy to limit live migration to role

Adds NovaRestrictLiveMigration boolean parameter to enable an
api policy to allow live migration only for a specific role
which can be customized using NovaRestrictLiveMigrationRole.
This feature is to prevent the default admin role users from
being able to use live migration by coincidence.
Additional policies specified using NovaApiPolicies get
merged with this policy.

Depends-On: https://review.opendev.org/c/openstack/puppet-nova/+/802251
Change-Id: If0b60037f7bb7084d0d5e549670e9d8bf53330a8
Martin Schuppert 2021-07-21 16:05:20 +02:00
parent 0835d2a25c
commit 6db0f74e23
2 changed files with 39 additions and 1 deletions


@ -236,6 +236,21 @@ parameters:
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
NovaRestrictLiveMigration:
type: boolean
description: |
Restrict live migration by limit access to 'os_compute_api:os-migrate-server:migrate_live'
api policy to the NovaLiveMigrationRole role. This can be used to
disallow the default admin role use live migration.
Additional policies specified using NovaApiPolicies get merged with this
policy.
default: false
NovaRestrictLiveMigrationRole:
description: |
Name of the user role which gets set to limit live migration when
NovaRestrictLiveMigration is enabled.
default: 'live-migration'
type: string
parameter_groups:
- label: deprecated
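Review bot: the description of NovaRestrictLiveMigration refers to a parameter that does not exist: it says access is limited "to the NovaLiveMigrationRole role", but the parameter added right below is NovaRestrictLiveMigrationRole. Fix the reference, and while here "Restrict live migration by limit access to" should read "Restrict live migration by limiting access to". The description should also tell the operator that the role named by NovaRestrictLiveMigrationRole (default 'live-migration') has to exist in Keystone and be assigned to the intended users before the flag is turned on, because once the rule replaces the default nothing else matches the policy and no one, admin included, can live migrate.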
@ -374,7 +389,20 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
nova::api::instance_name_template: {get_param: InstanceNameTemplate}
nova::policy::policies: {get_param: NovaApiPolicies}
nova::policy::purge_config: true
nova::policy::policies:
map_merge:
- {get_param: NovaApiPolicies}
- if:
- {get_param: NovaRestrictLiveMigration}
- limit_live_migration:
key: 'os_compute_api:os-migrate-server:migrate_live'
value:
str_replace:
template: 'role:LMROLENAME'
params:
LMROLENAME: {get_param: NovaRestrictLiveMigrationRole}
- {}
nova::api::allow_resize_to_same_host: {get_param: NovaAllowResizeToSameHost}
nova_enable_db_purge: {get_param: NovaEnableDBPurge}
nova::cron::purge_shadow_tables::minute: {get_param: NovaCronPurgeShadowTablesMinute}
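Review bot: map_merge does not guard against a conflicting entry, because the merge is keyed on the hash name limit_live_migration rather than on the policy key: an operator who ships their own entry for 'os_compute_api:os-migrate-server:migrate_live' under a different name in NovaApiPolicies ends up with two definitions of the same policy key in the purged policy file, and this template does not decide which one wins. Either document that NovaApiPolicies must not set that key when NovaRestrictLiveMigration is true, or reject the clash. Separately, the generated rule is exactly 'role:LMROLENAME' and nothing else, so any user holding that role on any project can live-migrate any instance in the cloud; if the intent is to narrow what admins may do rather than to hand a non-admin role a cloud-wide capability, combine it with the admin check in the template (for example 'role:LMROLENAME and rule:context_is_admin') instead of replacing it. The role name is also interpolated without validation, so a value containing spaces or quotes produces a rule oslo.policy cannot parse.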


@ -0,0 +1,10 @@
---
features:
- |
Adds NovaRestrictLiveMigration boolean parmeter to enable an
api policy to allow live migration only for a specific role
which can be customized using NovaRestrictLiveMigrationRole.
This feature is to prevent the default admin role users to
be able to use live migration on coincidence.
Additional policies specified using NovaApiPolicies get
merged with this policy.
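Review bot: the release note repeats the wording problems of the commit message: "parmeter" should be "parameter", and "to prevent the default admin role users to be able to use live migration on coincidence" should read "to prevent users holding the default admin role from being able to use live migration by coincidence". It should also state that the role named by NovaRestrictLiveMigrationRole must exist and be assigned before the flag is enabled, since the note as written gives no hint that enabling it with no such role locks everyone out of live migration.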