From 6db0f74e23db06ab391c4dc02da45083c1907992 Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Wed, 21 Jul 2021 16:05:20 +0200
Subject: [PATCH] Parameter to set api policy to limit live migration to role
Adds NovaRestrictLiveMigration boolean parmeter to enable an api policy to allow live migration only for a specific role which can be customized using NovaRestrictLiveMigrationRole. This feature is to prevent the default admin role users to be able to use live migration on coincidence. Additional policies specified using NovaApiPolicies get merged with this polic
Depends-On: https://review.opendev.org/c/openstack/puppet-nova/+/802251
Change-Id: If0b60037f7bb7084d0d5e549670e9d8bf53330a8
---
 .../nova/nova-api-container-puppet.yaml | 30 ++++++++++++++++++-
 ...ive_migration_policy-04fe402b554085b9.yaml | 10 +++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/nova_api_live_migration_policy-04fe402b554085b9.yaml
diff --git a/deployment/nova/nova-api-container-puppet.yaml b/deployment/nova/nova-api-container-puppet.yaml
index 7093080bef..c640bc6b78 100644
--- a/deployment/nova/nova-api-container-puppet.yaml
+++ b/deployment/nova/nova-api-container-puppet.yaml
@@ -236,6 +236,21 @@ parameters:
 description: |
 Use the advanced (eventlet safe) memcached client pool.
 default: true
+ NovaRestrictLiveMigration:
+ type: boolean
+ description: |
+ Restrict live migration by limit access to 'os_compute_api:os-migrate-server:migrate_live'
+ api policy to the NovaLiveMigrationRole role. This can be used to
+ disallow the default admin role use live migration.
+ Additional policies specified using NovaApiPolicies get merged with this
+ policy.
+ default: false
+ NovaRestrictLiveMigrationRole:
+ description: |
+ Name of the user role which gets set to limit live migration when
+ NovaRestrictLiveMigration is enabled.
+ default: 'live-migration'
+ type: string
 parameter_groups:
 - label: deprecated 
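Review bot: The description of NovaRestrictLiveMigration refers to a parameter `NovaLiveMigrationRole` that does not exist; the role parameter added directly below it is `NovaRestrictLiveMigrationRole`, so the line should read `api policy to the NovaRestrictLiveMigrationRole role. This can be used to`. While touching that text, `by limit access to` should be `by limiting access to` and `disallow the default admin role use live migration.` should be `disallow the default admin role from using live migration.` The two new parameter entries also order their keys differently (`type` first in one, `description`/`default`/`type` in the other); they should agree with each other and with the neighbouring parameters. Because the role name is interpolated verbatim into a policy rule string in the outputs hunk, a `constraints` entry with an `allowed_pattern` that rejects an empty value or whitespace would make the expected shape explicit and fail at stack validation instead of producing an unintended rule.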
@@ -374,7 +389,20 @@ outputs:
 params:
 $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
 nova::api::instance_name_template: {get_param: InstanceNameTemplate}
- nova::policy::policies: {get_param: NovaApiPolicies}
+ nova::policy::purge_config: true
+ nova::policy::policies:
+ map_merge:
+ - {get_param: NovaApiPolicies}
+ - if:
+ - {get_param: NovaRestrictLiveMigration}
+ - limit_live_migration:
+ key: 'os_compute_api:os-migrate-server:migrate_live'
+ value:
+ str_replace:
+ template: 'role:LMROLENAME'
+ params:
+ LMROLENAME: {get_param: NovaRestrictLiveMigrationRole}
+ - {}
 nova::api::allow_resize_to_same_host: {get_param: NovaAllowResizeToSameHost}
 nova_enable_db_purge: {get_param: NovaEnableDBPurge}
 nova::cron::purge_shadow_tables::minute: {get_param: NovaCronPurgeShadowTablesMinute}
diff --git a/releasenotes/notes/nova_api_live_migration_policy-04fe402b554085b9.yaml b/releasenotes/notes/nova_api_live_migration_policy-04fe402b554085b9.yaml
new file mode 100644
index 0000000000..7507af6b5a
--- /dev/null
+++ b/releasenotes/notes/nova_api_live_migration_policy-04fe402b554085b9.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Adds NovaRestrictLiveMigration boolean parmeter to enable an
+ api policy to allow live migration only for a specific role
+ which can be customized using NovaRestrictLiveMigrationRole.
+ This feature is to prevent the default admin role users to
+ be able to use live migration on coincidence.
+ Additional policies specified using NovaApiPolicies get
+ merged with this policy.
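Review bot: `nova::policy::purge_config: true` is added unconditionally and is mentioned in neither the commit message nor the release note, so it takes effect even when NovaRestrictLiveMigration is false; if it does what its name suggests, any policy entries an operator keeps in the nova policy file outside of NovaApiPolicies are dropped on the next deploy. That may be the right default for a declaratively managed policy file, but it is a behaviour change in its own right and deserves a sentence in the NovaApiPolicies description or the release note, and possibly a parameter of its own. The generated rule is bare `role:LMROLENAME`, so any token carrying that role satisfies it whether or not the holder is otherwise an admin; if the intent is to require the role in addition to the existing admin check rather than instead of it, the template needs that check and-ed in, for example `template: 'rule:ADMIN_RULE and role:LMROLENAME'` with ADMIN_RULE standing for whatever rule name nova's current default for this policy uses — verify against that default before choosing. The enclosing hieradata mapping starts above this hunk.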