Parameter to set api policy to limit live migration to role
Adds NovaRestrictLiveMigration boolean parameter to enable an api policy to allow live migration only for a specific role which can be customized using NovaRestrictLiveMigrationRole. This feature is to prevent the default admin role users to be able to use live migration on coincidence. Additional policies specified using NovaApiPolicies get merged with this policy.

Depends-On: https://review.opendev.org/c/openstack/puppet-nova/+/802251
Change-Id: If0b60037f7bb7084d0d5e549670e9d8bf53330a8
parent 0835d2a25c
commit 6db0f74e23
@ -236,6 +236,21 @@ parameters:
|
|||
description: |
|
||||
Use the advanced (eventlet safe) memcached client pool.
|
||||
default: true
|
||||
NovaRestrictLiveMigration:
|
||||
type: boolean
|
||||
description: |
|
||||
Restrict live migration by limit access to 'os_compute_api:os-migrate-server:migrate_live'
|
||||
api policy to the NovaLiveMigrationRole role. This can be used to
|
||||
disallow the default admin role use live migration.
|
||||
Additional policies specified using NovaApiPolicies get merged with this
|
||||
policy.
|
||||
default: false
|
||||
NovaRestrictLiveMigrationRole:
|
||||
description: |
|
||||
Name of the user role which gets set to limit live migration when
|
||||
NovaRestrictLiveMigration is enabled.
|
||||
default: 'live-migration'
|
||||
type: string
|
||||
|
||||
parameter_groups:
|
||||
- label: deprecated
|
||||
|
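Review bot: The NovaRestrictLiveMigration description names a "NovaLiveMigrationRole role", but the parameter defined directly below it is NovaRestrictLiveMigrationRole, so an operator searching for the documented name will not find it. Please use the real parameter name in the description and tidy the wording ("by limiting access to the ... api policy", "from using live migration"). NovaRestrictLiveMigrationRole also accepts any string, including an empty one, which the second hunk would turn into the rule 'role:'; a length or allowed_pattern constraint on the parameter would reject that at validation time.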
@ -374,7 +389,20 @@ outputs:
|
|||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
nova::api::instance_name_template: {get_param: InstanceNameTemplate}
|
||||
nova::policy::policies: {get_param: NovaApiPolicies}
|
||||
nova::policy::purge_config: true
|
||||
nova::policy::policies:
|
||||
map_merge:
|
||||
- {get_param: NovaApiPolicies}
|
||||
- if:
|
||||
- {get_param: NovaRestrictLiveMigration}
|
||||
- limit_live_migration:
|
||||
key: 'os_compute_api:os-migrate-server:migrate_live'
|
||||
value:
|
||||
str_replace:
|
||||
template: 'role:LMROLENAME'
|
||||
params:
|
||||
LMROLENAME: {get_param: NovaRestrictLiveMigrationRole}
|
||||
- {}
|
||||
nova::api::allow_resize_to_same_host: {get_param: NovaAllowResizeToSameHost}
|
||||
nova_enable_db_purge: {get_param: NovaEnableDBPurge}
|
||||
nova::cron::purge_shadow_tables::minute: {get_param: NovaCronPurgeShadowTablesMinute}
|
||||
|
|
|
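Review bot: The map_merge under nova::policy::policies merges on the outer entry name (limit_live_migration), not on the inner policy key, so a NovaApiPolicies entry with a different name that also sets 'os_compute_api:os-migrate-server:migrate_live' is not replaced and both entries reach nova::policy::policies. Which rule ends up in the policy file is then decided by the consumer rather than by this template, and an operator who enabled NovaRestrictLiveMigration could still have a broader rule applied. Please either document that NovaApiPolicies must not define the same key when the restriction is enabled, or state in the parameter description that the entry name limit_live_migration is reserved so an override is explicit. It would also help to note here that 'role:LMROLENAME' replaces the rule rather than adding to it, since that is what removes the default admin access.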
@ -0,0 +1,10 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
Adds NovaRestrictLiveMigration boolean parmeter to enable an
|
||||
api policy to allow live migration only for a specific role
|
||||
which can be customized using NovaRestrictLiveMigrationRole.
|
||||
This feature is to prevent the default admin role users to
|
||||
be able to use live migration on coincidence.
|
||||
Additional policies specified using NovaApiPolicies get
|
||||
merged with this policy.
|
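Review bot: In the features entry, "parmeter" is a typo for "parameter", and "on coincidence" would read more clearly as "by accident". The note also omits what an operator needs in order to use the feature: that NovaRestrictLiveMigration defaults to false, that NovaRestrictLiveMigrationRole defaults to 'live-migration', and that users who should keep the ability to live migrate need that role assigned once the restriction is enabled.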