Merge "Parameter to set api policy to limit live migration to role"

2021-09-02 09:48:56 +00:00 · 2021-09-02 09:48:56 +00:00 · ed7ad7ca68
parent 80b27de41b 6db0f74e23
commit ed7ad7ca68
2 changed files with 39 additions and 1 deletions
--- a/deployment/nova/nova-api-container-puppet.yaml
+++ b/deployment/nova/nova-api-container-puppet.yaml
@ -236,6 +236,21 @@ parameters:
    description: |
      Use the advanced (eventlet safe) memcached client pool.
    default: true
+  NovaRestrictLiveMigration:
+    type: boolean
+    description: |
+      Restrict live migration by limit access to 'os_compute_api:os-migrate-server:migrate_live'
+      api policy to the NovaLiveMigrationRole role. This can be used to
+      disallow the default admin role use live migration.
+      Additional policies specified using NovaApiPolicies get merged with this
+      policy.
+    default: false
+  NovaRestrictLiveMigrationRole:
+    description: |
+      Name of the user role which gets set to limit live migration when
+      NovaRestrictLiveMigration is enabled.
+    default: 'live-migration'
+    type: string

 parameter_groups:
 - label: deprecated
@ -374,7 +389,20 @@ outputs:
                params:
                  $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
            nova::api::instance_name_template: {get_param: InstanceNameTemplate}
-            nova::policy::policies: {get_param: NovaApiPolicies}
+            nova::policy::purge_config: true
+            nova::policy::policies:
+              map_merge:
+              - {get_param: NovaApiPolicies}
+              - if:
+                - {get_param: NovaRestrictLiveMigration}
+                - limit_live_migration:
+                    key: 'os_compute_api:os-migrate-server:migrate_live'
+                    value:
+                      str_replace:
+                        template: 'role:LMROLENAME'
+                        params:
+                           LMROLENAME: {get_param: NovaRestrictLiveMigrationRole}
+                - {}
            nova::api::allow_resize_to_same_host: {get_param: NovaAllowResizeToSameHost}
            nova_enable_db_purge: {get_param: NovaEnableDBPurge}
            nova::cron::purge_shadow_tables::minute: {get_param: NovaCronPurgeShadowTablesMinute}
--- a/releasenotes/notes/nova_api_live_migration_policy-04fe402b554085b9.yaml
+++ b/releasenotes/notes/nova_api_live_migration_policy-04fe402b554085b9.yaml
@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Adds NovaRestrictLiveMigration boolean parmeter to enable an
+    api policy to allow live migration only for a specific role
+    which can be customized using NovaRestrictLiveMigrationRole.
+    This feature is to prevent the default admin role users to
+    be able to use live migration on coincidence.
+    Additional policies specified using NovaApiPolicies get
+    merged with this policy.