98af869942
Add NovaShowHostStatus parameter to allow custom policies for accessing the full/limited compute host statuses in the requested Nova server details.

If enabled without further policy customization, it grants access to that information via the System/Project read only APIs. That shows the requested full or limited host status among the other Nova server details available for non-admins.

Additional policies specified using NovaApiPolicies get merged with this customizable NovaApiHostStatusPolicy.

The compute microversion of at least 2.16 is required for that.

It uses role:reader since Tripleo deployments won't be enforcing scope yet. Once it will be, we should use rule:system_or_project_reader.

Change-Id: Ib70a0f0bfdf47eceeecf5e1336670e8575f46e36
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
20 lines
1.1 KiB
YAML
---
features:
- |
Add `NovaShowHostStatus` to allow overriding API policies to access the compute
host status in the requested Nova server details. The default value 'hidden'
allows only admins to access it. Setting it to 'all' ('unknown-only') without
additional fine-grained tuning of `NovaApiHostStatusPolicy` shows the full
(limited) `host_status` to the system/project readers.
Add `NovaApiHostStatusPolicy` that defines a custom API policy for
`os_compute_api:servers:show:host_status and
`os_compute_api:servers:show:host_status:unknown-only`.
These rules, or roles, replace the admins-only policies based on the given
`NovaShowHostStatus`: 'unknown-only' shows the limited host status UNKNOWN
whenever a heartbeat was not received within the configured threshold, and
'all' also reveals UP, DOWN, or MAINTENANCE statuses in the Nova server
details. Finally, `NovaShowHostStatus`: 'hidden' puts it back being visible
only for admins. Additional policies specified using `NovaApiPolicies` get
merged with this policy.
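Review bot: the inline-code span opened before os_compute_api:servers:show:host_status in the second paragraph is never closed before "and", so the rendered release note will carry the code formatting into the text that follows; add the closing backtick after host_status. The note also leaves out two points from the commit message that an operator needs before changing the default: that compute microversion 2.16 or later is required, and that the default NovaApiHostStatusPolicy is role:reader because scope is not enforced yet. Since 'all' exposes UP, DOWN and MAINTENANCE host state to non-admin readers, it would help to state that role explicitly next to the "system/project readers" wording so the exposure is clear to anyone who only reads the release note.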