From 8251b84819a59e8eac3115f53c8a9effe0f7ba5e Mon Sep 17 00:00:00 2001 From: adeheldb Date: Tue, 10 Feb 2026 20:53:15 -0300 Subject: [PATCH] New Cinder RBAC policies for Epoxy release The change adds policies that allow the execution of some new Cinder features. Please, also note that was necessary to add a new policy for Nova during the test plan execution. Policies: Cinder - volume_extension:type_get_all Nova - os_compute_api:servers:create:attach_volume Rules for policies: Cinder - admin_or_owner Nova - admin_or_projectmember_owner Story: 2011516 Task: 53808 TEST PLAN PASS - Apply new enhanced RBAC policies YAML files * system helm-override-update PASS - Ensure polices are working as expected (147 automated TC) Change-Id: If49f0061d2769546f156f0f0af70a585016e0218 Signed-off-by: adeheldb
---
 enhanced-policies/cinder-policy-overrides.yml | 1 +
 enhanced-policies/nova-policy-overrides.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/enhanced-policies/cinder-policy-overrides.yml b/enhanced-policies/cinder-policy-overrides.yml
index 9353a08a..5fd50999 100644
--- a/enhanced-policies/cinder-policy-overrides.yml
+++ b/enhanced-policies/cinder-policy-overrides.yml
@@ -122,6 +122,7 @@ conf:
 volume_extension:snapshot_admin_actions:reset_status: rule:admin_api
 volume_extension:snapshot_backup_status_attribute: rule:admin_or_projectadmin_owner
 volume_extension:snapshot_export_attributes: rule:admin_or_projectadmin_owner
+ volume_extension:type_get_all: rule:admin_or_owner
 volume_extension:types_extra_specs:create: rule:admin_api
 volume_extension:types_extra_specs:delete: rule:admin_api
 volume_extension:types_extra_specs:index: rule:admin_api
diff --git a/enhanced-policies/nova-policy-overrides.yml b/enhanced-policies/nova-policy-overrides.yml
index 88504cd6..1bf1dec2 100644
--- a/enhanced-policies/nova-policy-overrides.yml
+++ b/enhanced-policies/nova-policy-overrides.yml
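Review bot: In the cinder-policy-overrides.yml hunk, the added `volume_extension:type_get_all` entry points at `rule:admin_or_owner`, while every neighbouring entry in the hunk uses `admin_api` or a role-tiered alias such as `admin_or_projectadmin_owner`. The definition of `admin_or_owner` is outside the hunk; if this file does not override it, it presumably resolves to Cinder's built-in rule, which matches on project scope rather than on a project role, so this entry would not follow the role tiers the surrounding entries enforce. Either map it to the file's read-tier alias (the Nova file shows one, `admin_or_projectreadonly_required`; a Cinder equivalent is not visible here) or add a comment above the line such as `# listing volume types is intentionally open to any project-scoped user`.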
@@ -50,6 +50,7 @@ conf:
 os_compute_api:server-metadata:update_all: rule:admin_or_projectadmin_owner
 os_compute_api:servers:confirm_resize: rule:admin_or_projectadmin_owner
 os_compute_api:servers:create: rule:admin_or_projectmember_owner
+ os_compute_api:servers:create:attach_volume: rule:admin_or_projectmember_owner
 os_compute_api:servers:create_image: rule:admin_or_projectadmin_owner
 os_compute_api:servers:delete: rule:admin_or_projectadmin_owner
 os_compute_api:servers:detail: rule:admin_or_projectreadonly_required
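Review bot: No override for the sibling `os_compute_api:servers:create:attach_network` appears between `servers:create` and the added `servers:create:attach_volume` line, which is where the file's apparent alphabetical order would place it. If it is also absent from the rest of the file (not visible in this hunk), that check keeps Nova's built-in default while `create` and `create:attach_volume` follow `admin_or_projectmember_owner`, so the create sub-policies would be governed by two different rule sets. Consider adding `os_compute_api:servers:create:attach_network: rule:admin_or_projectmember_owner` next to the new line, or a comment stating that the default is intended.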