From f017e23b81a8a3c02473148bff3e91898249953d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Ribaud?=
Date: Wed, 19 Nov 2025 16:03:16 +0100
Subject: [PATCH] Use *_OR_ADMIN policy defaults for server shares
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Update the server shares API policies to use PROJECT_READER_OR_ADMIN and PROJECT_MEMBER_OR_ADMIN instead of PROJECT_READER and PROJECT_MEMBER. This aligns the server shares policies with other compute API policies and ensures administrators can list, attach, show and detach shares regardless of project policy overrides.

Signed-off-by: René Ribaud
Change-Id: I2b237d56b08e3080475dc500e204298018af29c7
---
 nova/policies/server_shares.py | 8 ++++----
 ...fix_server_shares_policies-3eb7b22330f886fc.yaml | 13 +++++++++++++
 2 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/fix_server_shares_policies-3eb7b22330f886fc.yaml

diff --git a/nova/policies/server_shares.py b/nova/policies/server_shares.py
index 0b6249ee84..e711926661 100644
--- a/nova/policies/server_shares.py
+++ b/nova/policies/server_shares.py
@@ -21,7 +21,7 @@ POLICY_ROOT = 'os_compute_api:os-server-shares:%s'
 server_shares_policies = [
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
 description="List all shares for given server",
 operations=[
 {
@@ -32,7 +32,7 @@ server_shares_policies = [
 scope_types=['project']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'create',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
 description="Attach a share to the specified server",
 operations=[
 {
@@ -43,7 +43,7 @@ server_shares_policies = [
 scope_types=['project']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER,
+ check_str=base.PROJECT_READER_OR_ADMIN,
 description="Show a share configured for the specified server",
 operations=[
 {
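Review bot: Nothing in this patch pins the widened defaults: the diffstat lists only nova/policies/server_shares.py and the release note, so the switch to `check_str=base.PROJECT_READER_OR_ADMIN` on `index` (and the matching changes on `create`, `show` and `delete` in the hunks at -32, -43 and -54) is not covered by a policy unit test here. A test asserting that an admin context is authorized for each of the four rules, while a non-admin from another project is still rejected, would keep this authorization boundary from drifting. If, as the commit message's "regardless of project policy overrides" suggests, the admin branch passes without a project match, the release note should also say plainly that admins can attach and detach shares on servers in any project. The `server_shares_policies` list starts and ends outside these hunks.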
@@ -54,7 +54,7 @@ server_shares_policies = [
 scope_types=['project']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'delete',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.PROJECT_MEMBER_OR_ADMIN,
 description="Detach a share to the specified server",
 operations=[
 {
diff --git a/releasenotes/notes/fix_server_shares_policies-3eb7b22330f886fc.yaml b/releasenotes/notes/fix_server_shares_policies-3eb7b22330f886fc.yaml
new file mode 100644
index 0000000000..53bee415fa
--- /dev/null
+++ b/releasenotes/notes/fix_server_shares_policies-3eb7b22330f886fc.yaml
@@ -0,0 +1,13 @@
+---
+upgrade:
+ - |
+ The server-shares API policies have been updated to allow admin users
+ (those with the role admin) to access them. There are no changes to the
+ permissions for project users with the role reader/member. The following
+ API policies have been updated from PROJECT_READER/PROJECT_MEMBER to
+ PROJECT_READER_OR_ADMIN/PROJECT_MEMBER_OR_ADMIN to facilitate this change.
+
+ * ``os_compute_api:os-server-shares:index`` → ``PROJECT_READER_OR_ADMIN``
+ * ``os_compute_api:os-server-shares:create`` → ``PROJECT_MEMBER_OR_ADMIN``
+ * ``os_compute_api:os-server-shares:show`` → ``PROJECT_READER_OR_ADMIN``
+ * ``os_compute_api:os-server-shares:delete`` → ``PROJECT_MEMBER_OR_ADMIN``
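Review bot: The `delete` rule's description in the nova/policies/server_shares.py hunk at -54 reads "Detach a share to the specified server", which says the opposite direction of what the rule authorizes. Since the line sits directly under the changed `check_str` and this text is what operators see when they read the documented rule, it could be corrected in the same patch to `description="Detach a share from the specified server",`. The rule's `operations` list continues outside the hunk.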