Merge "Use *_OR_ADMIN policy defaults for server shares"

Zuul
2026-01-23 05:00:53 +00:00
committed by Gerrit Code Review
2 changed files with 17 additions and 4 deletions
+4 -4
@@ -21,7 +21,7 @@ POLICY_ROOT = 'os_compute_api:os-server-shares:%s'
server_shares_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="List all shares for given server",
operations=[
{
@@ -32,7 +32,7 @@ server_shares_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Attach a share to the specified server",
operations=[
{
@@ -43,7 +43,7 @@ server_shares_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show a share configured for the specified server",
operations=[
{
@@ -54,7 +54,7 @@ server_shares_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Detach a share to the specified server",
operations=[
{
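Review bot: The four `check_str` defaults for `index`, `create`, `show` and `delete` now also pass for holders of the admin role, yet this page shows only the policy file and a release note changing, so nothing visible here pins the new authorization boundary. A policy unit test would help: it should assert that an admin outside the server's project is accepted (presumably the intent of the `*_OR_ADMIN` defaults) and that a project reader is still rejected for `create` and `delete`. If such tests already exist elsewhere in the tree, confirm they cover the admin case for the two write operations. Separately, the `delete` rule's description says "Detach a share to the specified server"; `description="Detach a share from the specified server",` reads correctly. The `server_shares_policies` list begins and ends outside these hunks, so any rules beyond these four were not reviewed.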
@@ -0,0 +1,13 @@
---
upgrade:
- |
The server-shares API policies have been updated to allow admin users
(those with the role admin) to access them. There are no changes to the
permissions for project users with the role reader/member. The following
API policies have been updated from PROJECT_READER/PROJECT_MEMBER to
PROJECT_READER_OR_ADMIN/PROJECT_MEMBER_OR_ADMIN to facilitate this change.
* ``os_compute_api:os-server-shares:index`` → ``PROJECT_READER_OR_ADMIN``
* ``os_compute_api:os-server-shares:create`` → ``PROJECT_MEMBER_OR_ADMIN``
* ``os_compute_api:os-server-shares:show`` → ``PROJECT_READER_OR_ADMIN``
* ``os_compute_api:os-server-shares:delete`` → ``PROJECT_MEMBER_OR_ADMIN``