Use *_OR_ADMIN policy defaults for server shares

Update the server shares API policies to use
PROJECT_READER_OR_ADMIN and PROJECT_MEMBER_OR_ADMIN instead of
PROJECT_READER and PROJECT_MEMBER.

This aligns the server shares policies with other compute API
policies and ensures administrators can list, attach, show and
detach shares regardless of project policy overrides.

Signed-off-by: René Ribaud <rene.ribaud@gmail.com>
Change-Id: I2b237d56b08e3080475dc500e204298018af29c7
René Ribaud
2025-11-19 16:03:16 +01:00
parent e2eefc277c
commit f017e23b81
2 changed files with 17 additions and 4 deletions
+4 -4
@@ -21,7 +21,7 @@ POLICY_ROOT = 'os_compute_api:os-server-shares:%s'
server_shares_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="List all shares for given server",
operations=[
{
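Review bot: the check_str change for the index rule matches the commit message, but the commit stat shows only two files (the policy module and a release note), so no policy unit test is updated; if the project keeps per-rule tests that enumerate the authorized and unauthorized contexts, the admin contexts should move into the authorized set for index and show (reader rules) and create and delete (member rules) in this same change, otherwise the new admin access is untested.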
@@ -32,7 +32,7 @@ server_shares_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Attach a share to the specified server",
operations=[
{
@@ -43,7 +43,7 @@ server_shares_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.PROJECT_READER,
check_str=base.PROJECT_READER_OR_ADMIN,
description="Show a share configured for the specified server",
operations=[
{
@@ -54,7 +54,7 @@ server_shares_policies = [
scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.PROJECT_MEMBER,
check_str=base.PROJECT_MEMBER_OR_ADMIN,
description="Detach a share to the specified server",
operations=[
{
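Review bot: the description on the delete rule, "Detach a share to the specified server", reads wrong; "Detach a share from the specified server" matches the wording of the index/show rules. It is unrelated to the policy default change, but a one-word fix while the rule is being touched.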
@@ -0,0 +1,13 @@
---
upgrade:
- |
The server-shares API policies have been updated to allow admin users
(those with the role admin) to access them. There are no changes to the
permissions for project users with the role reader/member. The following
API policies have been updated from PROJECT_READER/PROJECT_MEMBER to
PROJECT_READER_OR_ADMIN/PROJECT_MEMBER_OR_ADMIN to facilitate this change.
* ``os_compute_api:os-server-shares:index`` → ``PROJECT_READER_OR_ADMIN``
* ``os_compute_api:os-server-shares:create`` → ``PROJECT_MEMBER_OR_ADMIN``
* ``os_compute_api:os-server-shares:show`` → ``PROJECT_READER_OR_ADMIN``
* ``os_compute_api:os-server-shares:delete`` → ``PROJECT_MEMBER_OR_ADMIN``
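Review bot: the note says admin users can now access these APIs, but the context lines of the policy hunks show scope_types=['project'] unchanged, so with scope enforcement enabled an admin still needs a project-scoped token; one sentence stating that these rules remain project-scoped would stop operators reading this as system-scope admin access. The list of updated rules and the statement that reader/member permissions are unchanged are accurate against the four hunks.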