author | Brian Rosmaita <rosmaita.fossdev@gmail.com> | 2020-12-15 17:20:22 -0500 |
---|---|---|
committer | Brian Rosmaita <rosmaita.fossdev@gmail.com> | 2021-03-05 19:09:35 +0000 |
commit | f6d256cf1fdc6d4d98b33cf511efa8cf2e71f2f4 | |
tree | 6ea68d91744dce478de99b5c9391707b9fe6de73 | |
parent | ecd2916042d009a93bc7b4b7f1d66548aa89b121 | |
Correct group:reset_group_snapshot_status policy
The default value for the group:reset_group_snapshot_status policy,
which governs the Block Storage API call "Reset group snapshot
status" [0], was changed to admin-or-owner during refactoring for the
policy-in-code initiative in Queens [1]. Consensus at the Wallaby
R-18 mid-cycle was that this change was a mistake that should be
corrected [2].
[0] https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status
[1] https://review.opendev.org/c/openstack/cinder/+/507812
[2] https://wiki.openstack.org/wiki/CinderWallabyMidCycleSummary#consistent_and_secure_policies
Change-Id: I7875d365bb73dd80ecbe30c4801599b6f781cc39
Closes-bug: #1908315
(cherry picked from commit 1631742f43a2d1f60cf5ccee26dced1d542f2bf6)
(cherry picked from commit 1941ecc6d4013ecfdf7e2d37fd87ffaa04d8a38d)
(cherry picked from commit 6c399a8b0d8e945911cf4408b0d6cb2d3d15bd3a)
-rw-r--r-- | cinder/policies/group_snapshot_actions.py | 2 | ||||
-rw-r--r-- | releasenotes/notes/bug-1908315-020fea3e244d49bb.yaml | 38 |
2 files changed, 39 insertions, 1 deletions
diff --git a/cinder/policies/group_snapshot_actions.py b/cinder/policies/group_snapshot_actions.py index 6a766d602..e74e0b173 100644 --- a/cinder/policies/group_snapshot_actions.py +++ b/cinder/policies/group_snapshot_actions.py @@ -24,7 +24,7 @@ RESET_STATUS = 'group:reset_group_snapshot_status' group_snapshot_actions_policies = [ policy.DocumentedRuleDefault( name=RESET_STATUS, - check_str=base.RULE_ADMIN_OR_OWNER, + check_str=base.RULE_ADMIN_API, description="Reset status of group snapshot.", operations=[ { diff --git a/releasenotes/notes/bug-1908315-020fea3e244d49bb.yaml b/releasenotes/notes/bug-1908315-020fea3e244d49bb.yaml new file mode 100644 index 000000000..f5a227641 --- /dev/null +++ b/releasenotes/notes/bug-1908315-020fea3e244d49bb.yaml 
@@ -0,0 +1,38 @@ +--- +upgrade: + - | + This release contains a fix for `Bug #1908315 + <https://bugs.launchpad.net/cinder/+bug/1908315>`_, which changes the + default value of the policy governing the Block Storage API action + `Reset group snapshot status + <https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status>`_ + to make the action administrator-only. This policy was inadvertently + changed to be admin-or-owner during the Queens development cycle. + + The policy is named ``group:reset_group_snapshot_status``. + + * If you have a custom value for this policy in your cinder policy + configuration file, this change to the default value will not affect + you. + * If you have been aware of this regression and like the current + (incorrect) behavior, you may add the following line to your cinder + policy configuration file to restore that behavior:: + + "group:reset_group_snapshot_status": "rule:admin_or_owner" + + This setting is *not recommended* by the Cinder project team, as it + may allow end users to put a group snapshot into an invalid status with + indeterminate consequences. + + For more information about the cinder policy configuration file, see the + `policy.yaml + <https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/policy.yaml.html>`_ + section of the Cinder Configuration Guide. +fixes: + - | + `Bug #1908315 <https://bugs.launchpad.net/cinder/+bug/1908315>`_: Corrected + the default checkstring for the ``group:reset_group_snapshot_status`` + policy to make it admin-only. This policy governs the Block Storage API + action `Reset group snapshot status + <https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status>`_, + which by default is supposed to be an adminstrator-only action. |
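Review bot: In cinder/policies/group_snapshot_actions.py, the switch of `check_str` from `base.RULE_ADMIN_OR_OWNER` to `base.RULE_ADMIN_API` ships without any test change. The diffstat lists only the policy module and the release note. Since this default already regressed once during a refactor, please add a policy unit test that pins it: a non-admin project owner must be denied `group:reset_group_snapshot_status` and an admin must be allowed, so a future refactor that loosens the check string fails in CI instead of being found in the field.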
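Review bot: In releasenotes/notes/bug-1908315-020fea3e244d49bb.yaml, the last line of the `fixes` entry has a typo, "adminstrator-only", which should read "administrator-only" to match the spelling used in the `upgrade` entry. The `upgrade` entry also covers operators with a custom value and operators who want the old behaviour back, but not the default case: consider adding one sentence stating that, with no override in place, requests from non-admin owners to reset a group snapshot status will be rejected by policy after the upgrade, so operators know to check for tooling that relied on the admin-or-owner default.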