Diffstat (limited to 'nova/policies/assisted_volume_snapshots.py')
-rw-r--r-- | nova/policies/assisted_volume_snapshots.py | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/nova/policies/assisted_volume_snapshots.py b/nova/policies/assisted_volume_snapshots.py
index ed919076b4..98a67a8e37 100644
--- a/nova/policies/assisted_volume_snapshots.py
+++ b/nova/policies/assisted_volume_snapshots.py
@@ -24,7 +24,14 @@ POLICY_ROOT = 'os_compute_api:os-assisted-volume-snapshots:%s'
 assisted_volume_snapshots_policies = [
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'create',
- check_str=base.SYSTEM_ADMIN,
+ # TODO(gmann): This is internal API policy and called by
+ # cinder. Add 'service' role in this policy so that cinder
+ # can call it with user having 'service' role (not having
+ # correct project_id). That is for phase-2 of RBAC goal and until
+ # then, we keep it open for all admin in any project. We cannot
+ # default it to ADMIN which has the project_id in
+ # check_str and will fail if cinder call it with other project_id.
+ check_str=base.ADMIN,
 description="Create an assisted volume snapshot",
 operations=[
 {
@@ -32,10 +39,17 @@ assisted_volume_snapshots_policies = [
 'method': 'POST'
 }
 ],
- scope_types=['system']),
+ scope_types=['project']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'delete',
- check_str=base.SYSTEM_ADMIN,
+ # TODO(gmann): This is internal API policy and called by
+ # cinder. Add 'service' role in this policy so that cinder
+ # can call it with user having 'service' role (not having
+ # correct project_id). That is for phase-2 of RBAC goal and until
+ # then, we keep it open for all admin in any project. We cannot
+ # default it to ADMIN which has the project_id in
+ # check_str and will fail if cinder call it with other project_id.
+ check_str=base.ADMIN,
 description="Delete an assisted volume snapshot",
 operations=[
 {
@@ -43,7 +57,7 @@ assisted_volume_snapshots_policies = [
 'method': 'DELETE'
 }
 ],
- scope_types=['system']),
+ scope_types=['project']),
 ] |
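Review bot: The TODO added above `check_str=base.ADMIN` in the 'create' rule contradicts the line it annotates: it says the rule cannot default to ADMIN because that check carries a project_id, yet the default it sets is `base.ADMIN`. The definitions in `base` are outside this diff, so presumably the sentence means the project-bound admin rule rather than `ADMIN`; the comment should name that rule, so that a later reader does not "correct" the default to one that rejects cinder's calls. The same text is repeated verbatim on the 'delete' rule in the next hunk. The comment also records that the interim default admits an admin of any project, and with `scope_types=['project']` in the later hunks the role appears to be the only gate on this internal API, which is worth one explicit line such as `# NOTE: no project_id check here; any project-scoped admin token passes until the 'service' role is added.` The list `assisted_volume_snapshots_policies` begins in this hunk's context and continues past it.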