Reviewed: https://review.openstack.org/449288 Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=a8fd8731d2e5562c5631d6847d4d781ed0a2e772 Submitter: Jenkins Branch: master
commit a8fd8731d2e5562c5631d6847d4d781ed0a2e772 Author: Rick Bartra <rb5...@att.com> Date: Tue Jul 18 17:38:52 2017 -0400 Add policy granularity to the Flavors API The same policy rule (os_compute_api:os-flavor-manage) is being used for the create and delete actions of the flavors REST API. It is thus impossible to provide different RBAC for the create and delete actions based on roles. To address this, changes are made to have separate policy rules for each action. Most other places in nova (and OpenStack in general) have separate policy rules for each action. This affords the ultimate flexibility to deployers, who can obviously use the same rule if that is what they want. To address backwards compatibility, the new rules added to the flavor_manage.py policy file, default to the existing rule (os_compute_api:os-flavor-manage). That way across upgrades this should ensure if an existing admin has customised the rule, it keeps working, but folks that know about the new setting can override the default rule. In addtion, a verify_deprecated_policy method is added to see if the old policy action is being configured instead of the new actions. Closes-Bug: #1675147 Co-Authored-By: Felipe Monteiro <felipe.monte...@att.com> Change-Id: Ic67b52ebac3a47e9fb7e3c0d6c3ce8a6bc539e11 ** Changed in: nova Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1675147 Title: Compute flavor management not granular enough by policy and code Status in OpenStack Compute (nova): Fix Released Bug description: We need the Nova policy and code to support more granularity (i.e. Create/Delete) for Flavor management. Current policy check only checks os_compute_api:os-flavor-manage and action(s) are missing in the nova policy-in-code. Each API should have its own policy action that it checks. The new policy checks should be added here: https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/flavor_manage.py Additional policy actions should be added here: https://github.com/openstack/nova/blob/master/nova/policies/flavor_manage.py To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1675147/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp