From 21c478b9c84193557ba157e93a6a9e70784f9094 Mon Sep 17 00:00:00 2001
From: Rajat Dhasmana
Date: Wed, 19 Feb 2025 03:55:40 +0530
Subject: [PATCH] Add support for service role in discovery API

The stores detail API used to only accepts request from admin users. This patch modifies the policy to handle service to service interaction to let other services (like cinder) use the information for optimization use cases.

Change-Id: If193866b21bba1100d1e2ee7ffc2e3bd45474c05
---
 glance/policies/base.py | 3 +++
 glance/policies/discovery.py | 8 ++++++--
 ...dd-service-role-to-discovery-e37eb2fd74ed20ef.yaml | 11 +++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/add-service-role-to-discovery-e37eb2fd74ed20ef.yaml

diff --git a/glance/policies/base.py b/glance/policies/base.py
index c2f2df933f..b6fffc15a4 100644
--- a/glance/policies/base.py
+++ b/glance/policies/base.py
@@ -89,6 +89,9 @@ SERVICE_OR_PROJECT_MEMBER = (
 )
 
 SERVICE = 'rule:service_api'
+SERVICE_ROLE = 'service_roles:service'
+
+ADMIN_OR_SERVICE_ROLE = f'{ADMIN} or {SERVICE_ROLE}'
 
 rules = [
     policy.RuleDefault(name='default', check_str='',
diff --git a/glance/policies/discovery.py b/glance/policies/discovery.py
index a7a73281b3..98d2949887 100644
--- a/glance/policies/discovery.py
+++ b/glance/policies/discovery.py
@@ -20,13 +20,17 @@ from glance.policies import base
 
 
 discovery_policies = [
     policy.DocumentedRuleDefault(
         name="stores_info_detail",
-        check_str=base.ADMIN,
+        check_str=base.ADMIN_OR_SERVICE_ROLE,
         scope_types=['project'],
         description='Expose store specific information',
         operations=[
             {'path': '/v2/info/stores/detail', 'method': 'GET'}
-        ]
+        ],
+        deprecated_rule=policy.DeprecatedRule(
+            name="stores_info_detail", check_str=base.ADMIN,
+            deprecated_reason="Stores info detail now supports service role.",
+            deprecated_since="2025.1"),
     ),
 ]
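Review bot: `ADMIN_OR_SERVICE_ROLE = f'{ADMIN} or {SERVICE_ROLE}'` joins the two checks with `or`, but the release note added in this same change describes the replacement rule as `rule:context_is_admin AND service_roles:service`; the two disagree, and since the commit's stated goal is to let a service caller reach the API without being admin, the `or` form looks intended and the note should be corrected so operators auditing the widened access are not misled. The new `SERVICE_ROLE = 'service_roles:service'` is also a different check form from the `SERVICE = 'rule:service_api'` defined three lines above it, and nothing in the hunk explains which credential attribute it evaluates or why the existing constant is not reused; a comment on the new line such as `# NOTE: service_roles:* is evaluated against the service token, distinct from rule:service_api - confirm before widening other policies with it` would let the next reader tell them apart. The same wording gap applies to `deprecated_reason` in the discovery.py hunk.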
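Review bot: The diffstat lists only the two policy modules and a release note, so nothing in this change exercises a request that carries the service role but not admin against `/v2/info/stores/detail`, nor confirms that the deprecated admin-only rule still grants access during the deprecation window; a policy test pinning both outcomes would make the widened authorization verifiable rather than assumed. The unchanged `description='Expose store specific information'` now covers every service-role holder in the deployment, not just cinder as the commit message suggests, so it is worth stating that audience there, e.g. `description='Expose store specific information to admins and service-role callers'`. The `discovery_policies` list is shown in full, so no part of it lies outside the hunk.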
diff --git a/releasenotes/notes/add-service-role-to-discovery-e37eb2fd74ed20ef.yaml b/releasenotes/notes/add-service-role-to-discovery-e37eb2fd74ed20ef.yaml
new file mode 100644
index 0000000000..1531aebb2a
--- /dev/null
+++ b/releasenotes/notes/add-service-role-to-discovery-e37eb2fd74ed20ef.yaml
@@ -0,0 +1,11 @@
+---
+upgrade:
+  - |
+    The ``stores_info_detail`` policy has deprecated the rule
+    ``rule:context_is_admin`` in favor of ``rule:context_is_admin AND
+    service_roles:service`` to allow service to service interaction.
+deprecations:
+  - |
+    The ``stores_info_detail`` policy has deprecated the rule
+    ``rule:context_is_admin`` in favor of ``rule:context_is_admin AND
+    service_roles:service`` to allow service to service interaction.