
Fixing the review comments from - https://review.opendev.org/c/openstack/nova/+/953063

Implement blueprint policy-manager-role-default

Change-Id: Idf376d9bd2eea981206738d0217ddc578875b280
Signed-off-by: Ghanshyam Maan <gmaan@ghanshyammann.com>
114 lines
4.4 KiB
YAML
---
features:
  - |
    Nova now supports a new default role ``manager``. This role is part of the
    standard role hierarchy supported by keystone. A new persona, the
    ``project_manager``, is denoted by someone with the ``manager`` role on a
    specific project. The ``project_manager`` persona is intended to perform
    more privileged operations than a ``project_member`` while granting less
    access than the global admin role. This brings the total set of personas
    currently supported by Nova to:

    * ``admin``
    * ``project_manager``
    * ``project_member``
    * ``project_reader``

    To avoid any change in ``admin`` permissions, Nova uses
    ``PROJECT_MANAGER_OR_ADMIN`` as the default wherever manager access is
    granted. In this release, the policies for the APIs below are newly
    defaulted to ``PROJECT_MANAGER_OR_ADMIN``:

    - ``os_compute_api:os-migrate-server:migrate`` (cold migrate a server
      without specifying a host)
    - ``os_compute_api:os-migrate-server:migrate_live`` (live migrate a server
      without specifying a host)
    - ``os_compute_api:os-migrations:index`` (list migrations without host
      info)
    - ``os_compute_api:servers:migrations:index`` (list in-progress live
      migrations for a given server without host info)
    - ``os_compute_api:servers:migrations:force_complete`` (force completion
      of an in-progress live migration for a given server)
    - ``os_compute_api:servers:migrations:delete`` (delete (abort) an
      in-progress live migration)

    In addition, a number of new, more granular policies are introduced to
    allow the ``project_manager`` persona to be used in the migration APIs
    while the host-specific and cross-project variants keep an ``ADMIN``
    default:

    * Live migration:

      - The existing policy is used when live migrating a server without
        specifying a host:

        - ``os_compute_api:os-migrate-server:migrate_live`` (live migrate a
          server without specifying a host)
        - Default: ``PROJECT_MANAGER_OR_ADMIN``

      - A new policy is used when live migrating a server to a specific host:

        - ``os_compute_api:os-migrate-server:migrate_live:host`` (live migrate
          a server to a specific host)
        - Default: ``ADMIN``

    * List server migrations:

      - The existing policy is used to list in-progress live migrations
        without host info:

        - ``os_compute_api:servers:migrations:index`` (list in-progress live
          migrations for a given server)
        - Default: ``PROJECT_MANAGER_OR_ADMIN``

      - A new policy is used to include host info in the live migrations
        list:

        - ``os_compute_api:servers:migrations:index:host`` (list in-progress
          live migrations for a given server with host info)
        - Default: ``ADMIN``

    * List migrations:

      - The existing policy is used to list migrations without host info:

        - ``os_compute_api:os-migrations:index`` (list migrations without
          host info)
        - Default: ``PROJECT_MANAGER_OR_ADMIN``

      - New policies are used to list migrations across projects and to
        include host info in the migrations list:

        - ``os_compute_api:os-migrations:index:all_projects`` (list migrations
          for all or cross projects)
        - Default: ``ADMIN``
        - ``os_compute_api:os-migrations:index:host`` (list migrations
          with host info)
        - Default: ``ADMIN``

    Scope checks and new defaults are enabled by default and it is recommended
    to use the new defaults. However, if your deployment needs more time, you
    can disable them by setting the below config options in the ``nova.conf``
    file::

      [oslo_policy]
      enforce_new_defaults=False
      enforce_scope=False

    Please refer to `Policy New Defaults`_ for details about the policy new
    defaults.

    .. _Policy New Defaults: https://docs.openstack.org/nova/latest/configuration/policy-concepts.html
upgrade:
  - |
    New policies are added to the live migration APIs with the same default.
    If you are using the default policy, then no action is needed, but if you
    have overridden the existing live migration policies in your deployment,
    you must include the new policies with the same permissions.

    - Existing policy:

      - ``os_compute_api:os-migrate-server:migrate_live``
      - ``os_compute_api:servers:migrations:index``
      - ``os_compute_api:os-migrations:index``

    - New policy:

      - ``os_compute_api:os-migrate-server:migrate_live:host``
      - ``os_compute_api:servers:migrations:index:host``
      - ``os_compute_api:os-migrations:index:all_projects``
      - ``os_compute_api:os-migrations:index:host``
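The upgrade note above says that an operator who overrode one of the existing live migration policies must also override its new companion policies, otherwise those fall back to the new ``ADMIN`` default and a custom role silently loses the host-targeting or host-info capability it had before. The following script, added here as an example and not part of Nova or oslo.policy, audits a ``policy.yaml`` override file for exactly that gap. It assumes the flat ``"policy_name": "rule"`` form that oslo.policy accepts for ``policy.yaml``; the helper names, the ``ops_migrator`` role and the sample file are hypothetical, and the default names are the symbolic ``PROJECT_MANAGER_OR_ADMIN`` / ``ADMIN`` labels from the release note rather than their expanded rule strings.

```python
"""Added example (not Nova code): audit nova policy.yaml overrides for
live-migration policies that this release splits into granular companions.

Assumptions: flat '"name": "rule"' override lines (quoted or unquoted
keys); helper names below are hypothetical.
"""

# Existing policy -> new companion policies split out of it (per release note).
COMPANION_POLICIES = {
    "os_compute_api:os-migrate-server:migrate_live": [
        "os_compute_api:os-migrate-server:migrate_live:host",
    ],
    "os_compute_api:servers:migrations:index": [
        "os_compute_api:servers:migrations:index:host",
    ],
    "os_compute_api:os-migrations:index": [
        "os_compute_api:os-migrations:index:all_projects",
        "os_compute_api:os-migrations:index:host",
    ],
}

# Symbolic new defaults as named in the release note (not expanded here).
NEW_DEFAULTS = {
    "os_compute_api:os-migrate-server:migrate_live": "PROJECT_MANAGER_OR_ADMIN",
    "os_compute_api:os-migrate-server:migrate_live:host": "ADMIN",
    "os_compute_api:servers:migrations:index": "PROJECT_MANAGER_OR_ADMIN",
    "os_compute_api:servers:migrations:index:host": "ADMIN",
    "os_compute_api:os-migrations:index": "PROJECT_MANAGER_OR_ADMIN",
    "os_compute_api:os-migrations:index:all_projects": "ADMIN",
    "os_compute_api:os-migrations:index:host": "ADMIN",
}


def _unquote(s):
    s = s.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'":
        return s[1:-1]
    return s


def parse_policy_overrides(text):
    """Parse flat 'name: rule' lines into a dict, skipping comments/blanks.

    Policy names contain colons, so a quoted key is read up to its closing
    quote and an unquoted key up to the first ': ' separator.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):
            end = line.index('"', 1)
            key, rest = line[1:end], line[end + 1:].lstrip()
            if not rest.startswith(":"):
                raise ValueError(f"malformed policy line: {raw!r}")
            value = rest[1:]
        else:
            key, sep, value = line.partition(": ")
            if not sep:
                raise ValueError(f"malformed policy line: {raw!r}")
        rules[key] = _unquote(value)
    return rules


def find_missing_companions(rules):
    """{existing_policy: [companions not also overridden]}.

    An un-overridden companion takes its new default (ADMIN for the host and
    all_projects variants), so a role the old override admitted loses it.
    """
    missing = {}
    for existing, companions in COMPANION_POLICIES.items():
        if existing not in rules:
            continue
        absent = [name for name in companions if name not in rules]
        if absent:
            missing[existing] = absent
    return missing


def suggest_overrides(rules):
    """policy.yaml lines giving each missing companion the same rule string
    as the policy it was split from (preserves pre-upgrade behaviour)."""
    return [
        f'"{name}": "{rules[existing]}"'
        for existing, absent in find_missing_companions(rules).items()
        for name in absent
    ]


def effective_rule(name, rules):
    """Override if present, otherwise the new default named in the note."""
    return rules.get(name, NEW_DEFAULTS[name])


# Constructed sample of an operator's overrides (not a real deployment file):
# a custom role may live migrate and list migrations; only one of the new
# companion policies was added.
SAMPLE_POLICY_YAML = """\
# constructed sample overrides
"os_compute_api:os-migrate-server:migrate_live": "role:ops_migrator or rule:context_is_admin"
os_compute_api:os-migrations:index: "role:ops_migrator or rule:context_is_admin"
"os_compute_api:os-migrations:index:host": "rule:context_is_admin"
"""

if __name__ == "__main__":
    overrides = parse_policy_overrides(SAMPLE_POLICY_YAML)
    for existing, absent in find_missing_companions(overrides).items():
        print(f"{existing} overridden, companions missing: {absent}")
    print("suggested additions to preserve the old behaviour:")
    for line in suggest_overrides(overrides):
        print("  " + line)
```

The suggested lines copy the old permission verbatim, which is what the upgrade note asks for when behaviour must not change. Since every ``:host`` and ``:all_projects`` policy defaults to ``ADMIN`` precisely because it targets or reveals hypervisor hosts, an operator may instead decide to leave those companions un-overridden and accept the tighter default; in that case the script's output is a list of capabilities the custom role is knowingly giving up, not a to-do list.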