 f738483e84
			
		
	
Cinder's volume migration API is, by default, an admin-only operation.
This includes the migrate_volume_completion API.

When Cinder is doing a volume migration, it calls Nova's swap-volume
API to detach the old volume that we're migrating from and attach
the volume that we're migrating to. Then Nova calls Cinder's
migrate_volume_completion API to signal Nova is done and Cinder
can finish the volume migration.

The problem is that swap-volume is not an admin-only API in Nova
per the default policy. So if a non-admin user tries to perform
a swap-volume operation, it will fail with a 403 when calling
Cinder's migrate_volume_completion API, since that requires an
admin user.

Also, because of 98739761f1 we can't
simply avoid calling migrate_volume_completion for non-migration
cases because that API handles the actual detach/attach for the old
and new volumes, swap-volume is broken without calling that.

So given swap-volume relies on an admin-only Cinder API, and is called
from an admin-only Cinder operation (volume migration), we should
just make it default to admin-only also.

Change-Id: Iac03258735f3d856a474ab96fe9b0a087e32906f
Closes-Bug: #1522705
		
	
		
			
				
	
	
		
9 lines, 443 B, YAML
| ---
 | |
| upgrade:
 | |
|   - The default policy for updating volume attachments, commonly referred to as
 | |
|     swap volume, has been changed from ``rule:admin_or_owner`` to
 | |
|     ``rule:admin_api``. This is because it is called from the volume service
 | |
|     when migrating volumes, which is an admin-only operation by default, and
 | |
|     requires calling an admin-only API in the volume service upon completion.
 | |
|     So by default it would not work for non-admins.
 |
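Review bot: The closing sentence of the upgrade note, "So by default it would not work for non-admins", does not say which default it refers to, so it can be read as describing either the old ``rule:admin_or_owner`` behaviour or the new ``rule:admin_api`` one. Suggest stating that under the old default a non-admin request passed the compute policy check and then failed with a 403 when migrate_volume_completion was called in the volume service, as the commit message explains. The note also never gives the name of the policy rule whose default is changing, which operators who carry an override in their own policy file need in order to find it; adding the rule name would make the upgrade impact checkable.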