dc0d23daa2
Use https for openstack.org pages since docs.o.o and developer.o.o now have https enabled. Change-Id: Ife353949cf3bcd089eff45628e00116e670ac8a2
1.9 KiB
Policies
Shared File Systems service has its own role-based access policies.
They determine which user can access which objects in which way, and are
defined in the service's policy.json file.
Tip
The configuration file policy.json may be placed
anywhere. The path /etc/manila/policy.json is expected by
default.
Whenever an API call to the Shared File Systems service is made, the policy engine uses the appropriate policy definitions to determine if the call can be accepted.
A policy rule determines under which circumstances the API call is
permitted. The /etc/manila/policy.json file has rules where
action is always permitted, when the rule is an empty string:
""; the rules based on the user role or rules; rules with
boolean expressions. Below is a snippet of the policy.json
file for the Shared File Systems service. From one OpenStack release to
another it can be changed.
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"share_extension:quotas:show": "",
"share_extension:quotas:update": "rule:admin_api",
"share_extension:quotas:delete": "rule:admin_api",
"share_extension:quota_classes": "",
}Users must be assigned to groups and roles that you refer to in your policies. This is done automatically by the service when user management commands are used.
Note
Any changes to /etc/manila/policy.json are effective
immediately, which allows new policies to be implemented while the
Shared File Systems service is running. Manual modification of the
policy can have unexpected side effects and is not encouraged. For
details, see The
policy.json file.