[ops][cinder] Policy for volume attach/detach
I would like to set a policy so that attachments operations can be done only by the user who created that volume. To do that I created this [*] policy.yaml file. I verified that with such policy file: - I am able to attach volumes only for the volumes I created - I can attach my volumes also to instances owned by other users - I can not attach volumes belonging to other users to my instances So far so good. But I am allowed to detach any volume from any instance, even if I am not the owner of that volume, and this is not what I want What am I doing wrong ? Thanks, Massimo [*] # # To be used when another member of the same project can't change something # created by another user of the same project "admin_or_user": "is_admin:True or (role:admin and is_admin_project:True) or user_id:%(user_id)s" # Create attachment. # POST /attachments "volume:attachment_create": "rule:admin_or_user" # Update attachment. # PUT /attachments/{attachment_id} "volume:attachment_update": "rule:admin_or_user" # Delete attachment. # DELETE /attachments/{attachment_id} "volume:attachment_delete": "rule:admin_or_user" # Mark a volume attachment process as completed (in-use) # POST /attachments/{attachment_id}/action (os-complete) "volume:attachment_complete": "rule:admin_or_user"
Hi Massimo, You also need to set these detach policies "volume_extension:volume_admin_actions:force_detach" "volume_extension:volume_actions:detach" "volume_extension:volume_actions:begin_detaching" "volume_extension:volume_actions:roll_detaching" Thanks and regards Rajat Dhasmana On Mon, Apr 27, 2020 at 4:22 PM Massimo Sgaravatto < massimo.sgaravatto@gmail.com> wrote:
I would like to set a policy so that attachments operations can be done only by the user who created that volume. To do that I created this [*] policy.yaml file.
I verified that with such policy file: - I am able to attach volumes only for the volumes I created - I can attach my volumes also to instances owned by other users - I can not attach volumes belonging to other users to my instances
So far so good.
But I am allowed to detach any volume from any instance, even if I am not the owner of that volume, and this is not what I want
What am I doing wrong ?
Thanks, Massimo
[*] # # To be used when another member of the same project can't change something # created by another user of the same project "admin_or_user": "is_admin:True or (role:admin and is_admin_project:True) or user_id:%(user_id)s" # Create attachment. # POST /attachments "volume:attachment_create": "rule:admin_or_user"
# Update attachment. # PUT /attachments/{attachment_id} "volume:attachment_update": "rule:admin_or_user"
# Delete attachment. # DELETE /attachments/{attachment_id} "volume:attachment_delete": "rule:admin_or_user"
# Mark a volume attachment process as completed (in-use) # POST /attachments/{attachment_id}/action (os-complete) "volume:attachment_complete": "rule:admin_or_user"
Indeed I missed those rules. After having specified them, it works as expected Thanks ! On Mon, Apr 27, 2020 at 1:22 PM Rajat Dhasmana <rdhasman@redhat.com> wrote:
Hi Massimo,
You also need to set these detach policies
"volume_extension:volume_admin_actions:force_detach" "volume_extension:volume_actions:detach" "volume_extension:volume_actions:begin_detaching" "volume_extension:volume_actions:roll_detaching"
Thanks and regards Rajat Dhasmana
On Mon, Apr 27, 2020 at 4:22 PM Massimo Sgaravatto < massimo.sgaravatto@gmail.com> wrote:
I would like to set a policy so that attachments operations can be done only by the user who created that volume. To do that I created this [*] policy.yaml file.
I verified that with such policy file: - I am able to attach volumes only for the volumes I created - I can attach my volumes also to instances owned by other users - I can not attach volumes belonging to other users to my instances
So far so good.
But I am allowed to detach any volume from any instance, even if I am not the owner of that volume, and this is not what I want
What am I doing wrong ?
Thanks, Massimo
[*] # # To be used when another member of the same project can't change something # created by another user of the same project "admin_or_user": "is_admin:True or (role:admin and is_admin_project:True) or user_id:%(user_id)s" # Create attachment. # POST /attachments "volume:attachment_create": "rule:admin_or_user"
# Update attachment. # PUT /attachments/{attachment_id} "volume:attachment_update": "rule:admin_or_user"
# Delete attachment. # DELETE /attachments/{attachment_id} "volume:attachment_delete": "rule:admin_or_user"
# Mark a volume attachment process as completed (in-use) # POST /attachments/{attachment_id}/action (os-complete) "volume:attachment_complete": "rule:admin_or_user"
participants (2)
-
Massimo Sgaravatto
-
Rajat Dhasmana