[ops][cinder] Policy for volume attach/detach

Massimo Sgaravatto massimo.sgaravatto at gmail.com
Mon Apr 27 12:16:38 UTC 2020


Indeed I missed those rules.
After having specified them, it works as expected
Thanks!


On Mon, Apr 27, 2020 at 1:22 PM Rajat Dhasmana <rdhasman at redhat.com> wrote:

> Hi Massimo,
>
> You also need to set these detach policies
>
> "volume_extension:volume_admin_actions:force_detach"
> "volume_extension:volume_actions:detach"
> "volume_extension:volume_actions:begin_detaching"
> "volume_extension:volume_actions:roll_detaching"
>
>
> Thanks and regards
> Rajat Dhasmana
>
> On Mon, Apr 27, 2020 at 4:22 PM Massimo Sgaravatto <
> massimo.sgaravatto at gmail.com> wrote:
>
>> I would like to set a policy so that attachment operations can be done
>> only by the user who created that volume. To do that I created this
>> [*] policy.yaml file.
>>
>> I verified that with such policy file:
>> - I am able to attach volumes only for the volumes I created
>> - I can attach my volumes also to instances owned by other users
>> - I can not attach volumes belonging to other users to my instances
>>
>> So far so good.
>>
>> But I am allowed to detach any volume from any instance, even if I am not
>> the owner of that volume, and this is not what I want.
>>
>> What am I doing wrong?
>>
>> Thanks, Massimo
>>
>>
>>
>>
>> [*]
>> #
>> # To be used when another member of the same project can't change something
>> # created by another user of the same project
>> "admin_or_user": "is_admin:True or (role:admin and is_admin_project:True) or user_id:%(user_id)s"
>> # Create attachment.
>> # POST  /attachments
>> "volume:attachment_create": "rule:admin_or_user"
>>
>> # Update attachment.
>> # PUT  /attachments/{attachment_id}
>> "volume:attachment_update": "rule:admin_or_user"
>>
>> # Delete attachment.
>> # DELETE  /attachments/{attachment_id}
>> "volume:attachment_delete": "rule:admin_or_user"
>>
>> # Mark a volume attachment process as completed (in-use)
>> # POST  /attachments/{attachment_id}/action (os-complete)
>> "volume:attachment_complete": "rule:admin_or_user"
>>
>
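A complete policy.yaml that combines the attachment targets from Massimo's quoted file with the detach targets Rajat lists, as an added example that is not a file from the thread or from Cinder itself. The admin_or_user rule is copied from the quoted file; the four attachment targets and the four detach targets are the ones named above. Applying the same admin_or_user rule to force_detach is an assumption made here for symmetry, not something the thread prescribes.

```yaml
# policy.yaml (assumed complete example; not the file posted in the thread)
#
# Goal: only the user who created a volume (or an admin) may attach it to,
# or detach it from, an instance. The attach targets alone are not enough:
# the detach path is governed by separate policy targets, which keep their
# default values unless they are overridden here.

# Shared rule, copied from the quoted policy file. user_id:%(user_id)s
# compares the caller's user id with the user_id of the target volume.
"admin_or_user": "is_admin:True or (role:admin and is_admin_project:True) or user_id:%(user_id)s"

# Attachment API (/attachments) - the targets from the original file.
# POST   /attachments
"volume:attachment_create": "rule:admin_or_user"
# PUT    /attachments/{attachment_id}
"volume:attachment_update": "rule:admin_or_user"
# DELETE /attachments/{attachment_id}
"volume:attachment_delete": "rule:admin_or_user"
# POST   /attachments/{attachment_id}/action (os-complete)
"volume:attachment_complete": "rule:admin_or_user"

# Detach actions - the targets Rajat lists. Without these lines a project
# member who does not own the volume could still detach it.
# Assumption: force_detach gets the same rule as the others; it can be kept
# admin-only instead if only operators should ever force a detach.
"volume_extension:volume_admin_actions:force_detach": "rule:admin_or_user"
"volume_extension:volume_actions:detach": "rule:admin_or_user"
"volume_extension:volume_actions:begin_detaching": "rule:admin_or_user"
"volume_extension:volume_actions:roll_detaching": "rule:admin_or_user"
```

To check the effect, repeat the three attach tests from the original post and add the matching detach tests: detaching a volume you created (from your own or another user's instance) should succeed, and detaching a volume created by another project member should be denied.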