[Openstack] Cinder policy.json
Adam Young
ayoung at redhat.com
Tue May 16 15:11:31 UTC 2017
On 05/09/2017 06:39 AM, chagg at foxmail.com wrote:
> Hello:
> I want everyone to be able to access a volume I created in cinder as admin,
> so I changed /etc/cinder/policy.json as below, but it won't work.
> Why? And how to do it?
> Thanks!
> policy.json
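So, debugging policy is a pain. What operation specifically fails?
You also might want to make the default into something more specific,
such as "check that the project matches and the user has either the
Member or admin role". Or, if you just want it to always pass, you can
make it a true check. An empty rule string is a true check, and that is
what your file already has; note that with it, any action that falls back
to "default" is allowed for every caller that reaches the policy check:
"default": "",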
>
>
> {
> "context_is_admin": "role:admin",
> "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
> "default": "",
>
> "admin_api": "is_admin:True",
>
> "volume:create": "",
> "volume:delete": "",
> "volume:get": "",
> "volume:get_all": "",
> "volume:get_volume_metadata": "",
> "volume:delete_volume_metadata": "",
> "volume:update_volume_metadata": "",
> "volume:get_volume_admin_metadata": "rule:admin_api",
> "volume:update_volume_admin_metadata": "rule:admin_api",
> "volume:get_snapshot": "",
> "volume:get_all_snapshots": "",
> "volume:create_snapshot": "",
> "volume:delete_snapshot": "",
> "volume:update_snapshot": "",
> "volume:extend": "",
> "volume:update_readonly_flag": "",
> "volume:retype": "",
> "volume:update": "",
>
> "volume_extension:types_manage": "rule:admin_api",
> "volume_extension:types_extra_specs": "rule:admin_api",
> "volume_extension:access_types_qos_specs_id": "rule:admin_api",
> "volume_extension:access_types_extra_specs": "rule:admin_api",
> "volume_extension:volume_type_access": "",
> "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
> "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
> "volume_extension:volume_type_encryption": "rule:admin_api",
> "volume_extension:volume_encryption_metadata": "",
> "volume_extension:extended_snapshot_attributes": "",
> "volume_extension:volume_image_metadata": "",
>
> "volume_extension:quotas:show": "",
> "volume_extension:quotas:update": "rule:admin_api",
> "volume_extension:quotas:delete": "rule:admin_api",
> "volume_extension:quota_classes": "rule:admin_api",
> "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
>
> "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
> "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
> "volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
> "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
> "volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
> "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
> "volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
> "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
> "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
>
> "volume_extension:volume_host_attribute": "rule:admin_api",
> "volume_extension:volume_tenant_attribute": "",
> "volume_extension:volume_mig_status_attribute": "rule:admin_api",
> "volume_extension:hosts": "rule:admin_api",
> "volume_extension:services:index": "rule:admin_api",
> "volume_extension:services:update" : "rule:admin_api",
>
> "volume_extension:volume_manage": "rule:admin_api",
> "volume_extension:volume_unmanage": "rule:admin_api",
>
> "volume_extension:capabilities": "rule:admin_api",
>
> "volume:create_transfer": "",
> "volume:accept_transfer": "",
> "volume:delete_transfer": "",
> "volume:get_all_transfers": "",
>
> "volume_extension:replication:promote": "rule:admin_api",
> "volume_extension:replication:reenable": "rule:admin_api",
>
> "volume:enable_replication": "rule:admin_api",
> "volume:disable_replication": "rule:admin_api",
> "volume:failover_replication": "rule:admin_api",
> "volume:list_replication_targets": "rule:admin_api",
>
> "backup:create" : "",
> "backup:delete": "",
> "backup:get": "",
> "backup:get_all": "",
> "backup:restore": "",
> "backup:backup-import": "rule:admin_api",
> "backup:backup-export": "rule:admin_api",
>
> "snapshot_extension:snapshot_actions:update_snapshot_status": "",
> "snapshot_extension:snapshot_manage": "rule:admin_api",
> "snapshot_extension:snapshot_unmanage": "rule:admin_api",
>
> "consistencygroup:create" : "group:nobody",
> "consistencygroup:delete": "group:nobody",
> "consistencygroup:update": "group:nobody",
> "consistencygroup:get": "group:nobody",
> "consistencygroup:get_all": "group:nobody",
>
> "consistencygroup:create_cgsnapshot" : "group:nobody",
> "consistencygroup:delete_cgsnapshot": "group:nobody",
> "consistencygroup:get_cgsnapshot": "group:nobody",
> "consistencygroup:get_all_cgsnapshots": "group:nobody",
>
> "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api"
> }
>
> ------------------------------------------------------------------------
> chagg at foxmail.com
>
>