[Openstack] Cinder policy.json

Adam Young ayoung at redhat.com
Tue May 16 15:11:31 UTC 2017


On 05/09/2017 06:39 AM, chagg at foxmail.com wrote:
> Hello:
>     I want everyone to be able to access a volume I created in cinder as admin,
> so I changed /etc/cinder/policy.json as below, but it won't work.
> Why? And how do I do it?
> Thanks!
> policy.json

So, debugging policy is a pain.  What operation specifically fails?
You also might want to make the default into something more specific,
such as "check that the project matches and the user has either the
Member or admin role".  Or, if you just want it to always pass, you can
make it a true check.  An empty rule string always passes, so any
operation that falls back to the default is then allowed for every
authenticated user:


"default": "",



>
>
> {
>     "context_is_admin": "role:admin",
>     "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
>     "default": "",
>
>     "admin_api": "is_admin:True",
>
>     "volume:create": "",
>     "volume:delete": "",
>     "volume:get": "",
>     "volume:get_all": "",
>     "volume:get_volume_metadata": "",
>     "volume:delete_volume_metadata": "",
>     "volume:update_volume_metadata": "",
>     "volume:get_volume_admin_metadata": "rule:admin_api",
>     "volume:update_volume_admin_metadata": "rule:admin_api",
>     "volume:get_snapshot": "",
>     "volume:get_all_snapshots": "",
>     "volume:create_snapshot": "",
>     "volume:delete_snapshot": "",
>     "volume:update_snapshot": "",
>     "volume:extend": "",
>     "volume:update_readonly_flag": "",
>     "volume:retype": "",
>     "volume:update": "",
>
>     "volume_extension:types_manage": "rule:admin_api",
>     "volume_extension:types_extra_specs": "rule:admin_api",
>     "volume_extension:access_types_qos_specs_id": "rule:admin_api",
>     "volume_extension:access_types_extra_specs": "rule:admin_api",
>     "volume_extension:volume_type_access": "",
>     "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
>     "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
>     "volume_extension:volume_type_encryption": "rule:admin_api",
>     "volume_extension:volume_encryption_metadata": "",
>     "volume_extension:extended_snapshot_attributes": "",
>     "volume_extension:volume_image_metadata": "",
>
>     "volume_extension:quotas:show": "",
>     "volume_extension:quotas:update": "rule:admin_api",
>     "volume_extension:quotas:delete": "rule:admin_api",
>     "volume_extension:quota_classes": "rule:admin_api",
>     "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
>
>     "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
>     "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
>     "volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
>     "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
>     "volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
>     "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
>     "volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
>     "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
>     "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
>
>     "volume_extension:volume_host_attribute": "rule:admin_api",
>     "volume_extension:volume_tenant_attribute": "",
>     "volume_extension:volume_mig_status_attribute": "rule:admin_api",
>     "volume_extension:hosts": "rule:admin_api",
>     "volume_extension:services:index": "rule:admin_api",
>     "volume_extension:services:update" : "rule:admin_api",
>
>     "volume_extension:volume_manage": "rule:admin_api",
>     "volume_extension:volume_unmanage": "rule:admin_api",
>
>     "volume_extension:capabilities": "rule:admin_api",
>
>     "volume:create_transfer": "",
>     "volume:accept_transfer": "",
>     "volume:delete_transfer": "",
>     "volume:get_all_transfers": "",
>
>     "volume_extension:replication:promote": "rule:admin_api",
>     "volume_extension:replication:reenable": "rule:admin_api",
>
>     "volume:enable_replication": "rule:admin_api",
>     "volume:disable_replication": "rule:admin_api",
>     "volume:failover_replication": "rule:admin_api",
>     "volume:list_replication_targets": "rule:admin_api",
>
>     "backup:create" : "",
>     "backup:delete": "",
>     "backup:get": "",
>     "backup:get_all": "",
>     "backup:restore": "",
>     "backup:backup-import": "rule:admin_api",
>     "backup:backup-export": "rule:admin_api",
>
>     "snapshot_extension:snapshot_actions:update_snapshot_status": "",
>     "snapshot_extension:snapshot_manage": "rule:admin_api",
>     "snapshot_extension:snapshot_unmanage": "rule:admin_api",
>
>     "consistencygroup:create" : "group:nobody",
>     "consistencygroup:delete": "group:nobody",
>     "consistencygroup:update": "group:nobody",
>     "consistencygroup:get": "group:nobody",
>     "consistencygroup:get_all": "group:nobody",
>
>     "consistencygroup:create_cgsnapshot" : "group:nobody",
>     "consistencygroup:delete_cgsnapshot": "group:nobody",
>     "consistencygroup:get_cgsnapshot": "group:nobody",
>     "consistencygroup:get_all_cgsnapshots": "group:nobody",
>
>     "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api"
> }
>
> ------------------------------------------------------------------------
> chagg at foxmail.com
>
>

