[policy in code] Add support for snapshot resource
This patch adds policy in code support for snapshot resources and depends on the basic patch [1]. [1]: https://review.openstack.org/#/c/506976/ Change-Id: I8e1b544f510c1a0af30a5a0b672578226c9fd315 Partial-Implements: blueprint policy-in-code
This commit is contained in:
parent
bb3569a3f5
commit
d5d0705343
@ -79,6 +79,15 @@ class AdminController(wsgi.Controller):
|
||||
return update
|
||||
|
||||
def authorize(self, context, action_name):
|
||||
# NOTE(tommylikehu): We have two different ways to authorize during
|
||||
# implementing code base policies, the if/else statement can be
|
||||
# removed when all resources are upgraded.
|
||||
if self.resource_name in ['snapshot']:
|
||||
context.authorize(
|
||||
'volume_extension:%(resource)s_admin_actions:%(action)s' %
|
||||
{'resource': self.resource_name,
|
||||
'action': action_name})
|
||||
else:
|
||||
# e.g. "snapshot_admin_actions:reset_status"
|
||||
action = '%s_admin_actions:%s' % (self.resource_name, action_name)
|
||||
extensions.extension_authorizer('volume', action)(context)
|
||||
|
@ -16,11 +16,7 @@
|
||||
|
||||
from cinder.api import extensions
|
||||
from cinder.api.openstack import wsgi
|
||||
|
||||
|
||||
authorize = extensions.soft_extension_authorizer(
|
||||
'volume',
|
||||
'extended_snapshot_attributes')
|
||||
from cinder.policies import snapshots as policy
|
||||
|
||||
|
||||
class ExtendedSnapshotAttributesController(wsgi.Controller):
|
||||
@ -33,7 +29,7 @@ class ExtendedSnapshotAttributesController(wsgi.Controller):
|
||||
@wsgi.extends
|
||||
def show(self, req, resp_obj, id):
|
||||
context = req.environ['cinder.context']
|
||||
if authorize(context):
|
||||
if context.authorize(policy.EXTEND_ATTRIBUTE):
|
||||
# Attach our slave template to the response object
|
||||
snapshot = resp_obj.obj['snapshot']
|
||||
self._extend_snapshot(req, snapshot)
|
||||
@ -41,7 +37,7 @@ class ExtendedSnapshotAttributesController(wsgi.Controller):
|
||||
@wsgi.extends
|
||||
def detail(self, req, resp_obj):
|
||||
context = req.environ['cinder.context']
|
||||
if authorize(context):
|
||||
if context.authorize(policy.EXTEND_ATTRIBUTE):
|
||||
# Attach our slave template to the response object
|
||||
for snapshot in list(resp_obj.obj['snapshots']):
|
||||
self._extend_snapshot(req, snapshot)
|
||||
|
@ -21,15 +21,10 @@ from cinder.api.openstack import wsgi
|
||||
from cinder.i18n import _
|
||||
from cinder import objects
|
||||
from cinder.objects import fields
|
||||
|
||||
from cinder.policies import snapshot_actions as policy
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def authorize(context, action_name):
|
||||
action = 'snapshot_actions:%s' % action_name
|
||||
extensions.extension_authorizer('snapshot', action)(context)
|
||||
|
||||
|
||||
class SnapshotActionsController(wsgi.Controller):
|
||||
def __init__(self, *args, **kwargs):
|
||||
super(SnapshotActionsController, self).__init__(*args, **kwargs)
|
||||
@ -45,7 +40,7 @@ class SnapshotActionsController(wsgi.Controller):
|
||||
"""
|
||||
|
||||
context = req.environ['cinder.context']
|
||||
authorize(context, 'update_snapshot_status')
|
||||
context.authorize(policy.UPDATE_STATUS_POLICY)
|
||||
|
||||
LOG.debug("body: %s", body)
|
||||
try:
|
||||
|
@ -22,13 +22,10 @@ from cinder.api.openstack import wsgi
|
||||
from cinder.api.views import manageable_snapshots as list_manageable_view
|
||||
from cinder.api.views import snapshots as snapshot_views
|
||||
from cinder.i18n import _
|
||||
from cinder.policies import manageable_snapshots as policy
|
||||
from cinder import volume as cinder_volume
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
authorize_manage = extensions.extension_authorizer('snapshot',
|
||||
'snapshot_manage')
|
||||
authorize_list_manageable = extensions.extension_authorizer('snapshot',
|
||||
'list_manageable')
|
||||
|
||||
|
||||
class SnapshotManageController(wsgi.Controller):
|
||||
@ -86,7 +83,7 @@ class SnapshotManageController(wsgi.Controller):
|
||||
|
||||
"""
|
||||
context = req.environ['cinder.context']
|
||||
authorize_manage(context)
|
||||
context.authorize(policy.MANAGE_POLICY)
|
||||
|
||||
if not self.is_valid_body(body, 'snapshot'):
|
||||
msg = _("Missing required element snapshot in request body.")
|
||||
@ -130,7 +127,7 @@ class SnapshotManageController(wsgi.Controller):
|
||||
def index(self, req):
|
||||
"""Returns a summary list of snapshots available to manage."""
|
||||
context = req.environ['cinder.context']
|
||||
authorize_list_manageable(context)
|
||||
context.authorize(policy.LIST_MANAGEABLE_POLICY)
|
||||
return resource_common_manage.get_manageable_resources(
|
||||
req, False, self.volume_api.get_manageable_snapshots,
|
||||
self._list_manageable_view)
|
||||
@ -139,7 +136,7 @@ class SnapshotManageController(wsgi.Controller):
|
||||
def detail(self, req):
|
||||
"""Returns a detailed list of snapshots available to manage."""
|
||||
context = req.environ['cinder.context']
|
||||
authorize_list_manageable(context)
|
||||
context.authorize(policy.LIST_MANAGEABLE_POLICY)
|
||||
return resource_common_manage.get_manageable_resources(
|
||||
req, True, self.volume_api.get_manageable_snapshots,
|
||||
self._list_manageable_view)
|
||||
|
@ -20,10 +20,10 @@ from webob import exc
|
||||
from cinder.api import extensions
|
||||
from cinder.api.openstack import wsgi
|
||||
from cinder import exception
|
||||
from cinder.policies import manageable_snapshots as policy
|
||||
from cinder import volume
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
authorize = extensions.extension_authorizer('snapshot', 'snapshot_unmanage')
|
||||
|
||||
|
||||
class SnapshotUnmanageController(wsgi.Controller):
|
||||
@ -46,7 +46,7 @@ class SnapshotUnmanageController(wsgi.Controller):
|
||||
A Not Found error is returned if the specified snapshot does not exist.
|
||||
"""
|
||||
context = req.environ['cinder.context']
|
||||
authorize(context)
|
||||
context.authorize(policy.UNMANAGE_POLICY)
|
||||
|
||||
LOG.info("Unmanage snapshot with id: %s", id)
|
||||
|
||||
|
@ -18,7 +18,11 @@ import itertools
|
||||
from cinder.policies import attachments
|
||||
from cinder.policies import base
|
||||
from cinder.policies import clusters
|
||||
from cinder.policies import manageable_snapshots
|
||||
from cinder.policies import messages
|
||||
from cinder.policies import snapshot_actions
|
||||
from cinder.policies import snapshot_metadata
|
||||
from cinder.policies import snapshots
|
||||
from cinder.policies import workers
|
||||
|
||||
|
||||
@ -28,5 +32,9 @@ def list_rules():
|
||||
attachments.list_rules(),
|
||||
messages.list_rules(),
|
||||
clusters.list_rules(),
|
||||
workers.list_rules()
|
||||
workers.list_rules(),
|
||||
snapshot_metadata.list_rules(),
|
||||
snapshots.list_rules(),
|
||||
snapshot_actions.list_rules(),
|
||||
manageable_snapshots.list_rules(),
|
||||
)
|
||||
|
65
cinder/policies/manageable_snapshots.py
Normal file
65
cinder/policies/manageable_snapshots.py
Normal file
@ -0,0 +1,65 @@
|
||||
# Copyright (c) 2017 Huawei Technologies Co., Ltd.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from cinder.policies import base
|
||||
|
||||
|
||||
MANAGE_POLICY = 'snapshot_extension:snapshot_manage'
|
||||
UNMANAGE_POLICY = 'snapshot_extension:snapshot_unmanage'
|
||||
LIST_MANAGEABLE_POLICY = 'snapshot_extension:list_manageable'
|
||||
|
||||
manageable_snapshots_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=LIST_MANAGEABLE_POLICY,
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description=
|
||||
"List (in detail) of snapshots which are available to manage.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/manageable_snapshots'
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/manageable_snapshots/detail'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=MANAGE_POLICY,
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="Manage an existing snapshot.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/manageable_snapshots'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=UNMANAGE_POLICY,
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="Stop managing a snapshot.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/snapshots/{snapshot_id}/action (os-unmanage)'
|
||||
}
|
||||
]),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return manageable_snapshots_policies
|
62
cinder/policies/snapshot_actions.py
Normal file
62
cinder/policies/snapshot_actions.py
Normal file
@ -0,0 +1,62 @@
|
||||
# Copyright (c) 2017 Huawei Technologies Co., Ltd.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from cinder.policies import base
|
||||
|
||||
|
||||
RESET_STATUS_POLICY = 'volume_extension:snapshot_admin_actions:reset_status'
|
||||
FORCE_DELETE_POLICY = 'volume_extension:snapshot_admin_actions:force_delete'
|
||||
UPDATE_STATUS_POLICY = \
|
||||
'snapshot_extension:snapshot_actions:update_snapshot_status'
|
||||
|
||||
snapshot_actions_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=RESET_STATUS_POLICY,
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="Reset status of a snapshot.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/snapshots/{snapshot_id}/action (os-reset_status)'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=UPDATE_STATUS_POLICY,
|
||||
check_str="",
|
||||
description="Update database fields of snapshot.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/snapshots/{snapshot_id}/action '
|
||||
'(update_snapshot_status)'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=FORCE_DELETE_POLICY,
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="Force delete a snapshot.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/snapshots/{snapshot_id}/action (os-force_delete)'
|
||||
}
|
||||
])
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return snapshot_actions_policies
|
72
cinder/policies/snapshot_metadata.py
Normal file
72
cinder/policies/snapshot_metadata.py
Normal file
@ -0,0 +1,72 @@
|
||||
# Copyright (c) 2017 Huawei Technologies Co., Ltd.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from cinder.policies import base
|
||||
|
||||
|
||||
GET_POLICY = 'volume:get_snapshot_metadata'
|
||||
DELETE_POLICY = 'volume:delete_snapshot_metadata'
|
||||
UPDATE_POLICY = 'volume:update_snapshot_metadata'
|
||||
|
||||
|
||||
snapshot_metadata_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=GET_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="Show snapshot's metadata or one specified metadata "
|
||||
"with a given key.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/snapshots/{snapshot_id}/metadata'
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/snapshots/{snapshot_id}/metadata/{key}'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=UPDATE_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="Update snapshot's metadata or one specified "
|
||||
"metadata with a given key.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/snapshots/{snapshot_id}/metadata'
|
||||
},
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/snapshots/{snapshot_id}/metadata/{key}'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=DELETE_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="Delete snapshot's specified metadata "
|
||||
"with a given key.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/snapshots/{snapshot_id}/metadata/{key}'
|
||||
}
|
||||
]),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return snapshot_metadata_policies
|
103
cinder/policies/snapshots.py
Normal file
103
cinder/policies/snapshots.py
Normal file
@ -0,0 +1,103 @@
|
||||
# Copyright (c) 2017 Huawei Technologies Co., Ltd.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from cinder.policies import base
|
||||
|
||||
|
||||
BASE_POLICY_NAME = 'volume:snapshots:%s'
|
||||
GET_POLICY = 'volume:get_snapshot'
|
||||
GET_ALL_POLICY = 'volume:get_all_snapshots'
|
||||
CREATE_POLICY = 'volume:create_snapshot'
|
||||
DELETE_POLICY = 'volume:delete_snapshot'
|
||||
UPDATE_POLICY = 'volume:update_snapshot'
|
||||
EXTEND_ATTRIBUTE = 'volume_extension:extended_snapshot_attributes'
|
||||
|
||||
|
||||
snapshots_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=GET_ALL_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="List snapshots.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/snapshots'
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/snapshots/detail'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=EXTEND_ATTRIBUTE,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="List snapshots with extended attributes.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/snapshots'
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/snapshots/detail'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CREATE_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="Create snapshot.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/snapshots'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=GET_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="Show snapshot.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/snapshots/{snapshot_id}'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=UPDATE_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="Update snapshot.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/snapshots/{snapshot_id}'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=DELETE_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="Delete snapshot.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/snapshots/{snapshot_id}'
|
||||
}
|
||||
]),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return snapshots_policies
|
@ -44,11 +44,9 @@
|
||||
"volume:thaw_host": "rule:admin_api",
|
||||
"volume:revert_to_snapshot": "",
|
||||
"volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
|
||||
"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
|
||||
"volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
|
||||
"volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
|
||||
"volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
|
||||
"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
|
||||
"volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
|
||||
"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
|
||||
"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
|
||||
@ -91,11 +89,6 @@
|
||||
|
||||
"limits_extension:used_limits": "",
|
||||
|
||||
"snapshot_extension:snapshot_actions:update_snapshot_status": "",
|
||||
"snapshot_extension:snapshot_manage": "rule:admin_api",
|
||||
"snapshot_extension:snapshot_unmanage": "rule:admin_api",
|
||||
"snapshot_extension:list_manageable": "rule:admin_api",
|
||||
|
||||
"volume:create_transfer": "",
|
||||
"volume:accept_transfer": "",
|
||||
"volume:delete_transfer": "",
|
||||
|
@ -44,6 +44,8 @@ from cinder import objects
|
||||
from cinder.objects import base as objects_base
|
||||
from cinder.objects import fields
|
||||
from cinder.policies import attachments as attachment_policy
|
||||
from cinder.policies import snapshot_metadata as s_meta_policy
|
||||
from cinder.policies import snapshots as snapshot_policy
|
||||
import cinder.policy
|
||||
from cinder import quota
|
||||
from cinder import quota_utils
|
||||
@ -624,7 +626,7 @@ class API(base.Base):
|
||||
return volumes
|
||||
|
||||
def get_snapshot(self, context, snapshot_id):
|
||||
check_policy(context, 'get_snapshot')
|
||||
context.authorize(snapshot_policy.GET_POLICY)
|
||||
snapshot = objects.Snapshot.get_by_id(context, snapshot_id)
|
||||
|
||||
# FIXME(jdg): The objects don't have the db name entries
|
||||
@ -643,7 +645,7 @@ class API(base.Base):
|
||||
def get_all_snapshots(self, context, search_opts=None, marker=None,
|
||||
limit=None, sort_keys=None, sort_dirs=None,
|
||||
offset=None):
|
||||
check_policy(context, 'get_all_snapshots')
|
||||
context.authorize(snapshot_policy.GET_ALL_POLICY)
|
||||
|
||||
search_opts = search_opts or {}
|
||||
|
||||
@ -827,7 +829,7 @@ class API(base.Base):
|
||||
cgsnapshot_id,
|
||||
commit_quota=True,
|
||||
group_snapshot_id=None):
|
||||
check_policy(context, 'create_snapshot', volume)
|
||||
context.authorize(snapshot_policy.CREATE_POLICY)
|
||||
|
||||
if not volume.host:
|
||||
msg = _("The snapshot cannot be created because volume has "
|
||||
@ -1031,9 +1033,10 @@ class API(base.Base):
|
||||
resource=result)
|
||||
return result
|
||||
|
||||
@wrap_check_policy
|
||||
def delete_snapshot(self, context, snapshot, force=False,
|
||||
unmanage_only=False):
|
||||
context.authorize(snapshot_policy.DELETE_POLICY,
|
||||
target_obj=snapshot)
|
||||
if not unmanage_only:
|
||||
snapshot.assert_not_frozen()
|
||||
|
||||
@ -1061,8 +1064,9 @@ class API(base.Base):
|
||||
LOG.info("Snapshot delete request issued successfully.",
|
||||
resource=snapshot)
|
||||
|
||||
@wrap_check_policy
|
||||
def update_snapshot(self, context, snapshot, fields):
|
||||
context.authorize(snapshot_policy.UPDATE_POLICY,
|
||||
target_obj=snapshot)
|
||||
snapshot.update(fields)
|
||||
snapshot.save()
|
||||
|
||||
@ -1153,21 +1157,22 @@ class API(base.Base):
|
||||
resource=volume)
|
||||
return db_meta
|
||||
|
||||
@wrap_check_policy
|
||||
def get_snapshot_metadata(self, context, snapshot):
|
||||
"""Get all metadata associated with a snapshot."""
|
||||
context.authorize(s_meta_policy.GET_POLICY,
|
||||
target_obj=snapshot)
|
||||
LOG.info("Get snapshot metadata completed successfully.",
|
||||
resource=snapshot)
|
||||
return snapshot.metadata
|
||||
|
||||
@wrap_check_policy
|
||||
def delete_snapshot_metadata(self, context, snapshot, key):
|
||||
"""Delete the given metadata item from a snapshot."""
|
||||
context.authorize(s_meta_policy.DELETE_POLICY,
|
||||
target_obj=snapshot)
|
||||
snapshot.delete_metadata_key(context, key)
|
||||
LOG.info("Delete snapshot metadata completed successfully.",
|
||||
resource=snapshot)
|
||||
|
||||
@wrap_check_policy
|
||||
def update_snapshot_metadata(self, context,
|
||||
snapshot, metadata,
|
||||
delete=False):
|
||||
@ -1177,6 +1182,8 @@ class API(base.Base):
|
||||
`metadata` argument will be deleted.
|
||||
|
||||
"""
|
||||
context.authorize(s_meta_policy.UPDATE_POLICY,
|
||||
target_obj=snapshot)
|
||||
if delete:
|
||||
_metadata = metadata
|
||||
else:
|
||||
|
@ -11,14 +11,6 @@
|
||||
"volume:update_volume_metadata": "rule:admin_or_owner",
|
||||
"volume:get_volume_admin_metadata": "rule:admin_api",
|
||||
"volume:update_volume_admin_metadata": "rule:admin_api",
|
||||
"volume:get_snapshot": "rule:admin_or_owner",
|
||||
"volume:get_all_snapshots": "rule:admin_or_owner",
|
||||
"volume:create_snapshot": "rule:admin_or_owner",
|
||||
"volume:delete_snapshot": "rule:admin_or_owner",
|
||||
"volume:update_snapshot": "rule:admin_or_owner",
|
||||
"volume:get_snapshot_metadata": "rule:admin_or_owner",
|
||||
"volume:delete_snapshot_metadata": "rule:admin_or_owner",
|
||||
"volume:update_snapshot_metadata": "rule:admin_or_owner",
|
||||
"volume:extend": "rule:admin_or_owner",
|
||||
"volume:extend_attached_volume": "rule:admin_or_owner",
|
||||
"volume:update_readonly_flag": "rule:admin_or_owner",
|
||||
@ -39,7 +31,6 @@
|
||||
"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
|
||||
"volume_extension:volume_type_encryption": "rule:admin_api",
|
||||
"volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
|
||||
"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
|
||||
"volume_extension:volume_image_metadata": "rule:admin_or_owner",
|
||||
|
||||
"volume_extension:qos_specs_manage:create": "rule:admin_api",
|
||||
@ -55,11 +46,9 @@
|
||||
"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
|
||||
|
||||
"volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
|
||||
"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
|
||||
"volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
|
||||
"volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
|
||||
"volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
|
||||
"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
|
||||
"volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
|
||||
"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
|
||||
"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
|
||||
@ -100,11 +89,6 @@
|
||||
"backup:update": "rule:admin_or_owner",
|
||||
"backup:backup_project_attribute": "rule:admin_api",
|
||||
|
||||
"snapshot_extension:snapshot_actions:update_snapshot_status": "",
|
||||
"snapshot_extension:snapshot_manage": "rule:admin_api",
|
||||
"snapshot_extension:snapshot_unmanage": "rule:admin_api",
|
||||
"snapshot_extension:list_manageable": "rule:admin_api",
|
||||
|
||||
"consistencygroup:create" : "group:nobody",
|
||||
"consistencygroup:delete": "group:nobody",
|
||||
"consistencygroup:update": "group:nobody",
|
||||
|
Loading…
Reference in New Issue
Block a user