diff --git a/contrib/ci/post_test_hook.sh b/contrib/ci/post_test_hook.sh index eb83013e79..4b2e39d803 100755 --- a/contrib/ci/post_test_hook.sh +++ b/contrib/ci/post_test_hook.sh @@ -70,7 +70,10 @@ RUN_MANILA_QUOTA_TESTS=${RUN_MANILA_QUOTA_TESTS:-True} RUN_MANILA_SHRINK_TESTS=${RUN_MANILA_SHRINK_TESTS:-True} RUN_MANILA_SNAPSHOT_TESTS=${RUN_MANILA_SNAPSHOT_TESTS:-True} RUN_MANILA_REVERT_TO_SNAPSHOT_TESTS=${RUN_MANILA_REVERT_TO_SNAPSHOT_TESTS:-False} -RUN_MANILA_SG_TESTS=${RUN_MANILA_SG_TESTS:-${RUN_MANILA_CG_TESTS:-True}} + +# TODO(vponomaryov): turn 'RUN_MANILA_SG_TESTS' on back in Pike +# RUN_MANILA_SG_TESTS=${RUN_MANILA_SG_TESTS:-${RUN_MANILA_CG_TESTS:-True}} +RUN_MANILA_SG_TESTS=False RUN_MANILA_MANAGE_TESTS=${RUN_MANILA_MANAGE_TESTS:-True} RUN_MANILA_MANAGE_SNAPSHOT_TESTS=${RUN_MANILA_MANAGE_SNAPSHOT_TESTS:-False} RUN_MANILA_REPLICATION_TESTS=${RUN_MANILA_REPLICATION_TESTS:-False} @@ -211,7 +214,9 @@ elif [[ "$DRIVER" == "zfsonlinux" ]]; then iniset $TEMPEST_CONFIG share capability_snapshot_support True elif [[ "$DRIVER" == "dummy" ]]; then MANILA_TEMPEST_CONCURRENCY=24 - RUN_MANILA_SG_TESTS=True + + # TODO(vponomaryov): turn 'RUN_MANILA_SG_TESTS' on back in Pike + RUN_MANILA_SG_TESTS=False RUN_MANILA_MANAGE_TESTS=False RUN_MANILA_DRIVER_ASSISTED_MIGRATION_TESTS=True RUN_MANILA_REVERT_TO_SNAPSHOT_TESTS=True diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 106a035daa..995e042eec 100755 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -181,7 +181,8 @@ function configure_manila { iniset $MANILA_CONF DEFAULT osapi_share_extension manila.api.contrib.standard_extensions iniset $MANILA_CONF DEFAULT state_path $MANILA_STATE_PATH iniset $MANILA_CONF DEFAULT default_share_type $MANILA_DEFAULT_SHARE_TYPE - iniset $MANILA_CONF DEFAULT default_share_group_type $MANILA_DEFAULT_SHARE_GROUP_TYPE + # TODO(vponomaryov): revert following back in Pike + # iniset $MANILA_CONF DEFAULT default_share_group_type $MANILA_DEFAULT_SHARE_GROUP_TYPE if ! [[ -z $MANILA_SHARE_MIGRATION_PERIOD_TASK_INTERVAL ]]; then iniset $MANILA_CONF DEFAULT migration_driver_continue_update_interval $MANILA_SHARE_MIGRATION_PERIOD_TASK_INTERVAL @@ -935,8 +936,9 @@ elif [[ "$1" == "stack" && "$2" == "extra" ]]; then echo_summary "Creating Manila default share type" create_default_share_type - echo_summary "Creating Manila default share group type" - create_default_share_group_type + # TODO(vponomaryov): revert following back in Pike + # echo_summary "Creating Manila default share group type" + # create_default_share_group_type echo_summary "Creating Manila custom share types" create_custom_share_types diff --git a/etc/manila/policy.json b/etc/manila/policy.json index 7c95202ed6..bc5e1bb921 100644 --- a/etc/manila/policy.json +++ b/etc/manila/policy.json @@ -115,21 +115,21 @@ "scheduler_stats:pools:index": "rule:admin_api", "scheduler_stats:pools:detail": "rule:admin_api", - "share_group:create" : "rule:default", - "share_group:delete": "rule:default", - "share_group:update": "rule:default", - "share_group:get": "rule:default", - "share_group:get_all": "rule:default", - "share_group:force_delete": "rule:admin_api", - "share_group:reset_status": "rule:admin_api", + "share_group:create" : "!", + "share_group:delete": "!", + "share_group:update": "!", + "share_group:get": "!", + "share_group:get_all": "!", + "share_group:force_delete": "!", + "share_group:reset_status": "!", - "share_group_snapshot:create" : "rule:default", - "share_group_snapshot:delete": "rule:default", - "share_group_snapshot:update" : "rule:default", - "share_group_snapshot:get": "rule:default", - "share_group_snapshot:get_all": "rule:default", - "share_group_snapshot:force_delete": "rule:admin_api", - "share_group_snapshot:reset_status": "rule:admin_api", + "share_group_snapshot:create" : "!", + "share_group_snapshot:delete": "!", + "share_group_snapshot:update" : "!", + "share_group_snapshot:get": "!", + "share_group_snapshot:get_all": "!", + "share_group_snapshot:force_delete": "!", + "share_group_snapshot:reset_status": "!", "share_replica:get_all": "rule:default", "share_replica:show": "rule:default", @@ -141,18 +141,18 @@ "share_replica:force_delete": "rule:admin_api", "share_replica:reset_replica_state": "rule:admin_api", - "share_group_type:index": "rule:default", - "share_group_type:show": "rule:default", - "share_group_type:default": "rule:default", - "share_group_type:create": "rule:admin_api", - "share_group_type:delete": "rule:admin_api", - "share_group_type:add_project_access": "rule:admin_api", - "share_group_type:list_project_access": "rule:admin_api", - "share_group_type:remove_project_access": "rule:admin_api", + "share_group_type:index": "!", + "share_group_type:show": "!", + "share_group_type:default": "!", + "share_group_type:create": "!", + "share_group_type:delete": "!", + "share_group_type:add_project_access": "!", + "share_group_type:list_project_access": "!", + "share_group_type:remove_project_access": "!", - "share_group_types_spec:create": "rule:admin_api", - "share_group_types_spec:update": "rule:admin_api", - "share_group_types_spec:show": "rule:admin_api", - "share_group_types_spec:index": "rule:admin_api", - "share_group_types_spec:delete": "rule:admin_api" + "share_group_types_spec:create": "!", + "share_group_types_spec:update": "!", + "share_group_types_spec:show": "!", + "share_group_types_spec:index": "!", + "share_group_types_spec:delete": "!" } diff --git a/releasenotes/notes/disable-share-groups-api-by-default-0627b97ac2cda4cb.yaml b/releasenotes/notes/disable-share-groups-api-by-default-0627b97ac2cda4cb.yaml new file mode 100644 index 0000000000..b8b8957f5b --- /dev/null +++ b/releasenotes/notes/disable-share-groups-api-by-default-0627b97ac2cda4cb.yaml @@ -0,0 +1,13 @@ +--- +issues: + - Share groups replaced the experimental consistency groups feature in Ocata. + The APIs for share groups have a default role-based-access-control policy + set to "!". This means that these APIs are not enabled by default on + upgrading to the Ocata release. Modify policy.json appropriately in your + deployment to enable these APIs. You may set these policies to + "rule:default" to allow access to all tenants and "rule:admin_api" to + restrict the access only to tenants with those privileges. +upgrade: + - Policies relating to "consistency_group" and "cgsnapshot" APIs + have been removed from manila. + These policies can be removed from "policy.json".