Change RBAC for share group snapshots

Allow project administrators to force delete and reset status on share group snapshots by default since that delegation may be desirable in the cloud and it does not violate tenancy. Change-Id: Ib9b9b306be9073c4cea9b2d190d3325f29c7bd3f Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-10 12:33:20 -08:00 · 2021-03-10 12:33:20 -08:00 · 9243d994b0
commit 9243d994b0
parent fbb8e6b510
1 changed files with 4 additions and 10 deletions
--- a/manila/policies/share_group_snapshot.py
+++ b/manila/policies/share_group_snapshot.py
@ -142,11 +142,8 @@ share_group_snapshot_policies = [
    ),
    policy.DocumentedRuleDefault(
        name=BASE_POLICY_NAME % 'force_delete',
-        # NOTE(lbragstad): This might make a good candidate for as a project
-        # administrator operation if it doesn't require any information that
-        # would violate tenancy
-        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        scope_types=['system', 'project'],
        description="Force delete a share group snapshot.",
        operations=[
            {
@ -161,11 +158,8 @@ share_group_snapshot_policies = [
    ),
    policy.DocumentedRuleDefault(
        name=BASE_POLICY_NAME % 'reset_status',
-        # NOTE(lbragstad): This might make a good candidate for as a project
-        # administrator operation if it doesn't require any information that
-        # would violate tenancy
-        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
+        scope_types=['system', 'project'],
        description="Reset a share group snapshot's status.",
        operations=[
            {