2289cdd9e7
Public shares are visible across all keystone projects and are "accessible" by all projects within a multi-tenant cloud. More often than not, only privileged users can create and manage shares that EVERYONE on the cloud can really mount and use. Manila deployers want a way to disable unprivileged users from create public shares. Feedback from deployers has been that public shares created on one private tenant network (DHSS=True scenario) cannot be used within another private tenant network belonging to a different project. So, if users unintentionally create public shares, they end up pollute the dashboards of users in other projects. So, we need to make public share creation a "privileged" feature. This can be achieved by introducing a manila API policy that defaults to only allowing the "admin" role. So, this commit will: - Introduce two new policies: - share:create_public_share and - share:set_public_share - Set the default check string for these policies to rule:admin_api. They will accept the default rule temporarily, and log a deprecation warning message. - Remove some redundant policy checks in code and move the policy check up in the API so we can fail unauthorized requests faster. When making an API change that potentially changes the return code from being "successful" (HTTP 2xx) to returning failure (in this case: HTTP 403, NotAuthorized), we typically maintain API backwards compatibility by failing the requests ONLY with newer API microversions. Following this pattern for API policy changes will introduce a security hole, i.e., users can always create public shares with previous versions even when an administrator explicitly sets up policy to disable the action. This is why this change will not maintain API backwards compatibility. APIImpact Closes-Bug: #1801763 Change-Id: Ib4fc9a82b6a3e5f8e50f0bc8a89d0445eecab028