Merge "Shared File Systems service security guide fixes"

security-guide/source/shared-file-systems.rst

@@ -3,21 +3,20 @@ Shared File Systems
 ===================
 
 The Shared File Systems service (manila) provides a set of services for
-management of shared file systems in a multi-tenant cloud environment, similar
+management of shared file systems in a multi-tenant cloud environment. It is
-to how OpenStack provides for block-based storage management through the
+done similar to how OpenStack provides block-based storage management through
-OpenStack Block Storage service project. With the Shared File Systems service,
+the OpenStack Block Storage service project. With the Shared File Systems
-you can create a remote file system, mount the file system on your instances,
+service, you can create a shared file system and manage its properties such as
-and then read and write data from your instances to and from your file system.
+visibility, accessibility and usage quotas.
 
-A large amount of existing software is designed around file-based storage. The
+The Shared File Systems service works with various storage providers that use
-Shared File Systems service provides the management of file shares and works
+the following shared file system protocols:
-with various storage providers that use following shared file system protocols:
 :term:`NFS <Network File System (NFS)>`,
 :term:`CIFS <Common Internet File System (CIFS)>`, :term:`GlusterFS`, and
 :term:`HDFS <Hadoop Distributed File System (HDFS)>`.
 
-The Shared File Systems serves the same purpose as the Amazon Elastic File
+The Shared File Systems service serves the same purpose as Amazon Elastic File
-System (EFS) offering does.
+System (EFS).
 
 .. toctree::
    :maxdepth: 2

security-guide/source/shared-file-systems/intro.rst

@@ -3,37 +3,20 @@
 Introduction
 ------------
 The Shared File Systems service (manila) is intended to be ran on a single-node
-or across multiple nodes. The Shared File Systems service consists of three
+or across multiple nodes. The Shared File Systems service consists of four
 main services, which are similar to those of the Block Storage service:
 
 - ``manila-api``
 - ``manila-scheduler``
 - ``manila-share``
-
+- ``manila-data``
-The Shared File Systems service uses a SQL-based central database that is
-shared by all Shared File Systems services in the system. The amount and depth
-of the data fits into a SQL database quite well. The Shared File Systems
-service can use all SQL dialects supported by ORM SQLALchemy, but is tested
-only with MySQL and PostgreSQL data bases.
-
-Using SQL, the Shared File Systems service is similar to other OpenStack
-services and can be used with any OpenStack deployment. For more details on
-the API, see the `OpenStack Shared File Systems API <http://developer.
-openstack.org/api-ref-share-v2.html>`_ description. For mode details of the CLI
-using and configuring, see `Shared File Systems Administrator Guide
-<http://docs.openstack.org/admin-guide/shared_file_systems.html>`_.
-
-Below is an explanation of the different components.
-
-.. image:: ../figures/manila-intro.png
 
 ``manila-api``
    The service that provides a stable RESTful API. The service
    authenticates and routes requests throughout the Shared Filesystem
    service. There is python-manilaclient to interact with the API.
    For more details on the Shared File Systems API, see the `OpenStack
-   Shared File Systems API <http://developer.openstack.org/api-ref-share-
+   Shared File Systems API <http://developer.openstack.org/api-ref-share-v2.html>`_.
-   v2.html>`_.
 ``manila-share``
    Responsible for managing Shared File Service devices, specifically the
    back-end devices.
@@ -41,11 +24,36 @@ Below is an explanation of the different components.
    Responsible for scheduling and routing requests to the appropriate
    ``manila-share`` service. It does that by picking one back-end while
    filtering all except one back-end.
-python-manilaclient
+``manila-data``
+   This service is responsible for managing data operations which may take a
+   long time to complete and block other services if not handled separately.
+
+The Shared File Systems service uses an SQL-based central database that is
+shared by all Shared File Systems services in the system. It can use any SQL
+dialect supported by ORM SQLALchemy, but is tested only with MySQL and
+PostgreSQL data bases.
+
+Using SQL, the Shared File Systems service is similar to other OpenStack
+services and can be used with any OpenStack deployment. For more details on
+the API, see the `OpenStack Shared File Systems API
+<http://developer.openstack.org/api-ref-share-v2.html>`_ description. For more
+details on the CLI usage and configuration, see `Shared File Systems Cloud
+Administrative Guide
+<http://docs.openstack.org/admin-guide/shared_file_systems.html>`_.
+
+On the image below you can see how different parts of the Shared File System
+service interact with each other.
+
+.. image:: ../figures/manila-intro.png
+
+Besides already described services you can see two other entities on the
+image: ``python-manilaclient`` and ``storage controller``.
+
+``python-manilaclient``
    Command line interface to interact with the Shared File Systems service
    via ``manila-api`` and also a Python module to interact programmatically
    with the Shared File Systems service.
-Storage controller
+``Storage controller``
    Typically a metal box with spinning disks, ethernet ports, and some
    kind of software that allows network clients to read and write files on
    the disks. There are also software-only storage controllers that run on
@@ -56,72 +64,70 @@ Storage controller
 A share is a remote, mountable file system. You can mount a share to and access
 a share from several hosts by several users at a time.
 
-The Shared File Systems service can work with different network types, which
+The Shared File Systems service can work with different network types:
-can be flat, VLAN, VXLAN, or GRE, and supports segmented networking. There are
+flat, VLAN, VXLAN, or GRE, and supports segmented networking. There are
 also different :ref:`network plug-ins <shared_fs_network_plugins>` that provide
 a variety of integration approaches with the network services that are
 available with OpenStack.
 
-There are a large number of share drivers created by different vendors. Each
+There are a large number of share drivers created by different vendors which
-share driver is a Python class that can be set for the back end and run in the
+support different hardware storage solutions, for example, NetApp Clustered
-back end to manage the share operations, some of which are vendor-specific.
+Data ONTAP (cDOT) Driver, Huawei NAS Driver or GlusterFS Driver. Each share
-The back end is an instance of the manila-share service. For example, the
+driver is a Python class that can be set for a back end and run in the back
-service can be configured to use NetApp Clustered Data ONTAP (cDOT), Huawei NAS
+end to manage share operations, some of which can be vendor-specific. The back
-Driver, GlusterFS Native driver, and so on.
+end is an instance of the manila-share service.
 
-The configuration information for clients for authentication and authorization
+Clients' configuration data for authentication and authorization
 can be stored by :ref:`security services <shared_fs_security_services>`.
-This means that such protocols as LDAP and Kerberos, or with Microsoft Active
+Such protocols as LDAP, Kerberos, or Microsoft Active Directory authentication
-directory authentication service can be configured and used.
+service can be configured and used.
 
-Unless it is not modified in the ``policy.json``, either an administrator or
+Unless it is not explicitly changed in the ``policy.json``, either an
-the tenant that owns a share always is able to manage the :ref:`access to the
+administrator or the tenant that owns a share are able to manage
-shares <shared_fs_share_acl>` by means of creating access rules with
+:ref:`access to the shares <shared_fs_share_acl>`. Access management is done by
-authentication though IP address, user, group, or TLS certificates. The
+creating access rules with authentication through IP address, user, group, or
-authentication methods depend on which share driver and security service you
+TLS certificates. Available authentication methods depend on which share
-configure and use.
+driver and security service you configure and use.
 
 .. note::
 
-    Different access features are supported by different share drivers with
+    Different drivers support different access options depending on which
-    taking into consideration the shared file system protocol. The supported
+    shared file system protocol is used. Supported shared file system protocols
-    shared file system protocols are NFS, CIFS, GlusterFS, or HDFS. As the
+    are NFS, CIFS, GlusterFS, and HDFS. For example, the Generic (Block Storage
-    example, the Generic (Block Storage as a back end) driver does not support
+    as a back end) driver does not support user and certificate authentication
-    user and certificate authentication methods. It also does not support any
+    methods. It also does not support any of the security services, such as
-    of the security services, such as LDAP, Kerberos, or Active Directory. For
+    LDAP, Kerberos, or Active Directory. For details of features supported by
-    details of supporting of features by different drivers, see `Manila share
+    different drivers, see `Manila share features support mapping
-    features support mapping <http://docs.openstack.org/developer/manila/
+    <http://docs.openstack.org/developer/manila/devref/share_back_ends_feature_support_mapping.html>`_.
-    devref/share_back_ends_feature_support_mapping.html>`_.
 
-As administrator, you can create the share types that enable the scheduler to
+As an administrator, you can create share types that enable the scheduler to
-filter the back ends before you create a share. The share types have the extra
+filter back ends before you create a share. Share types have extra
-specifications you can set in the type for scheduler to filter and weigh back
+specifications that you can set for the scheduler to filter and weigh back
-ends so that an appropriate one is selected for the user that requests the
+ends so that an appropriate one is selected for a user that requests
-share creation. An administrator can add
+share creation. Shares and share types can be created as public or private.
+This level of visibility defines whether other tenants are able to see these
+objects and operate with them, or not. An administrator can add
 :ref:`access to the private share types <shared_fs_share_types_acl>` for
-definite users or tenants in the Identity service. Thus the users which you
+specific users or tenants in the Identity service. Thus users which you have
 granted access can see available share types and create shares using them.
 
-The shares and share types can be created as public or private. This level of
+Permissions for API calls for different users and their roles are determined
-visibility defines whether other tenants are able to see these objects and
+by :ref:`policies <shared_fs_policies>` like in other OpenStack services.
-operate with them, or not.
 
-The permissions of API calls for different users and their roles are determined
+The Identity service can be used for authentication in the Shared File
-by :ref:`policies <shared_fs_policies>` as well as other OpenStack services.
+Systems service. See details of the Identity service security in
-
+:doc:`../identity` section.
-The Identity service with different back ends, for example, LDAP, Active
-Directory, can be used for the authentication in the Shared File Systems. See
-details of the identity service security in :doc:`../identity` section.
 
 General security information
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Similar to other OpenStack projects, the Shared File Systems service is
-registered with the Identity service, so you can find the API endpoints of the
+registered with the Identity service, so you can find API endpoints of the
 share service v1 and v2 using **manila endpoints** command:
 
 .. code:: console
 
+ $ manila endpoints
  +-------------+-----------------------------------------+
  | manila      | Value                                   |
  +-------------+-----------------------------------------+
@@ -146,12 +152,13 @@ By default, the Shared File Systems API service listens only on the port
 ``8786`` with ``tcp6`` type that supports both IPv4 and IPv6.
 
 .. note::
+
     The port ``8786`` is the default port for the Shared File Systems service.
     It may be changed to any other port, but this change should also be made
-    in the configuration file using option ``osapi_share_listen_port`` which
+    in the configuration file to option ``osapi_share_listen_port`` which
     defaults to ``8786``.
 
-In ``/etc/manila/`` directory you can find the environment configuration files:
+In the ``/etc/manila/`` directory you can find several configuration files:
 
 .. code:: console
 
@@ -165,18 +172,15 @@ In ``/etc/manila/`` directory you can find the environment configuration files:
  share.filters
 
 It is recommended that you configure the Shared File Systems service to run
-under a non-root service account, for example, ``manila`` and change file
+under a non-root service account, and change file permissions so that only
-permissions for only ``root`` to be able to modify the configuration files. The
+the system administrator can modify them. The Shared File Systems service
-Shared File Systems service expects that only the administrator can write to
+expects that only administrators can write to configuration files and services
-the configuration files and the services can only read them through their group
+can only read them through their group membership in ``manila`` group. Others
-membership in the ``manila`` group. Others must not be able to read these files
+must not be able to read these files because the files contain admin passwords
-because the files contain admin passwords of different services.
+for different services.
 
-Thus, for the configuration files it is recommended to set ownership to
+Apply checks :ref:`check_shared_fs_01` and :ref:`check_shared_fs_02`
-``root/manila`` and access permissions to ``640`` allowing only root to write
+from the checklist to verify that permissions are set properly.
-to the configuration files, and other users in the ``manila`` group to read
-them. For details, see :ref:`check_shared_fs_01` and :ref:`check_shared_fs_02`
-in a checklist.
 
 .. note::
 
@@ -187,5 +191,5 @@ in a checklist.
 
 .. tip::
 
-    Manila configuration file ``manila.conf`` may be used from different places.
+    The manila configuration file ``manila.conf`` may be placed anywhere.
-    The path ``/etc/manila/manila.conf`` is one of expected paths by default.
+    The path ``/etc/manila/manila.conf`` is expected by default.

security-guide/source/shared-file-systems/network-and-security-models.rst

@@ -3,37 +3,37 @@
 ===========================
 Network and security models
 ===========================
-The share driver in the Shared File Systems service is a Python class that can
+A share driver in the Shared File Systems service is a Python class that can
-be set for the back end and run in it to manage the share operations, some of
+be set for the back end and run in it to manage share operations, some of
-which are vendor-specific. The back end is an instance of the manila-share
+which are vendor-specific. The back end is an instance of manila-share
-service. There are big number of the share drivers created by different vendors
+service. There are a big number of share drivers created by different vendors
 in the Shared File Systems service. Each share driver supports one or more back
-end modes: *share servers* and *no share servers*, but the administrator
+end modes: *share servers* and *no share servers*. An administrator
-chooses which mode is used by specifying it in the configuration file
+chooses which mode is used by specifying it in ``manila.conf`` configuration
-``manila.conf``.
+file. An option ``driver_handles_share_servers`` is used for it.
 
 The *share servers* mode can be configured with flat network, or with segmented
 network. This depends on the network provider.
 
-It is possible to have separate drivers for different modes on the same
+It is possible to have separate drivers for different modes use the same
 hardware, if you want to have different configurations. Depending on which mode
-is chosen, the administrator needs to provide additional details in the
+is chosen, an administrator may need to provide more configuration details
-configuration file as well.
+through the configuration file.
 
 .. _share-servers-vs-no-share-servers:
 
 Share back ends modes
 ---------------------
 
-Each share driver supports one or two of possible driver modes to configure the
+Each share driver supports at least one of the possible driver modes:
-back ends. Initially there are two driver modes for the back ends:
 
 * **share servers mode**
 * **no share servers mode**
 
-The configuration option in the ``manila.conf`` file that set the share
+The configuration option in ``manila.conf`` that sets *share servers* mode or
-servers mode or no share servers mode is the ``driver_handles_share_servers``
+*no share servers* mode is the ``driver_handles_share_servers``
-option, that defines the driver mode for share storage life cycle management:
+option. It indicates whether a driver handles share servers by itself
+or it expects the Shared File Systems service to do it.
 
 .. list-table::
    :header-rows: 1
@@ -54,24 +54,15 @@ option, that defines the driver mode for share storage life cycle management:
        storage with some net interface insteadof the presence of the share
        servers.
 
-This is the share types which have the extra specifications that help scheduler
-to filter back ends and choose the appropriate back end for the user that
-requested to create a share. For details of managing the share types and
-configuration the back ends, see `Share types
-<http://docs.openstack.org/admin-guide/shared_file_systems_share_types.html>`_
-and `Multi-storage configuration
-<http://docs.openstack.org/admin-guide/shared_file_systems_multi_backend.html>`_
-documentation.
-
 No share servers mode
    In this mode, drivers have basically no network requirements whatsoever.
-   It's assumed that the actual storage controller(s) being managed by the
+   It's assumed that storage controller being managed by the
    driver has all of the network interfaces it's going to need. The Shared
    File Systems service will expect the driver to provision shares directly
    without creating any share server beforehand. This mode corresponds to
-   what some existing drivers are already doing, but it makes explicit the
+   what some existing drivers are already doing, but it makes the
-   choice for the administrator. In this mode, the share networks are not
+   choice explicit for the administrator. In this mode, the share networks
-   needed at share creation time and must not be provided.
+   are not needed at share creation time and must not be provided.
 
 .. note::
 
@@ -79,34 +70,34 @@ No share servers mode
    the network interfaces through which any shares are exported are already
    reachable by all tenants.
 
-In the *no share servers* mode the share driver does not handle the storage
+In the *no share servers* mode a share driver does not handle storage
-life cycle. The administrator is expected to handle the storage, network
+life cycle. An administrator is expected to handle the storage, network
 interfaces, and other host configurations. In this mode an administrator can
-have the storage(s) as a host which exports the shares. The main characteristic
+set storage as a host which exports shares. The main characteristic
 of this mode is that the storage is not handled by the Shared File Systems
-service. The users in tenants share the common network(s), host, processor, and
+service. Users in a tenant share common network, host, processor, and
-network pipe. The users can hinder each other if there is no correct balancing
+network pipe. They can hinder each other if there is no correct balancing
-adjustment on the storage configured by admin or proxy before it. In the
+adjustment on the storage configured by admin or proxy before it. In
-public clouds it is possible that all the network pipe is used by one client,
+public clouds it is possible that all network capacity is used by one client,
-so the administrator should handle this case not to happen. The balancing
+so an administrator should care for this not to happen. Balancing
-adjustment can be configured by any means, not only OpenStack tools.
+adjustment can be done by any means, not necessarily with OpenStack tools.
 
 Share servers mode
-   In this mode, the driver is able to create share servers and join them to
+   In this mode, a driver is able to create share servers and plug them to
-   an existing network. When providing a new share server, the drivers expect
+   existing networks. When providing a new share server, drivers expect
    an IP address and subnet from the Shared File Systems service.
 
-Unlike the no share servers mode, in the *share servers* mode the users have
+Unlike *no share servers* mode, in *share servers* mode users have
-the share network and the share server that is created for each share network.
+a share network and a share server that is created for each share network.
 Thus all users have separate CPU, amount of CPU time, network, capacity and
 throughput.
 
-You also can configure the
+You also can configure
 :ref:`security services <shared_fs_security_services>` in both *share servers*
 and *no share servers* back-end modes. But with *no share servers* back-end
-mode, an administrator should set the desired authentication services manually
+mode, an administrator should set desired authentication services manually
-on the host. And in the *share servers* mode of the back end The Shared File
+on the host. And in *share servers* mode the Shared File
-Systems service can be configured automatically with any of existing security
+Systems service can be configured automatically with any existing security
 services supported by the share driver.
 
 Flat vs segmented networking
@@ -121,75 +112,68 @@ network:
 
 .. note::
 
-    The Shared File Systems service is just keeping the information about the
+    The Shared File Systems service is merely keeping the information about
-    networks in the database, and the real networks are available due to the
+    networks in the database, and real networks are provided by the
     network provider. In OpenStack it can be Legacy networking (nova-network)
-    or Networking (neutron) services, but actually the Shared File Systems
+    or Networking (neutron) services, but the Shared File Systems
-    service can work even out of OpenStack. That is due to the
+    service can work even out of OpenStack. That is allowed by
     ``StandaloneNetworkPlugin`` that can be used with any network platform and
     does not require some specific network services in OpenStack like
     Networking or Legacy networking services. You can set the network
     parameters in its configuration file.
 
-In the :ref:`share servers <share-servers-vs-no-share-servers>` back-end mode
+In :ref:`share servers <share-servers-vs-no-share-servers>` back-end mode
-the share driver creates and manages the share server for each share network.
+a share driver creates and manages a share server for each share network.
-This mode can be divided on two variations:
+This mode can be divided in two variations:
 
 * Flat network in *share servers* back-end mode
 * Segmented network in *share servers* back-end mode
 
-Initially, while creating the share network, you can set up either a network
+Initially, when creating a share network, you can set up either a network
 and subnet of the OpenStack Networking (neutron) or a network of Legacy
 networking (nova-network) services. The third approach is to configure the
-networking without Legacy networking and Networking services. The
+networking without Legacy networking and Networking services.
 ``StandaloneNetworkPlugin`` can be used with any network platform. You can set
-the network parameters in its configuration file.
+network parameters in its configuration file.
 
 .. tip::
 
-   All the share drivers that use the OpenStack Compute service do not use the
+   All share drivers that use the OpenStack Compute service do not use
-   network plug-ins. In Liberty release it is Windows and Generic drivers, so
+   network plug-ins. In Mitaka release it is Windows and Generic drivers.
-   these share drives have other options and use different approach.
+   These share drives have other options and use different approach.
 
-After the share network is created, the Shared File Systems service retrieves
+After a share network is created, the Shared File Systems service retrieves
-the network information determined by the network provider, for example, the
+network information determined by a network provider: network type,
-network type, the segmentation identifier if the network uses segmentation, the
+segmentation identifier if the network uses segmentation and
-IP block in Classless Inter-Domain Routing (CIDR) notation from which to
+IP block in CIDR notation from which to allocate the network.
-allocate the network.
-
-Below you can see the comparison of the flat network with segmented
-network in *share servers* back-end mode.
 
 **Flat network in share servers back-end mode**
 
 In this mode, some storage controllers can create share servers but due to
-various limitations of the physical or logical network all of the share servers
+various limitations of physical or logical network all of share servers
-have to be on a flat network. In this mode, the share driver needs something to
+have to be on a flat network. In this mode, a share driver needs something to
-provision IP addresses for the share servers, but the IPs all come out of the
+provision IP addresses for share servers, but IPs will all come out of the
 same subnet and that subnet itself is assumed to be reachable by all tenants.
 
-In this mode, the :ref:`security service part <shared_fs_security_services>` of
+The :ref:`security service part <shared_fs_security_services>` of
-the share networks is important because it allows tenants to specify security
+share networks ispecify security
 requirements such as AD or LDAP domains or a Kerberos realm. The Shared File
-Systems service assumes that any hosts referred to in the security service are
+Systems service assumes that any hosts referred to in security service are
-reachable from the subnet where the share server is created, which limits the
+reachable from a subnet where a share server is created, which limits the
-situations where this mode makes sense.
+number of cases where this mode could be used.
 
 **Segmented network in share servers back-end mode**
 
-In this mode, the share driver is able to create share servers and join them to
+In this mode, a share driver is able to create share servers and plug them to
-an existing segmented network. The share drivers expect the Shared File systems
+an existing segmented network. Share drivers expect the Shared File Systems
-to provide for every new share server a subnet definition including a
+service to provide a subnet definition for every new share server. This
-segmentation type which is VLAN, VXLAN, or GRE, segmentation ID, and any other
+definition should include segmentation type, segmentation ID, and any other
 info relevant to the segmentation type.
 
-The security aspects of the configured networks depends on the configuration
-itself and the network provider.
-
 .. note::
 
-    The share drivers may not support every type of segmentation, for details
+    Some share drivers may not support all types of segmentation, for details
-    see the specification for each driver.
+    see specification for the driver in use.
 
 .. _shared_fs_network_plugins:
 
@@ -197,20 +181,18 @@ Network plug-ins
 ----------------
 
 The Shared File Systems service architecture defines an abstraction layer for
-network resource provisioning and allowing administrators to choose from a
+network resource provisioning. It allows administrators to choose from
 different options for how network resources are assigned to their tenants’
-networked storage. There are a set of network plug-ins that provide a variety
+networked storage. There are several network plug-ins that provide a variety
 of integration approaches with the network services that are available with
 OpenStack.
 
-The network plug-ins allow to use any functions, configurations of the
+Network plug-ins allow to use any functions, configurations of the
-OpenStack Networking and Legacy networking services, for example, you can use
+OpenStack Networking and Legacy networking services. One can use
 any network segmentation that the Networking service supports, you can use
 flat networks or VLAN-segmented networks of the Legacy networking
-(nova-network) service, or you can use the plug-in for specifying networks
+(nova-network) service, or you can use plug-ins for specifying networks
 independently from OpenStack networking services. For more information of how
 to use different network plug-ins, see `Shared File Systems service Network
 plug-ins
 <http://docs.openstack.org/admin-guide/shared_file_systems_network_plugins.html#network-plug-ins>`_.
-The security in using different
-network plug-ins depends on the specific network configuration.

security-guide/source/shared-file-systems/policies.rst

@@ -9,14 +9,14 @@ the service's ``policy.json`` file.
 
 .. tip::
 
-    The configuration file ``policy.json`` may be used from different places.
+    The configuration file ``policy.json`` may be placed anywhere.
-    The path ``/etc/manila/policy.json`` is one of expected paths by default.
+    The path ``/etc/manila/policy.json`` is expected by default.
 
 Whenever an API call to the Shared File Systems service is made, the policy
 engine uses the appropriate policy definitions to determine if the call can be
 accepted.
 
-The policy rule determines under which circumstances the API call is permitted.
+A policy rule determines under which circumstances the API call is permitted.
 The ``/etc/manila/policy.json`` file has rules where action is always
 permitted, when the rule is an empty string: ``""``; the rules based on the
 user role or rules; rules with boolean expressions. Below is a snippet of the
@@ -29,53 +29,21 @@ OpenStack release to another it can be changed.
        "context_is_admin": "role:admin",
        "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
        "default": "rule:admin_or_owner",
-
-       "admin_api": "is_admin:True",
-
-       "share:create": "",
-       "share:delete": "rule:default",
-       "share:get": "rule:default",
-       "share:get_all": "rule:default",
-       "share:list_by_share_server_id": "rule:admin_api",
-       "share:update": "rule:default",
-       "share:snapshot_update": "rule:default",
-       "share:create_snapshot": "rule:default",
-       "share:delete_snapshot": "rule:default",
-       "share:get_snapshot": "rule:default",
-       "share:get_all_snapshots": "rule:default",
-       "share:access_get": "rule:default",
-       "share:access_get_all": "rule:default",
-       "share:allow_access": "rule:default",
-       "share:deny_access": "rule:default",
-       "share:extend": "rule:default",
-       "share:shrink": "rule:default",
-       "share:get_share_metadata": "rule:default",
-       "share:delete_share_metadata": "rule:default",
-       "share:update_share_metadata": "rule:default",
-       "share:migrate": "rule:admin_api",
-
-       "share_type:index": "rule:default",
-       "share_type:show": "rule:default",
-       "share_type:default": "rule:default",
-
-       "share_instance:index": "rule:admin_api",
-       "share_instance:show": "rule:admin_api",
-
        "share_extension:quotas:show": "",
        "share_extension:quotas:update": "rule:admin_api",
        "share_extension:quotas:delete": "rule:admin_api",
        "share_extension:quota_classes": "",
-
-       ...
    }
 
-Note that your users must be assigned to groups and roles that you refer to in
+Users must be assigned to groups and roles that you refer to in
-your policies.
+your policies. This is done automatically by the service when user
+management commands are used.
 
 .. note::
 
     Any changes to ``/etc/manila/policy.json`` are effective immediately,
     which allows new policies to be implemented while the Shared File Systems
-    service is running. Modifying the policy can have unexpected side effects
+    service is running. Manual modification of the policy can have unexpected
-    and is not encouraged. For details, see `The policy.json file <http://docs.
+    side effects and is not encouraged. For details, see
-    openstack.org/trunk/config-reference/content/policy-json-file.html>`_.
+    `The policy.json file <http://docs.openstack.org/trunk/config-reference/
+    ontent/policy-json-file.html>`_.

security-guide/source/shared-file-systems/security-services.rst

@@ -4,48 +4,46 @@
 Security services
 =================
 
-For authentication and authorization of the clients, the Shared File Systems
+For authentication and authorization of clients, the Shared File Systems
 Storage service can optionally be configured with different network
 authentication protocols. Supported authentication protocols are LDAP,
-Kerberos, or Microsoft Active directory authentication service.
+Kerberos, and Microsoft Active directory authentication service.
 
 Introduction to security services
 ---------------------------------
-After creating the share and getting its export location users have no
+After creating a share and getting its export location, users have no
 permissions to mount it and operate with files. The Shared File System service
-allows to grant or deny access to the shares.
+requires to explicitly grant access to the new share.
 
-The configuration information for clients for authentication and authorization
+The client configuration data for authentication and authorization
-(AuthN/AuthZ) can be stored by ``security services``. This means that such
+(AuthN/AuthZ) can be stored by ``security services``. LDAP, Kerberos, or
-protocols as LDAP and Kerberos, or with Microsoft Active directory
+Microsoft Active directory can be used by the Shared File Systems service if
-authentication service can be used by the Shared File Systems service if they
+they are supported by used drivers and back ends. Authentication
-exist and are supported by the drivers and back ends. These authentication
+services can also be configured without the Shared File Systems service.
-services also can be configured without the Shared File Systems service.
 
 .. note::
 
-    In some cases, it is required to add one of the security services. For
+    In some cases, it is required to explicitly specify one of the security
-    example, NetApp, EMC and Windows drivers require Active Directory for the
+    services, for example, NetApp, EMC and Windows drivers require Active
-    creation of shares with CIFS protocol.
+    Directory for the creation of shares with the CIFS protocol.
 
 Security services management
 ----------------------------
-A *security service* is the Shared File Systems service (manila) term that
+A *security service* is the Shared File Systems service (manila) entity that
-means a set of options that defines a security domain for a particular shared
+abstracts a set of options that defines a security domain for a particular
-file system protocol, such as an Active Directory domain or a Kerberos domain.
+shared file system protocol, such as an Active Directory domain or a Kerberos
-The security service contains all of the information necessary for the Shared
+domain. The security service contains all of the information necessary for
-File Systems to create a server that joins the given domain.
+the Shared File Systems to create a server that joins a given domain.
 
-Using the API users can create, update, view, delete a security service.
+Using the API, users can create, update, view and delete a security service.
-The security services are realized in the Shared File Systems API with such
+Security Services are designed basing on the following assumptions:
-key concepts:
 
-* Tenants provide the details for the security service.
+* Tenants provide details for the security service.
 * Administrators care about security services: they configure the server side
   of such security services.
 * Inside The Shared File Systems API, a ``security_service`` is associated with
   the ``share_networks``.
-* The share drivers use the information in the security service to configure
+* Share drivers use data in the security service to configure
   newly created share servers.
 
 While creating a security service, you can select one of these authentication
@@ -72,35 +70,34 @@ services:
      - A directory service that Microsoft developed for Windows domain
        networks. Uses LDAP, Microsoft's version of Kerberos, and DNS.
 
-The Shared File Systems allows you to configure a security service with these
+The Shared File Systems service allows you to configure a security service
-options:
+with these options:
 
 * A DNS IP address that is used inside the tenant network.
 * An IP address or host name of a security service.
 * A domain of a security service.
-* A user or group name that is used by the tenant.
+* A user or group name that is used by a tenant.
-* The password for the user, if you specify a user name.
+* A password for a user, if you specify a user name.
 
-An existing security service entity can be associated with the share network
+An existing security service entity can be associated with share network
-entities that inform the Shared File Systems service about the security and
+entities that inform the Shared File Systems service about security and
 network configuration for a group of shares. You can also see the list of all
 security services for a specified share network and disassociate them from
 a share network.
 
-For details of managing the security services via API, see the `Security
+For details of managing security services via API, see the `Security
-services API <http://developer.openstack.org/api-ref-share-v2.html#share-security-
+services API <http://developer.openstack.org/api-ref-share-v2.html#share-security-services>`_.
-services>`_. You also can manage the security services via python-manilaclient,
+You also can manage security services via python-manilaclient,
-see `Security services CLI managing <http://docs.openstack.org/admin-guide/
+see `Security services CLI managing <http://docs.openstack.org/admin-guide/shared_file_systems_security_services.html>`_.
-shared_file_systems_security_services.html>`_.
 
-An administrator and the users as share owners can manage the
+An administrator and users as share owners can manage the
-:ref:`access to the shares <shared_fs_share_acl>` by means of creating access
+:ref:`access to the shares <shared_fs_share_acl>` by creating access
-rules with authentication though ip address, user or group, or TLS
+rules with authentication though an IP address, user, group, or TLS
-certificates. The authentication methods depend on which share driver and
+certificates. Authentication methods depend on which share driver and
 security service you configure and use.
 
-Thus as an administrator you can configure the backend to use the definite
+Thus, as an administrator, you can configure a back end to use specific
-authentication service via network and it will store the users. The
+authentication service via network and it will store users. The
 authentication service can operate with clients without the Shared File System
 and the Identity service.
 
@@ -108,37 +105,36 @@ and the Identity service.
 
     Different authentication services are supported by different share drivers.
     For details of supporting of features by different drivers, see
-    `Manila share features support mapping <http://docs.openstack.org/developer
+    `Manila share features support mapping <http://docs.openstack.org/developer/manila/devref/share_back_ends_feature_support_mapping.html>`_.
-    /manila/devref/share_back_ends_feature_support_mapping.html>`_.
+    Support for a specific authentication service by a driver does not
-    The support of definite authentication service by the driver also doesn't
     mean that it can be configured with any shared file system protocol.
     Supported shared file systems protocols are NFS, CIFS, GlusterFS, and HDFS.
-    See the driver vendor's documentation for the specific driver and its
+    See the driver vendor's documentation for infomation on a specific driver
-    configuration for the security services.
+    and its configuration for security services.
 
-Some drivers support the security services and other drivers do not support any
+Some drivers support security services and other drivers do not support any
-of the hereinabove security services.
+of the security services mentioned above. For example, Generic Driver with
-
+the NFS or the CIFS shared file system protocol supports only authentication
-The Generic Driver with NFS or CIFS shared file system protocol supports only
+method through the IP address.
-authentication method through the IP address.
 
 .. tip::
 
-    * Those drivers that support CIFS shared file system protocol in most
+    * Those drivers that support the CIFS shared file system protocol in most
       cases can be configured to use Active Directory and manage access through
-      user authentication.
+      the user authentication.
-    * Drivers that support GlusterFS protocol can be used with authentication
+    * Drivers that support the GlusterFS protocol can be used with
-      via TLS certificates.
+      authentication via TLS certificates.
-    * With drivers that support NFS protocol the authentication via IP address
+    * With drivers that support NFS protocol authentication via IP address
-      is the only supported.
+      is the only supported option.
     * Since the HDFS shared file system protocol uses NFS access it also can be
       configured to authenticate via IP address.
 
-    The authentication via IP is the most weak.
+    Note, however, that authentication via IP is the least secure type of
+    authentication.
 
 The recommended configuration for the Shared File Systems service real usage
-is to create a share with CIFS share protocol and add to it the Microsoft
+is to create a share with the CIFS share protocol and add to it the Microsoft
-Active Directory directory service. In this configuration you'll get the
+Active Directory directory service. In this configuration you will get the
 centralized data base and the service that unites Kerberos and LDAP approaches.
-This is a real use case that is convenient for the real production shared file
+This is a real use case that is convenient for production shared file
 systems.

security-guide/source/shared-file-systems/share-acl.rst

@@ -7,16 +7,16 @@ The Shared File Systems service allows to grant or deny access to different
 entities of the service for other clients.
 
 Having a share as remote mountable instance of a file system, you can manage
-access to a specified share, and list the permissions for a specified share.
+access to a specified share, and list permissions for a specified share.
 
-The share can be *public* and *private*. This is a level of visibility for the
+A share can be *public* or *private*. This is a level of visibility for the
 share that defines whether other tenants can or cannot see the share. By
-default, the shares are created as private. While creating a share, use a key
+default, all shares are created as private. While creating a share, use key
 :option:`--public` to make your share public for other tenants to see it in a
 list of shares and see its detailed information.
 
 According to a :ref:`policy.json <shared_fs_policies>` file, an administrator
-and the users as share owners can manage the access to the shares by means of
+and the users as share owners can manage access to shares by means of
 creating access rules. Using :command:`manila access-allow`,
 :command:`manila access-deny` and :command:`manila access-list` commands,
 you can grant, deny and list access to a specified share correspondingly.
@@ -25,19 +25,19 @@ you can grant, deny and list access to a specified share correspondingly.
 
     By default, when a share is created and has its export location, the Shared
     File Systems service expects that nobody can access the share by mounting
-    it. Pay attention that the share driver you use can change this
+    it. Please note that the share driver you use can change this
     configuration, or it can be directly changed on the share storage. To
-    ensure the access to the share, check the mounting config for the export
+    ensure access to the share, check the mounting config for the export
     protocol.
 
-When the share is just created there are no created access rules and expected
+When a share is just created there are no default access rules associated with
-permission to mount a share. This is obtained by the mounting config for the
+it and permission to mount it. This could be seen in mounting config for
-certain export protocol. For example, for the NFS protocol there is
+export protocol in use. For example, there is an NFS command ``exportfs`` or
-``exportfs`` command or ``/etc/exports`` file on the storage which controls
+``/etc/exports`` file on the storage which controls each remote share and
-each remote share and the hosts that can access it. It is empty if nobody can
+defines hosts that can access it. It is empty if nobody can mount a share.
-mount a share. For the remote CIFS server there is ``net conf list`` command
+For a remote CIFS server there is ``net conf list`` command
-which shows the configuration. The parameter ``hosts deny`` should be set by
+which shows the configuration. ``hosts deny`` parameter should be set by
-the share driver to ``0.0.0.0/0`` which means that that hosts are denied to
+the share driver to ``0.0.0.0/0`` which means that any host is denied to
 mount the share.
 
 Using the Shared File Systems service, you can grant or deny access to a share
@@ -49,17 +49,17 @@ by specifying one of these supported share access levels:
 
 .. tip::
 
-    The RO access level can be helpful in the public shares when the
+    The RO access level can be helpful in public shares when the
     administrator gives read and write (RW) access for some certain editors or
     contributors and gives read-only (RO) access for the rest of users
     (viewers).
 
 You must also specify one of these supported authentication methods:
 
-* **ip**. Authenticates an instance through its IP address. A valid format is
+* **ip**. Authenticates an instance by its IP address. A valid format is
   XX.XX.XX.XX or XX.XX.XX.XX/XX. For example 0.0.0.0/0.
 
-* **cert**. Authenticates an instance through a TLS certificate. Specify the
+* **cert**. Authenticates an instance by a TLS certificate. Specify the
   TLS identity as the IDENTKEY. A valid value is any string up to 64 characters
   long in the common name (CN) of the certificate.
 
@@ -69,7 +69,7 @@ You must also specify one of these supported authentication methods:
 
 .. note::
 
-    The supported authentication methods depend on which share driver, security
+    Supported authentication methods depend on which share driver, security
     service and shared file system protocol you configure and use. Supported
     shared file system protocols are NFS, CIFS, GlusterFS, and HDFS. Supported
     security services are LDAP, Kerberos protocols, or Microsoft Active
@@ -78,21 +78,21 @@ You must also specify one of these supported authentication methods:
     org/developer/manila/devref/share_back_ends_feature_support_
     mapping.html>`_.
 
-To verify that the access rules (ACL) were configured correctly for a share,
+To verify that access rules (ACL) were configured correctly for a share,
-you can list permissions for a share.
+you can list its permissions.
 
 .. tip::
 
     You also can choose and add the :ref:`security service
     <shared_fs_security_services>` that is supported by the share driver to
     create access rules with authentication methods for clients that are
-    appropriate for your share. The supported security services are LDAP,
+    appropriate for your share. Supported security services are LDAP,
     Kerberos and Microsoft Active Directory.
 
-Below is an example of the NFS share with the Generic driver. After the share
+Below is an example of an NFS share with the Generic driver. After the share
 was created it has export location
 ``10.254.0.3:/shares/share-b2874f8d-d428-4a5c-b056-e6af80a995de``. If you try
-to mount it on the host with ``10.254.0.4`` IP address, you'll get the
+to mount it on the host with ``10.254.0.4`` IP address, you'll get a
 *"Permission denied"* message.
 
 .. code:: console
@@ -151,12 +151,3 @@ Now we can mount a share on the host with IP address ``10.254.0.4`` and have
  # ls -a /mnt
  .  ..  1.txt  lost+found
  #
-
-You also can list the access rules to each share and deny the access using the
-Shared File Systems service CLI.
-
-.. tip::
-
-    To ensure that the granted or denied access with Shared File Systems
-    service CLI is correct, check the mount config file on the storage before
-    releasing a share to the production.

security-guide/source/shared-file-systems/share-type-acl.rst

@@ -8,7 +8,7 @@ tenant visible description, and a list of non-tenant-visible key-value pairs -
 extra specifications. The manila-scheduler uses extra specifications to make
 scheduling decisions, and drivers control the share creation.
 
-The administrators can create and delete share types, and manage the extra
+An administrator can create and delete share types, and also manage extra
 specifications that give them meaning inside the Shared File Systems service.
 Tenants can list the share types and can use them to create new shares. For
 details of managing the share types, see `Shared File Systems API
@@ -17,26 +17,25 @@ details of managing the share types, see `Shared File Systems API
 <http://docs.openstack.org/admin-guide/shared_file_systems_share_types.html>`_
 documentation.
 
-The shares types can be created as *public* and *private*. This is the level of
+Share types can be created as *public* and *private*. This is the level of
 visibility for the share type that defines whether other tenants can or cannot
 see it in a share types list and use it to create a new share.
 
-By default, the share types are created as public. While creating a share type,
+By default, share types are created as public. While creating a share type,
 use :option:`--is_public` parameter set to ``False`` to make your share type
-private for other tenants not to see it in a list of share types and create
+private which will prevent other tenants from seeing it in a list of share
-new share with it.
+types and creating new shares with it. On the other hand,  *public* share
+types are available to every tenant in a cloud.
 
-The *public* share types are available to every tenant in a cloud.
+The Shared File Systems service allows an administrator to grant or deny
-
+access to the *private* share types for tenants. It is also possible to get
-The Shared File Systems service allows the administrators to grant or deny
-access to the *private* share types for some certain tenants. You also can get
 information about access for a specified private share type.
 
 .. tip::
 
-    Since the share types due to their extra specifications help to filter or
+    Since share types due to their extra specifications help to filter or
     choose back ends before users create a share, using access to the share
-    types you can limit clients that can choose definite back end.
+    types you can limit clients in choice of specific back ends.
 
 As an example, being an administrator user in admin tenant, you can create a
 private share type named ``my_type`` and see it in the list. In the console
@@ -58,7 +57,7 @@ provided to show the current logged in user.
  | 5..| default| public    | YES       | driver_handles_share_servers:True | snapshot_support:True |
  +----+--------+-----------+-----------+-----------------------------------+-----------------------+
 
-The demo user in demo tenant can list the types and the private share type
+``demo`` user in ``demo`` tenant can list the types and the private share type
 named ``my_type`` is not visible for him.
 
 .. code:: console
@@ -75,7 +74,7 @@ named ``my_type`` is not visible for him.
  | 5..| default| public    | YES       | driver_handles_share_servers:True| snapshot_support:True|
  +----+--------+-----------+-----------+----------------------------------+----------------------+
 
-The administrator can grant the access to the private share type for the demo
+The administrator can grant access to the private share type for the demo
 tenant with the tenant ID equal to df29a37db5ae48d19b349fe947fada46:
 
 .. code:: console
@@ -94,7 +93,7 @@ tenant with the tenant ID equal to df29a37db5ae48d19b349fe947fada46:
  +----------------------------------+--------------------+
  $ manila type-access-add my_type df29a37db5ae48d19b349fe947fada46
 
-Thus now the users in demo tenant can see the private share type and use it in
+Thus now users in demo tenant can see the private share type and use it in
 the share creation:
 
 .. code:: console
@@ -120,5 +119,5 @@ To deny access for a specified project, use
     A **real production use case** that shows the purpose of a share types and
     access to them is a situation when you have two back ends: cheap LVM as a
     public storage and expensive Ceph as a private storage. In this case you
-    can grant access to the certain tenants and make the access with
+    can grant access to certain tenants and make the access with
     ``user/group`` authentication method.