Commit
Make swap-volume an admin-only API by default
Cinder's volume migration API is, by default, an admin-only operation. This includes the migrate_volume_completion API.

When Cinder is doing a volume migration, it calls Nova's swap-volume API to detach the old volume that we're migrating from and attach the volume that we're migrating to. Then Nova calls Cinder's migrate_volume_completion API to signal Nova is done and Cinder can finish the volume migration.

The problem is that swap-volume is not an admin-only API in Nova per the default policy. So if a non-admin user tries to perform a swap-volume operation, it will fail with a 403 when calling Cinder's migrate_volume_completion API, since that requires an admin user.

Also, because of 9873976 we can't simply avoid calling migrate_volume_completion for non-migration cases because that API handles the actual detach/attach for the old and new volumes, swap-volume is broken without calling that.

So given swap-volume relies on an admin-only Cinder API, and is called from an admin-only Cinder operation (volume migration), we should just make it default to admin-only also.

Change-Id: Iac03258735f3d856a474ab96fe9b0a087e32906f
Closes-Bug: #1522705
Matt Riedemann committed Apr 8, 2016
1 parent 7c648c3, commit f738483
Showing 4 changed files with 18 additions and 9 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
--- | ||
upgrade: | ||
- The default policy for updating volume attachments, commonly referred to as | ||
swap volume, has been changed from ``rule:admin_or_owner`` to | ||
``rule:admin_api``. This is because it is called from the volume service | ||
when migrating volumes, which is an admin-only operation by default, and | ||
requires calling an admin-only API in the volume service upon completion. | ||
So by default it would not work for non-admins. |
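Review bot: the upgrade note gives the old and new defaults (``rule:admin_or_owner`` to ``rule:admin_api``) but never names the policy key whose default changed, so an operator comparing a customized policy file against the new defaults cannot tell which entry to check; add the rule name to the first sentence. The note should also say what an operator who overrides the rule back to ``rule:admin_or_owner`` can expect: by its own last two sentences the operation still requires an admin-only API in the volume service upon completion, so the override alone would not make swap volume work for non-admins unless the volume service policy is relaxed as well.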