diff --git a/doc/source/support-matrix.ini b/doc/source/support-matrix.ini
index 2e0e60cb100..b10ad93a455 100644
--- a/doc/source/support-matrix.ini
+++ b/doc/source/support-matrix.ini
@@ -498,13 +498,14 @@ driver-impl-libvirt-vz-ct=complete
 [operation.swap-volume]
 title=Swap block volumes
 status=optional
-notes=The swap volume operation is a mechanism for changing running
+notes=The swap volume operation is a mechanism for changing a running
 instance so that its attached volume(s) are backed by different storage in the host. An alternative to this would be to simply terminate the existing instance and spawn a new instance with the new storage. In other words this operation is primarily targeted towards
- the pet use case rather than cattle. Therefore this is considered
- optional to support.
+ the pet use case rather than cattle, however, it is required for volume
+ migration to work in the volume service. This is considered optional to
+ support.
 cli=
 driver-impl-xenserver=missing
 driver-impl-libvirt-kvm-x86=complete
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index dc35f0c2044..b8766afa9a4 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -46,7 +46,7 @@
 "compute:attach_volume": "rule:admin_or_owner",
 "compute:detach_volume": "rule:admin_or_owner",
- "compute:swap_volume": "rule:admin_or_owner",
+ "compute:swap_volume": "rule:admin_api",
 "compute:attach_interface": "rule:admin_or_owner",
 "compute:detach_interface": "rule:admin_or_owner",
@@ -190,7 +190,7 @@
 "compute_extension:volume_attachments:index": "rule:admin_or_owner",
 "compute_extension:volume_attachments:show": "rule:admin_or_owner",
 "compute_extension:volume_attachments:create": "rule:admin_or_owner",
- "compute_extension:volume_attachments:update": "rule:admin_or_owner",
+ "compute_extension:volume_attachments:update": "rule:admin_api",
 "compute_extension:volume_attachments:delete": "rule:admin_or_owner",
 "compute_extension:volumetypes": "rule:admin_or_owner",
 "compute_extension:availability_zone:list": "rule:admin_or_owner",
@@ -473,7 +473,7 @@
 "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
 "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
 "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner",
- "os_compute_api:os-volumes-attachments:update": "rule:admin_or_owner",
+ "os_compute_api:os-volumes-attachments:update": "rule:admin_api",
 "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner",
 "os_compute_api:os-volumes-attachments:discoverable": "@",
 "os_compute_api:os-availability-zone:list": "rule:admin_or_owner",
diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py
index 998106a61f0..663b0b1d6b3 100644
--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@@ -247,6 +247,7 @@ def setUp(self):
 "compute:unlock_override",
 "compute:get_all_tenants",
 "compute:create:forced_host",
+"compute:swap_volume",
 "compute_extension:accounts",
 "compute_extension:admin_actions",
 "compute_extension:admin_actions:resetNetwork",
@@ -296,6 +297,7 @@ def setUp(self):
 "compute_extension:os-assisted-volume-snapshots:delete",
 "compute_extension:console_auth_tokens",
 "compute_extension:os-server-external-events:create",
+"compute_extension:volume_attachments:update",
 "os_compute_api:servers:create:forced_host",
 "os_compute_api:servers:detail:get_all_tenants",
 "os_compute_api:servers:index:get_all_tenants",
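Review bot: The tightening to `rule:admin_api` is applied at two REST rules (`compute_extension:volume_attachments:update` in this hunk, `os_compute_api:os-volumes-attachments:update` at @@ -473) plus the inner `compute:swap_volume` rule at @@ -46 in the same file, and it is that inner rule, which by its prefix looks to be checked in the compute API layer rather than at the REST boundary, that would still hold if an operator's customised policy.json only overrides one of the REST rules; nothing in the change records that the three are meant to move together. Deployments carrying their own policy.json will not pick up any of the new defaults, and owner-role callers of the two update endpoints now get a policy denial where they previously succeeded, so the accompanying release note could say explicitly that all three rules must be changed in a customised file, for example `Deployments with a customised policy.json need to update compute:swap_volume and both volume-attachment update rules together.` Whether the existing API tests for swap volume run with an admin context is not visible in this diff and would need confirming.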
@@ -364,6 +366,7 @@ def setUp(self):
 "os_compute_api:os-console-auth-tokens",
 "os_compute_api:os-quota-class-sets:update",
 "os_compute_api:os-server-external-events:create",
+"os_compute_api:os-volumes-attachments:update",
 "os_compute_api:servers:migrations:index",
 "os_compute_api:servers:migrations:show",
 )
@@ -456,7 +459,6 @@ def setUp(self):
 "compute:set_admin_password",
 "compute:snapshot",
 "compute:suspend",
-"compute:swap_volume",
 "compute:unpause",
 "compute:unrescue",
 "compute:update",
@@ -528,7 +530,6 @@ def setUp(self):
 "compute_extension:volume_attachments:index",
 "compute_extension:volume_attachments:show",
 "compute_extension:volume_attachments:create",
-"compute_extension:volume_attachments:update",
 "compute_extension:volume_attachments:delete",
 "compute_extension:volumetypes",
 "compute_extension:availability_zone:list",
@@ -617,7 +618,6 @@ def setUp(self):
 "os_compute_api:os-volumes-attachments:index",
 "os_compute_api:os-volumes-attachments:show",
 "os_compute_api:os-volumes-attachments:create",
-"os_compute_api:os-volumes-attachments:update",
 "os_compute_api:os-volumes-attachments:delete",
 "os_compute_api:os-availability-zone:list",
 )
diff --git a/releasenotes/notes/swap-volume-policy-9464e97aba12d1e0.yaml b/releasenotes/notes/swap-volume-policy-9464e97aba12d1e0.yaml
new file mode 100644
index 00000000000..91d83d2ac86
--- /dev/null
+++ b/releasenotes/notes/swap-volume-policy-9464e97aba12d1e0.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+ - The default policy for updating volume attachments, commonly referred to as
+ swap volume, has been changed from ``rule:admin_or_owner`` to
+ ``rule:admin_api``. This is because it is called from the volume service
+ when migrating volumes, which is an admin-only operation by default, and
+ requires calling an admin-only API in the volume service upon completion.
+ So by default it would not work for non-admins.