Currently, Cinder's policy.json does not exhaustively list all the policy actions within Cinder.
For example, volume:attach is enforced in code [0] but is not contained in the policy.json [1].
The implementation for policy enforcement in [0] is:
@functools.wraps(func)
def wrapped(self, context, target_obj, *args, **kwargs):
check_policy(context, func.__name__, target_obj)
return func(self, context, target_obj, *args, **kwargs)
return wrapped
This means that each endpoint with @wrap_check_policy decorator above it should
be included in the policy.json but this is not the case.
Currently, the following policy actions are missing:
"volume:attach": "rule:admin_or_owner",
"volume:detach": "rule:admin_or_owner",
"volume:reserve_volume": "rule:admin_or_owner",
"volume:unreserve_volume": "rule:admin_or_owner",
"volume:begin_detaching": "rule:admin_or_owner",
"volume:roll_detaching": "rule:admin_or_owner",
"volume:initialize_connection": "rule:admin_or_owner",
"volume:terminate_connection": "rule:admin_or_owner",
"volume:accept_transfer": "rule:admin_or_owner",
"volume:get_volume_image_metadata": "rule:admin_or_owner",
"volume:copy_volume_to_image": "rule:admin_or_owner",
"volume:extend": "rule:admin_or_owner",
"volume:migrate_volume": "rule:admin_or_owner",
"volume:migrate_volume_completion": "rule:admin_or_owner",
"volume:attachment_create": "rule:admin_or_owner",
"volume:attachment_update": "rule:admin_or_owner",
"volume:attachment_delete": "rule:admin_or_owner",
[0] https://github.com/openstack/cinder/blob/master/cinder/volume/api.py
[1] https://github.com/openstack/cinder/blob/master/etc/cinder/policy.json
Fix proposed to branch: master
Review: https:/