commit f738483e843fc27379b85c5401859ccc854adc5e
Author: Matt Riedemann <email address hidden>
Date: Wed Mar 30 22:07:47 2016 -0400

Make swap-volume an admin-only API by default

Cinder's volume migration API is, by default, an admin-only operation.
This includes the migrate_volume_completion API.

When Cinder is doing a volume migration, it calls Nova's swap-volume
API to detach the old volume that we're migrating from and attach
the volume that we're migrating to. Then Nova calls Cinder's
migrate_volume_completion API to signal Nova is done and Cinder
can finish the volume migration.

The problem is that swap-volume is not an admin-only API in Nova
per the default policy. So if a non-admin user tries to perform
a swap-volume operation, it will fail with a 403 when calling
Cinder's migrate_volume_completion API, since that requires an
admin user.

Also, because of 98739761f17b5e0b32abd8cd262f5beda030f886 we can't
simply avoid calling migrate_volume_completion for non-migration
cases because that API handles the actual detach/attach for the old
and new volumes, swap-volume is broken without calling that.

So given swap-volume relies on an admin-only Cinder API, and is called
from an admin-only Cinder operation (volume migration), we should
just make it default to admin-only also.

Reviewed: https://review.openstack.org/299715
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f738483e843fc27379b85c5401859ccc854adc5e
Submitter: Jenkins
Branch: master
Change-Id: Iac03258735f3d856a474ab96fe9b0a087e32906f
Closes-Bug: #1522705