Re: [Openstack] Cinder policy.json

[Adam Young]

On 05/09/2017 06:39 AM, ch...@foxmail.com wrote:
Hello:
    I want every one can access a volume I created in cinder as admin, 
so I changed /etc/cinder/policy.json as bellow, but it won't work. 
Why? And how to do it?
Thanks!
policy.json

So, debugging policy is a pain.  What operation specifically fails?
You also might want to make the default into something more specific, 
such as "check that the project matches and the user has either the 
Member or admin role"  Or, if you just want it to always pass, you can 
make it a true check.


"default": "",





{
    "context_is_admin": "role:admin",
    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
    "default": "",

    "admin_api": "is_admin:True",

    "volume:create": "",
    "volume:delete": "",
    "volume:get": "",
    "volume:get_all": "",
    "volume:get_volume_metadata": "",
    "volume:delete_volume_metadata": "",
    "volume:update_volume_metadata": "",
    "volume:get_volume_admin_metadata": "rule:admin_api",
    "volume:update_volume_admin_metadata": "rule:admin_api",
    "volume:get_snapshot": "",
    "volume:get_all_snapshots": "",
    "volume:create_snapshot": "",
    "volume:delete_snapshot": "",
    "volume:update_snapshot": "",
    "volume:extend": "",
    "volume:update_readonly_flag": "",
    "volume:retype": "",
    "volume:update": "",

    "volume_extension:types_manage": "rule:admin_api",
    "volume_extension:types_extra_specs": "rule:admin_api",
    "volume_extension:access_types_qos_specs_id": "rule:admin_api",
    "volume_extension:access_types_extra_specs": "rule:admin_api",
    "volume_extension:volume_type_access": "",
    "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
    "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
    "volume_extension:volume_type_encryption": "rule:admin_api",
    "volume_extension:volume_encryption_metadata": "",
    "volume_extension:extended_snapshot_attributes": "",
    "volume_extension:volume_image_metadata": "",

    "volume_extension:quotas:show": "",
    "volume_extension:quotas:update": "rule:admin_api",
    "volume_extension:quotas:delete": "rule:admin_api",
    "volume_extension:quota_classes": "rule:admin_api",
    "volume_extension:quota_classes:validate_setup_for_nested_quota_use": 
"rule:admin_api",

    "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
    "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
    "volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
    "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
    "volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
    "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
    "volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
    "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
    "volume_extension:volume_admin_actions:migrate_volume_completion": 
"rule:admin_api",

    "volume_extension:volume_host_attribute": "rule:admin_api",
    "volume_extension:volume_tenant_attribute": "",
    "volume_extension:volume_mig_status_attribute": "rule:admin_api",
    "volume_extension:hosts": "rule:admin_api",
    "volume_extension:services:index": "rule:admin_api",
    "volume_extension:services:update" : "rule:admin_api",

    "volume_extension:volume_manage": "rule:admin_api",
    "volume_extension:volume_unmanage": "rule:admin_api",

    "volume_extension:capabilities": "rule:admin_api",

    "volume:create_transfer": "",
    "volume:accept_transfer": "",
    "volume:delete_transfer": "",
    "volume:get_all_transfers": "",

    "volume_extension:replication:promote": "rule:admin_api",
    "volume_extension:replication:reenable": "rule:admin_api",

    "volume:enable_replication": "rule:admin_api",
    "volume:disable_replication": "rule:admin_api",
    "volume:failover_replication": "rule:admin_api",
    "volume:list_replication_targets": "rule:admin_api",

    "backup:create" : "",
    "backup:delete": "",
    "backup:get": "",
    "backup:get_all": "",
    "backup:restore": "",
    "backup:backup-import": "rule:admin_api",
    "backup:backup-export": "rule:admin_api",

    "snapshot_extension:snapshot_actions:update_snapshot_status": "",
    "snapshot_extension:snapshot_manage": "rule:admin_api",
    "snapshot_extension:snapshot_unmanage": "rule:admin_api",

    "consistencygroup:create" : "group:nobody",
    "consistencygroup:delete": "group:nobody",
    "consistencygroup:update": "group:nobody",
    "consistencygroup:get": "group:nobody",
    "consistencygroup:get_all": "group:nobody",

    "consistencygroup:create_cgsnapshot" : "group:nobody",
    "consistencygroup:delete_cgsnapshot": "group:nobody",
    "consistencygroup:get_cgsnapshot": "group:nobody",
    "consistencygroup:get_all_cgsnapshots": "group:nobody",

    "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api"
}

------------------------------------------------------------------------
ch...@foxmail.com


_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack