Non-admin user can perform 'extra-specs-list'

This bug, inherited from Cinder, allows a tenant to view share
extra specs using the extra-specs-list CLI command. The Cinder
fix was to check the admin context in the DB layer and filter out
all extra specs for non-admins. This approach doesn't work for
Manila, because some extra specs are required and are effectively
part of the Manila API (DHSS, snapshot_support). So in Manila we
define a set of tenant-visible extra specs and restrict the extra
spec values to that set in the share type view builder. Also, we
add policies for the share type list APIs so that admins can
control access to those if desired.

The separate API to list extra specs already has adequate checking
for non-admin users; the CLI was listing the extra specs returned
by the share type API, which is now filtered as described.

Co-Authored-By: Andrew Kerr <andrew.kerr@netapp.com>
Change-Id: I9b0a8ddc064c246286f26760b703db6e3e1bcd46
Closes-Bug: #1475285
1 file changed
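
The view-layer filtering the commit message describes, shown beside the drop-everything approach it attributes to Cinder. This is an added example, not code from the Manila change: the function names, the sample share type and its vendor key are hypothetical, and `driver_handles_share_servers` is assumed to be the spelled-out DHSS key.

```python
"""Allow-list filtering of share type extra specs for non-admin callers."""

# Assumption: the tenant-visible set. The commit message names DHSS and
# snapshot_support; the real set lives in the Manila change itself.
TENANT_VISIBLE_EXTRA_SPECS = frozenset({
    "driver_handles_share_servers",
    "snapshot_support",
})


def cinder_style_filter(extra_specs, is_admin):
    """Approach attributed to Cinder: non-admins get no extra specs at all."""
    return dict(extra_specs or {}) if is_admin else {}


def filter_extra_specs(extra_specs, is_admin):
    """Approach described for Manila: non-admins see only allow-listed keys."""
    specs = extra_specs or {}
    if is_admin:
        return dict(specs)
    # Unknown or vendor-specific keys are dropped by default (fail closed).
    return {k: v for k, v in specs.items() if k in TENANT_VISIBLE_EXTRA_SPECS}


def build_share_type_view(share_type, is_admin):
    """Hypothetical view builder returning the API form of one share type."""
    return {
        "id": share_type["id"],
        "name": share_type["name"],
        "extra_specs": filter_extra_specs(share_type.get("extra_specs"), is_admin),
    }


# Constructed sample; the vendor-scoped key is made up for illustration.
SAMPLE_SHARE_TYPE = {
    "id": "00000000-0000-0000-0000-000000000001",
    "name": "gold",
    "extra_specs": {
        "driver_handles_share_servers": "True",
        "snapshot_support": "True",
        "example_vendor:backend_pool": "pool-a",
    },
}

if __name__ == "__main__":
    print("tenant:", build_share_type_view(SAMPLE_SHARE_TYPE, is_admin=False))
    print("admin: ", build_share_type_view(SAMPLE_SHARE_TYPE, is_admin=True))
```

Because the filter runs in the view builder, every API response that embeds a share type goes through it, which is why the CLI listing is covered without a separate check.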