User visible extra specs
Starting with the Xena release, certain volume type extra specs (i.e. properties) are considered user visible, meaning that their visibility is no longer restricted to cloud administrators. This feature gives regular users more information about the available volume types and helps them make a more informed choice when creating a volume.
The following extra spec keys are treated as user visible:
- RESKEY:availability_zones
- multiattach
- replication_enabled
Note
The set of user visible extra specs is a fixed list and is not configurable. The feature is implemented entirely through policy and does not require a new API microversion.
Behavior with the openstack client
Consider the following volume type as seen by an administrator. In this example, multiattach is a user visible extra spec while volume_backend_name is not.
# Administrator behavior
[admin@host]$ openstack volume type show vol_type
+--------------------+-------------------------------------------------------+
| Field | Value |
+--------------------+-------------------------------------------------------+
| access_project_ids | None |
| description | None |
| id | d03a0f33-e695-4f5c-b712-7d92abbf72be |
| is_public | True |
| name | vol_type |
| properties | multiattach='<is> True', volume_backend_name='secret' |
| qos_specs_id | None |
+--------------------+-------------------------------------------------------+
This is the output when a regular user runs the same command. Note that only the user visible multiattach property is listed; volume_backend_name is omitted entirely rather than shown with a masked value.
# Regular user behavior
[user@host]$ openstack volume type show vol_type
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| access_project_ids | None |
| description | None |
| id | d03a0f33-e695-4f5c-b712-7d92abbf72be |
| is_public | True |
| name | vol_type |
| properties | multiattach='<is> True' |
+--------------------+--------------------------------------+
Listing volume types behaves the same way. An administrator sees all extra specs, but a regular user sees only the user visible ones.
# Administrator behavior
[admin@host]$ openstack volume type list --long
+--------------------------------------+-------------+-----------+---------------------+-------------------------------------------------------+
| ID | Name | Is Public | Description | Properties |
+--------------------------------------+-------------+-----------+---------------------+-------------------------------------------------------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type | True | None | multiattach='<is> True', volume_backend_name='secret' |
| 80f38273-f4b9-4862-a4e6-87692eb66a96 | __DEFAULT__ | True | Default Volume Type | |
+--------------------------------------+-------------+-----------+---------------------+-------------------------------------------------------+
# Regular user behavior
[user@host]$ openstack volume type list --long
+--------------------------------------+-------------+-----------+---------------------+-------------------------+
| ID | Name | Is Public | Description | Properties |
+--------------------------------------+-------------+-----------+---------------------+-------------------------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type | True | None | multiattach='<is> True' |
| 80f38273-f4b9-4862-a4e6-87692eb66a96 | __DEFAULT__ | True | Default Volume Type | |
+--------------------------------------+-------------+-----------+---------------------+-------------------------+
Regular users can view these properties but cannot modify them: being user visible does not make an extra spec user writable. An attempt by a non-administrator to modify a user visible property fails with a policy error:
[user@host]$ openstack volume type set --property multiattach='<is> False' vol_type
Failed to set volume type property: Policy doesn't allow
volume_extension:types_extra_specs:create to be performed. (HTTP 403)
Filtering with extra specs
API microversion 3.52 added support for filtering the volume type list by extra specs. Regular users can use this to filter on user visible extra specs. If a regular user filters on an extra spec that is not user visible, the result is an empty list rather than an error, and, as the transcript below shows, this holds even when the supplied value is correct, so the filter cannot be used to probe hidden values.
# Administrator behavior
[admin@host]$ cinder --os-volume-api-version 3.52 type-list \
> --filters extra_specs={"multiattach":"<is> True"}
+--------------------------------------+----------+-------------+-----------+
| ID | Name | Description | Is_Public |
+--------------------------------------+----------+-------------+-----------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type | - | True |
+--------------------------------------+----------+-------------+-----------+
[admin@host]$ cinder --os-volume-api-version 3.52 type-list \
> --filters extra_specs={"volume_backend_name":"secret"}
+--------------------------------------+----------+-------------+-----------+
| ID | Name | Description | Is_Public |
+--------------------------------------+----------+-------------+-----------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type | - | True |
+--------------------------------------+----------+-------------+-----------+
# Regular user behavior
[user@host]$ cinder --os-volume-api-version 3.52 type-list \
> --filters extra_specs={"multiattach":"<is> True"}
+--------------------------------------+----------+-------------+-----------+
| ID | Name | Description | Is_Public |
+--------------------------------------+----------+-------------+-----------+
| d03a0f33-e695-4f5c-b712-7d92abbf72be | vol_type | - | True |
+--------------------------------------+----------+-------------+-----------+
[user@host]$ cinder --os-volume-api-version 3.52 type-list \
> --filters extra_specs={"volume_backend_name":"secret"}
+----+------+-------------+-----------+
| ID | Name | Description | Is_Public |
+----+------+-------------+-----------+
+----+------+-------------+-----------+
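The rules behind the transcripts above (the fixed allow-list from the note at the top, admin-only writes, and the 3.52 filter behaviour for regular users) can be modelled offline. The following is an added example and not Cinder's own code: the function names and the `is_admin` flag are this example's own, and in Cinder the same decisions are made by oslo.policy rules rather than a boolean. The sample volume types are constructed to match the page.

```python
"""Offline model of Cinder's user visible extra specs (Xena and later).

Added example, not Cinder's own code. It reproduces the observable
behaviour from the CLI transcripts with plain Python: a fixed allow-list
of keys, admin-only writes, and a list filter that is evaluated only
against the specs the caller is allowed to see. The `is_admin` flag and
all function names are assumptions of this example.
"""

# The fixed, non-configurable allow-list from the documentation.
USER_VISIBLE_EXTRA_SPECS = frozenset({
    "RESKEY:availability_zones",
    "multiattach",
    "replication_enabled",
})

# Constructed sample data matching the transcripts on this page.
VOLUME_TYPES = [
    {
        "id": "d03a0f33-e695-4f5c-b712-7d92abbf72be",
        "name": "vol_type",
        "extra_specs": {"multiattach": "<is> True",
                        "volume_backend_name": "secret"},
    },
    {
        "id": "80f38273-f4b9-4862-a4e6-87692eb66a96",
        "name": "__DEFAULT__",
        "extra_specs": {},
    },
]


class PolicyNotAuthorized(Exception):
    """Stands in for the HTTP 403 Cinder returns on a failed policy check."""


def visible_extra_specs(extra_specs, is_admin):
    """Return the subset of extra specs the caller may see.

    Administrators see everything; everyone else sees only keys on the
    allow-list. Values of hidden keys never leave this function.
    """
    if is_admin:
        return dict(extra_specs)
    return {k: v for k, v in extra_specs.items()
            if k in USER_VISIBLE_EXTRA_SPECS}


def show_type(vtype, is_admin):
    """Equivalent of 'openstack volume type show' for one type."""
    return {"id": vtype["id"], "name": vtype["name"],
            "extra_specs": visible_extra_specs(vtype["extra_specs"], is_admin)}


def list_types(types, is_admin, extra_specs_filter=None):
    """Equivalent of 'type-list --filters extra_specs={...}' (API >= 3.52).

    The filter is compared against the *visible* specs, so for a regular
    user a hidden key can never match, whatever value is supplied. The
    result is an empty list rather than an error, and the filter is not
    an oracle for hidden values. An empty filter matches every type.
    """
    extra_specs_filter = extra_specs_filter or {}
    matches = []
    for vtype in types:
        visible = visible_extra_specs(vtype["extra_specs"], is_admin)
        if all(visible.get(k) == v for k, v in extra_specs_filter.items()):
            matches.append(show_type(vtype, is_admin))
    return matches


def set_extra_spec(vtype, key, value, is_admin):
    """Equivalent of 'openstack volume type set --property'.

    Writes are governed by volume_extension:types_extra_specs:create,
    which stays admin-only; being user visible never implies writable.
    """
    if not is_admin:
        raise PolicyNotAuthorized(
            "Policy doesn't allow volume_extension:types_extra_specs:create "
            "to be performed.")
    vtype["extra_specs"][key] = value
    return dict(vtype["extra_specs"])


if __name__ == "__main__":
    for role, admin in (("admin", True), ("user", False)):
        print(role, show_type(VOLUME_TYPES[0], admin)["extra_specs"])
        print(role, [t["name"] for t in list_types(
            VOLUME_TYPES, admin, {"volume_backend_name": "secret"})])
```

The ordering in `list_types` is the security-relevant detail: the filter is applied after the visibility cut, not before. An implementation that matched against the full spec set and only stripped hidden keys from the response would still return `vol_type` for a regular user filtering on `volume_backend_name=secret`, turning the filter into a yes/no oracle for hidden values.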
Security considerations
If a cloud administrator does not want to expose any extra specs to regular users, the previous behavior can be restored by setting the following policies back to their pre-Xena defaults:
"volume_extension:access_types_extra_specs": "rule:admin_api"
"volume_extension:types_extra_specs:index": "rule:admin_api"
"volume_extension:types_extra_specs:show": "rule:admin_api"
To also prevent regular users from filtering the volume type list by extra specs, edit /etc/cinder/resource_filters.json and restore the "volume_type" entry to its pre-Xena default:
"volume_type": ["is_public"]
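A small audit of the two settings above, as an added example that is not part of Cinder: it reports which of the three read policies do not resolve to rule:admin_api and whether "extra_specs" is still listed under "volume_type" in resource_filters.json. The policy parser handles only the quoted `"key": "value"` line form used in this section and in generated policy.yaml samples (anything more elaborate would need a real YAML parser such as PyYAML); the file contents embedded below are constructed samples, and the "open" policy sample is not a copy of Cinder's shipped defaults.

```python
"""Audit whether a Cinder deployment exposes volume type extra specs.

Added example, not part of Cinder. Checks the two settings from the
security considerations: the three extra-spec read policies must be
rule:admin_api, and the "volume_type" entry of resource_filters.json must
not contain "extra_specs". Only the quoted '"key": "value"' policy line
form is parsed (an assumption of this example); sample contents are
constructed.
"""
import json
import re

EXTRA_SPECS_READ_POLICIES = (
    "volume_extension:access_types_extra_specs",
    "volume_extension:types_extra_specs:index",
    "volume_extension:types_extra_specs:show",
)
ADMIN_ONLY = "rule:admin_api"

# Matches lines such as:  "volume_extension:types_extra_specs:show": "rule:admin_api"
# (an optional trailing comma covers the older policy.json form).
_POLICY_LINE = re.compile(r'^\s*"([^"]+)"\s*:\s*"([^"]*)"\s*,?\s*$')


def parse_policy_lines(text):
    """Parse quoted key/value policy lines into a dict.

    Comment lines and anything not in that form are ignored.
    """
    rules = {}
    for line in text.splitlines():
        m = _POLICY_LINE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules


def exposed_read_policies(rules):
    """Return the extra-spec read policies that are NOT pinned to admin_api.

    A policy absent from the file takes Cinder's built-in default, which
    since Xena is no longer admin-only, so a missing entry is reported too.
    """
    return [p for p in EXTRA_SPECS_READ_POLICIES if rules.get(p) != ADMIN_ONLY]


def extra_specs_filter_enabled(resource_filters):
    """True if regular users may filter the type list by extra specs."""
    return "extra_specs" in resource_filters.get("volume_type", [])


def audit(policy_text, resource_filters_text):
    """Run both checks and return a report dict."""
    rules = parse_policy_lines(policy_text)
    filters = json.loads(resource_filters_text)
    return {
        "exposed_policies": exposed_read_policies(rules),
        "extra_specs_filter": extra_specs_filter_enabled(filters),
    }


# Constructed samples. OPEN_POLICY stands for a deployment where the read
# policies were left loose or unset; it is not Cinder's shipped default.
OPEN_POLICY = """
# comment line, ignored by the parser
"volume_extension:access_types_extra_specs": "rule:admin_or_owner"
"volume_extension:types_extra_specs:show": "rule:admin_or_owner"
"volume_extension:types_extra_specs:create": "rule:admin_api"
"""
HARDENED_POLICY = """
"volume_extension:access_types_extra_specs": "rule:admin_api"
"volume_extension:types_extra_specs:index": "rule:admin_api"
"volume_extension:types_extra_specs:show": "rule:admin_api"
"""
OPEN_FILTERS = '{"volume_type": ["is_public", "extra_specs"]}'
HARDENED_FILTERS = '{"volume_type": ["is_public"]}'

if __name__ == "__main__":
    print("open:", audit(OPEN_POLICY, OPEN_FILTERS))
    print("hardened:", audit(HARDENED_POLICY, HARDENED_FILTERS))
```

To run it against a live deployment, pass the contents of /etc/cinder/policy.yaml and /etc/cinder/resource_filters.json to `audit`; an empty `exposed_policies` list together with `extra_specs_filter` being False means regular users get neither the values nor a filter-based probe.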