Policies

Shared File Systems service has its own role-based access policies. They determine which user can access which objects in which way, and are defined in the service’s policy.json file.

Tip

The configuration file policy.json may be placed anywhere. The path /etc/manila/policy.json is expected by default.

Whenever an API call to the Shared File Systems service is made, the policy engine uses the appropriate policy definitions to determine if the call can be accepted.

A policy rule determines under which circumstances the API call is permitted. The /etc/manila/policy.json file has rules where action is always permitted, when the rule is an empty string: ""; the rules based on the user role or rules; rules with boolean expressions. Below is a snippet of the policy.json file for the Shared File Systems service. From one OpenStack release to another it can be changed.

{
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "share_extension:quotas:show": "",
    "share_extension:quotas:update": "rule:admin_api",
    "share_extension:quotas:delete": "rule:admin_api",
    "share_extension:quota_classes": "",
}

Users must be assigned to groups and roles that you refer to in your policies. This is done automatically by the service when user management commands are used.

Note

Any changes to /etc/manila/policy.json are effective immediately, which allows new policies to be implemented while the Shared File Systems service is running. Manual modification of the policy can have unexpected side effects and is not encouraged. For details, see The policy.json file.