Support metadata for access rule¶
https://blueprints.launchpad.net/manila/+spec/metadata-for-access-rule
Add a new “metadata” property for access rule resource.
Problem description¶
Access rule resource lacks the ability for getting/setting metadata property.
Use Cases¶
The metadata here for access rule is the descriptive metadata. It’s used for discovery and identification. Users could add key-value pairs for the access rules to describe them. Users could also filter access rules with specified metadata while requesting a list of access rules.
Proposed change¶
The “metadata” property will be added to access rule object.
A new DB table “share_access_rules_metadata” will be created.
The access rule create API will be updated to support “metadata”.
A set of APIs will be created for access rule metadata’s CRUD.
Alternatives¶
We can only get the desired access rule value by access_to. There is no way to tag what the access rule is by the user or add some special info to access.
Data model impact¶
The new “share_access_rules_metadata” table will be created in DB and it will include access rule id. The primary key is “id”. We could get information of the access_rules table by the access rule id.
+-------------------+--------------+-------------+-------------+-----------------+
| key | value | id | deleted | access_id |
+-------------------+--------------+-------------+-------------+-----------------+
| varchar(255) | varchar(255) | varchar(36) | varchar(36) | varchar(36) |
+-------------------+--------------+-------------+-------------+-----------------+
| varchar(255) | varchar(255) | varchar(36) | varchar(36) | varchar(36) |
+-------------------+--------------+-------------+-------------+-----------------+`
REST API impact¶
It will follow the microversion rules.
The access rule create API’s request body will be updated to support “metadata”.
POST /v2/{project_id}/shares/{share_id}/action the request body can contain "metadata". { "allow_access":{ "metadata":{ "key1": "value1", "key2": "value2" } ... } }
A set of new APIs related to access rule metadata will be created.
Show an access rule’s metadata
GET /v2/{project_id}/share-access-rules/{access_id} Response { "access": { "access_level": "rw", "state": "error", "id": "507bf114-36f2-4f56-8cf4-857985ca87c1", "access_type": "cert", "access_to": "example.com", "access_key": null, "metadata": { "key1": "value1", "key2": "value2" } } }
List access rules filtered by access rule metadata
GET /v2/{project_id}/share-access-rules?share_id={share-id}&key1=value1&key2=value2 Response { "accesses": [ { "access_level": "rw", "state": "active", "id": "507bf114-36f2-4f56-8cf4-857985ca87c1", "access_type": "cert", "access_to": "example.com", "access_key": null, "metadata": { "key1": "value1", "key2": "value2" } }, { "access_level": "rw", "state": "error", "id": "329bf795-2cd5-69s2-cs8d-857985ca3652", "access_type": "ip", "access_to": "10.0.0.2", "access_key": null, "metadata": { "key1": "value1", "key2": "value2" } }, ] }
The “share_id” is a mandatory query key, and the API will respond with HTTP 400 if the “share_id” is not provided.
Note
The current access rules list API accepts HTTP POST requests. To ensure correct HTTP semantics around idempotent and safe information retrieval, we will introduce a new API that accepts GET requests. The old API will be capped with a maximum micro-version, i.e, it will not be available from the micro-version that this new API is introduced within.
Remove one specified metadata
DELETE /v2/{project_id}/share-access-rules/{access_id}/metadata/{key}
If we don’t input the “key” value, manila won’t remove any metadata and return HTTP 400.
Update a specified metadata
PUT /v2/{project_id}/share-access-rules/{access_id}/metadata Request { "metadata":{ "key1": "value1", "key2": "value2" } }
If we don’t input the “key” value, it won’t update any metadata and return error.
Security impact¶
None
Notifications impact¶
The new APIs will send new notifications as well.
Other end user impact¶
The Manila client, CLI will be extended to support access metadata.
The access-allow command with access metadata supported will be like:
manila access-allow [--metadata <key=value> [<key=value> ...]] [--access-level <access_level>] <share> <access_type> <access_to>
The new access-metadata command will be like:
manila access-metadata <access_id> <action> <key=value> [<key=value> ...] Set or delete metadata on a access rule. Positional arguments: <access_id> ID of the access rule to update metadata on. <action> Actions: "set" or "unset" to set or delete metadata on a access rule. <key=value> Metadata to set or unset, only key is necessary to unset.
The new access-show command with access metadata supported will be like:
manila access-show <access_id> Show information of given access rule. Positional arguments: <access_id> ID of the access rule to update metadata on.
The access-deny command will delete all access rule metadata. The command syntax won’t be changed:
manila access-deny <share> <id>
The access-list command will add metadata filter. The command will be like:
manila access-list [--columns <columns>] <share> [--metadata [<key=value> [<key=value> ...]]] Show access list for share. Positional arguments: <share> Name or ID of the share. Optional arguments: --columns Comma separated list of columns to be displayed example –columns “access_type,access_to”. --metadata Filters results by a metadata key and value. OPTIONAL: Default=None.
Performance Impact¶
A new “share_access_rules_metadata” table will be created. The DB join action may cause the search performance to reduce on the existing access rules APIs.
Other deployer impact¶
None
Developer impact¶
Drivers will not have access to the metadata, and the driver interfaces for update_access will not be modified.
Implementation¶
Assignee(s)¶
- Primary assignee:
zhongjun
Work Items¶
Add metadata property to access rule object and bump the APIs version.
Create a new DB table “share_access_rules_metadata” and add db upgrade script.
Update access rule create/list API.
Add update/delete APIs for access rule metadata.
Add new tests within openstack/manila-tempest-plugin for the new APIs.
Allow adding/updating/deleting access rule metadata in Manila UI and python-manilaclient.
Dependencies¶
None
Testing¶
Unit tests
Tempest tests
Documentation Impact¶
Api-ref needs update.
update user documentation and CLI documentation
References¶
None