[openstack-dev] [Openstack] How can I enable operation for non-admin user

Scott Devoid devoid at anl.gov
Thu Jun 26 04:31:31 UTC 2014


Hi Chen,


> I’m not an experienced developer, so , could you explain more about
>  “Perhaps the live_migrate task is passing the incorrect context in for
> this database query?” ?
>
Sorry, I should have clarified that that question was for the developers
*out there*. (cc's the dev list now). I'm not really a developer either so
we will have to see what they say. ;-)


>
> Here is what I understand.
>
> The issue is basically caused by  @require_admin_context for
> db.service_get_by_compute_host().
>
Yes, the request is failing because @require_admin_context only checks for
the "admin" role in the context. It's somewhat of a holdover from when
there was just admin and everything else.


> Then, should this a bug ?
>

Possibly. I can see why db.service_get_by_compute_host() should be an
admin-only call, but I am assuming that there must be a way for nova to
switch the running context to itself once it has authorized the
live-migrate task.

But I suspect few people have tried to allow non-admins to live-migrate
and this is just a bug from that.

> Why does the “nova migrate” command not need to check the compute host?
>

Sorry, this is a bit fastidious, but I think "nova live-migrate" is what
you mean here. "nova migrate", I think, is still a completely separate
code-path. live-migrate needs to talk to both the source and destination
nova-compute services to coordinate and confirm the migration.


>
> Thanks.
>
> -chen
>
>
>
> *From:* Scott Devoid [mailto:devoid at anl.gov]
> *Sent:* Thursday, June 26, 2014 9:34 AM
> *To:* Li, Chen
> *Cc:* Sushma Korati; openstack at lists.openstack.org
> *Subject:* Re: [Openstack] How can I enable operation for non-admin user
>
>
>
> Hi Li,
>
>
>
> The problem here is that db.service_get_by_compute_host() requires admin
> context. [1] The live_migrate command needs to check that both hosts have a
> running nova-compute service before it begins migration. Perhaps the
> live_migrate task is passing the incorrect context in for this database
> query? [2] I would think that conductor should be running under its own
> context and not the caller's context? (Devs?)
>
>
>
> And before someone comments that migration should always be *admin-only*,
> I'll point out that there are legitimate reasons an operator might want to
> give someone migrate permissions and not all admin permissions.
>
>
>
> ~ Scott
>
>
>
> [1]
> https://github.com/openstack/nova/blob/master/nova/db/sqlalchemy/api.py#L485
>
> [2]
> https://github.com/openstack/nova/blob/master/nova/conductor/tasks/live_migrate.py#L87
>
>
>
> On Tue, Jun 24, 2014 at 9:11 PM, Li, Chen <chen.li at intel.com> wrote:
>
> Hi Sushma,
>
>
>
> Thanks for the reply.
>
>
>
> Well, editing /etc/nova/policy.json does work for the command “nova migrate”.
>
>
>
> But when I run command “nova live-migration”, I still get errors, in
>  /var/log/nova/conductor.log:
>
>
>
>
>
> 2014-06-25 02:07:23.897 115385 INFO oslo.messaging._drivers.impl_qpid [-]
> Connected to AMQP server on 192.168.40.122:5672
>
> 2014-06-25 02:08:59.221 115395 ERROR nova.conductor.manager
> [req-63f0a004-ef69-47f4-aefb-e0fa194d99b9 fa970646fa92442fa14b2b759cf381a6
> 2eb6bd3a69ad454a90489dd12b9cdf3b] Migration of instance
> 446d96d7-2073-46ac-b40c-0f167fbd04b2 to host None unexpectedly failed.
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager Traceback
> (most recent call last):
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager   File
> "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 757, in
> _live_migrate
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager
> block_migration, disk_over_commit)
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager   File
> "/usr/lib/python2.6/site-packages/nova/conductor/tasks/live_migrate.py",
> line 191, in execute
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager     return
> task.execute()
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager   File
> "/usr/lib/python2.6/site-packages/nova/conductor/tasks/live_migrate.py",
> line 56, in execute
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager
> self._check_host_is_up(self.source)
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager   File
> "/usr/lib/python2.6/site-packages/nova/conductor/tasks/live_migrate.py",
> line 87, in _check_host_is_up
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager     service =
> db.service_get_by_compute_host(self.context, host)
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager   File
> "/usr/lib/python2.6/site-packages/nova/db/api.py", line 129, in
> service_get_by_compute_host
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager     return
> IMPL.service_get_by_compute_host(context, host)
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager   File
> "/usr/lib/python2.6/site-packages/nova/db/sqlalchemy/api.py", line 145, in
> wrapper
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager
> nova.context.require_admin_context(args[0])
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager   File
> "/usr/lib/python2.6/site-packages/nova/context.py", line 195, in
> require_admin_context
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager     raise
> exception.AdminRequired()
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager AdminRequired:
> User does not have admin privileges
>
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager
>
> 2014-06-25 02:08:59.226 115395 ERROR oslo.messaging.rpc.dispatcher [-]
> Exception during message handling: Migration error: User does not have
> admin privileges
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher
> Traceback (most recent call last):
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher   File
> "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line
> 133, in _dispatch_and_reply
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher
> incoming.message))
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher   File
> "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line
> 176, in _dispatch
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher
> return self._do_dispatch(endpoint, method, ctxt, args)
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher   File
> "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line
> 122, in _do_dispatch
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher
> result = getattr(endpoint, method)(ctxt, **new_args)
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher   File
> "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/server.py", line 139,
> in inner
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher
> return func(*args, **kwargs)
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher   File
> "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 681, in
> migrate_server
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher
> block_migration, disk_over_commit)
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher   File
> "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 783, in
> _live_migrate
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher
> raise exception.MigrationError(reason=ex)
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher
> MigrationError: Migration error: User does not have admin privileges
>
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher
>
> 2014-06-25 02:08:59.228 115395 ERROR oslo.messaging._drivers.common [-]
> Returning exception Migration error: User does not have admin privileges to
> caller
>
> 2014-06-25 02:08:59.228 115395 ERROR oslo.messaging._drivers.common [-]
> ['Traceback (most recent call last):\n', '  File
> "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line
> 133, in _dispatch_and_reply\n    incoming.message))\n', '  File
> "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line
> 176, in _dispatch\n    return self._do_dispatch(endpoint, method, ctxt,
> args)\n', '  File
> "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line
> 122, in _do_dispatch\n    result = getattr(endpoint, method)(ctxt,
> **new_args)\n', '  File
> "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/server.py", line 139,
> in inner\n    return func(*args, **kwargs)\n', '  File
> "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 681, in
> migrate_server\n    block_migration, disk_over_commit)\n', '  File
> "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 783, in
> _live_migrate\n    raise exception.MigrationError(reason=ex)\n',
> 'MigrationError: Migration error: User does not have admin privileges\n']
>
>
>
> *From:* Sushma Korati [mailto:sushma_korati at persistent.co.in]
> *Sent:* Tuesday, June 24, 2014 4:43 PM
> *To:* Li, Chen; openstack at lists.openstack.org
> *Subject:* RE: How can I enable operation for non-admin user
>
>
>
>
>
> Hi Li,
>
> As far as I know, to migrate an instance you'll need admin privileges.
> But if you want to allow this operation for a normal user, then you might try
> editing the /etc/nova/policy.json file and giving the privileges there.
>
> File: /etc/nova/policy.json
> change "compute_extension:admin_actions:migrate": "rule:admin_api" to
> "compute_extension:admin_actions:migrate": "*rule:admin_or_owner*"
>
>
> Regards,
> Sushma
>
>
>     ------------------------------
>
> *From:* Li, Chen <chen.li at intel.com>
> *Sent:* Tuesday, June 24, 2014 1:44 PM
> *To:* openstack at lists.openstack.org
> *Subject:* [Openstack] How can I enable operation for non-admin user
>
>
>
> Hi list,
>
>
>
> I’m working under CentOS + icehouse.
>
>
>
> I have a non-admin user “demo”, and I can work under this
> user with basic operations.
>
> Everything works well.
>
>
>
> But, I also hope this user can do some admin operations, such as migrate
> and so on, because currently when I run command:
>
> nova migrate ${my_instance}
>
> I get output:
>
> ERROR: Policy doesn't allow compute_extension:admin_actions:migrate to be
> performed. (HTTP 403) (Request-ID: req-698ad5b5-f1fe-48fc-b81f-a765020bf89f)
>
>
>
> Can anyone help me?
>
>
>
> Thanks.
>
> -chen
>
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
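The thread above describes two independent authorization layers: the policy.json rule that nova-api evaluates (the HTTP 403 in Chen's first mail) and the @require_admin_context guard that the DB layer applies to db.service_get_by_compute_host() (the AdminRequired in the conductor traceback). The following is an added example, not nova's code: a small Python model of those two layers, showing why loosening the policy rule lets "nova migrate" through but still leaves "nova live-migration" failing in the conductor, and what changes if the conductor runs the DB query under an elevated context. The RequestContext, the toy policy evaluator and the decorator are my simplified stand-ins (nova's real nova.context.RequestContext does have an elevated() method; whether the Icehouse live_migrate task used it is not established by the thread).

```python
"""Added example (not nova's code): a model of the two authorization layers
discussed in the thread. The policy rule language below supports only the
two rules quoted in Sushma's reply; real oslo/nova policy is richer."""
import functools
import json


class AdminRequired(Exception):
    """Raised by the DB-layer guard, as in the conductor traceback."""


class RequestContext:
    """Minimal stand-in for nova.context.RequestContext (assumption)."""

    def __init__(self, user_id, project_id, roles, is_admin=None):
        self.user_id = user_id
        self.project_id = project_id
        self.roles = [r.lower() for r in roles]
        # As Scott describes: "admin" is derived purely from the role list.
        self.is_admin = ("admin" in self.roles) if is_admin is None else is_admin

    def elevated(self):
        """Copy of this context with admin rights: the context switch Scott
        suspects the conductor should perform before the DB query."""
        return RequestContext(self.user_id, self.project_id,
                              self.roles + ["admin"], is_admin=True)


def require_admin_context(func):
    """DB-layer guard: checks only context.is_admin, exactly what the
    traceback shows nova.context.require_admin_context doing."""
    @functools.wraps(func)
    def wrapper(context, *args, **kwargs):
        if not context.is_admin:
            raise AdminRequired("User does not have admin privileges")
        return func(context, *args, **kwargs)
    return wrapper


# Constructed policy.json fragments: the line before and after Sushma's edit.
POLICY_BEFORE = json.loads(
    '{"compute_extension:admin_actions:migrate": "rule:admin_api"}')
POLICY_AFTER = json.loads(
    '{"compute_extension:admin_actions:migrate": "rule:admin_or_owner"}')


def policy_allows(policy, action, context, target_project):
    """Toy evaluator for the two rules used in the thread (assumption)."""
    rule = policy[action]
    if rule == "rule:admin_api":
        return context.is_admin
    if rule == "rule:admin_or_owner":
        return context.is_admin or context.project_id == target_project
    raise ValueError("unknown rule %r" % rule)


@require_admin_context
def service_get_by_compute_host(context, host):
    """Stand-in for db.service_get_by_compute_host(): returns a constructed
    service record instead of querying the database."""
    return {"host": host, "binary": "nova-compute", "up": True}


def live_migrate(context, policy, instance_project, host, elevate=False):
    """Model of the API + conductor path: policy check first, then the
    DB-layer host check. Returns the layer that refused, or 'ok'."""
    if not policy_allows(policy, "compute_extension:admin_actions:migrate",
                         context, instance_project):
        return "policy_denied"      # the HTTP 403 from nova-api
    db_context = context.elevated() if elevate else context
    try:
        service_get_by_compute_host(db_context, host)
    except AdminRequired:
        return "admin_required"     # MigrationError raised by the conductor
    return "ok"


if __name__ == "__main__":
    demo = RequestContext("demo-user", "demo-project", ["member"])
    print(live_migrate(demo, POLICY_BEFORE, "demo-project", "compute1"))
    print(live_migrate(demo, POLICY_AFTER, "demo-project", "compute1"))
    print(live_migrate(demo, POLICY_AFTER, "demo-project", "compute1",
                       elevate=True))
```

The three calls at the bottom walk through the thread in order: policy denies the non-admin outright, the policy edit moves the failure into the DB guard, and only an elevated context reaches the compute-host lookup. From a least-privilege standpoint the last step is the one worth scrutinizing when granting migrate rights: the policy rule is the only check that sees the caller, so everything behind the elevation runs with full admin rights.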