[nova][cinder][keystone] Unshelve in nova, cinder initialize_connection with user context

Matt Riedemann mriedemos at gmail.com
Fri Apr 12 02:14:42 UTC 2019

On 4/11/2019 10:52 AM, Colleen Murphy wrote:
> Forgive my unfamiliarity with the nova and cinder APIs but it sounds like the shelve operation in nova is a purely nova-side API, while the unshelve operation calls cinder's volume-attach API if the instance had a mounted volume before it was shelved. Since the operation involves cinder, you'd have to update the cinder policy to allow this unprivileged user to perform the volume-attach action. It's not really a bug, it's just fallout from having policies managed separately for separate services.

Correct, the user has to also be able to attach/detach volumes to/from 
their server since shelve/unshelve does that under the covers more or less.

The same actually happens with ports, but you have to configure nova to 
have access to neutron's port binding API which is elevated (admin or 
service user token) beyond the normal user auth.

Mitaka doesn't have configuration like that for cinder in nova, it was 
added a bit later but there is a patch being backported which you could 
also try to backport to mitaka - but it might be a bit messy (the 
keystoneauth stuff wasn't being used by nova in mitaka):





More information about the openstack-discuss mailing list