[nova][cinder][keystone] Unshelve in nova, cinder initialize_connection with user context

Matt Riedemann mriedemos at gmail.com
Fri Apr 12 02:14:42 UTC 2019


On 4/11/2019 10:52 AM, Colleen Murphy wrote:
> Forgive my unfamiliarity with the nova and cinder APIs but it sounds like the shelve operation in nova is a purely nova-side API, while the unshelve operation calls cinder's volume-attach API if the instance had a mounted volume before it was shelved. Since the operation involves cinder, you'd have to update the cinder policy to allow this unprivileged user to perform the volume-attach action. It's not really a bug, it's just fallout from having policies managed separately for separate services.

Correct, the user has to also be able to attach/detach volumes to/from 
their server since shelve/unshelve does that under the covers more or less.

The same actually happens with ports, but you have to configure nova to 
have access to neutron's port binding API, which is elevated (admin or 
service user token) beyond the normal user auth.

Mitaka doesn't have configuration like that for cinder in nova; it was 
added a bit later, but there is a patch being backported which you could 
also try to backport to mitaka - it might be a bit messy, though (the 
keystoneauth stuff wasn't being used by nova in mitaka):

https://review.openstack.org/#/c/603044/

-- 

Thanks,

Matt
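The thread's point is that unshelve is authorized by nova's policy, but the volume re-attach it performs is authorized separately by cinder's policy, using the same user token. The following is an added illustration of that gap, not code from nova, cinder or this thread: a small oslo.policy-style rule evaluator (supporting `role:`, `rule:`, attribute checks such as `project_id:%(project_id)s`, `and`/`or`) over two constructed policy files. The rule names (`compute:unshelve_server`, `volume:attach_volume`), the role/project values and the server record are all hypothetical placeholders, not the real nova or cinder policy targets.

```python
"""Cross-service policy check for a shelve/unshelve-style flow.

Constructed example: the evaluator is a simplified stand-in for oslo.policy,
and every rule name, role and project id below is a placeholder.
"""
from dataclasses import dataclass, field


@dataclass
class RequestContext:
    """The caller's identity as both services see it (same token, same roles)."""
    user_id: str
    project_id: str
    roles: set = field(default_factory=set)


def _check_atom(atom, rules, ctx, target):
    """Evaluate one policy atom: '@', '!', 'rule:x', 'role:x' or 'attr:%(attr)s'."""
    atom = atom.strip()
    if atom == "@":        # always allowed
        return True
    if atom == "!":        # never allowed
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":     # reference to another named rule
        return evaluate(value, rules, ctx, target)
    if kind == "role":     # caller must hold this role
        return value in ctx.roles
    # Generic attribute check, e.g. project_id:%(project_id)s compares the
    # caller's project against the project that owns the target resource.
    creds = {"project_id": ctx.project_id, "user_id": ctx.user_id}
    return str(creds.get(kind)) == (value % target)


def evaluate(name, rules, ctx, target):
    """Evaluate policy `name` for caller `ctx` acting on `target`.

    'and' binds tighter than 'or', as in oslo.policy; parentheses are not
    supported here. Unknown targets are denied (a constructed default).
    """
    expr = rules.get(name, "!")
    for disjunct in expr.split(" or "):
        if all(_check_atom(a, rules, ctx, target) for a in disjunct.split(" and ")):
            return True
    return False


# Constructed nova policy: an owner may unshelve their own server.
NOVA_POLICY = {
    "admin_or_owner": "role:admin or project_id:%(project_id)s",
    "compute:unshelve_server": "rule:admin_or_owner",
}

# Constructed cinder policy that only lets admins attach volumes: this is the
# situation the thread describes, where the nova call succeeds but the
# attach done under the covers is rejected by cinder.
CINDER_POLICY_STRICT = {
    "admin_api": "role:admin",
    "volume:attach_volume": "rule:admin_api",
}

# The cinder-side fix: open the attach action to the owning project as well.
CINDER_POLICY_FIXED = {
    "admin_or_owner": "role:admin or project_id:%(project_id)s",
    "volume:attach_volume": "rule:admin_or_owner",
}


def unshelve(ctx, server, nova_rules, cinder_rules):
    """Simulate unshelve: nova authorizes the API call, then re-attaches each
    volume the server had, calling cinder with the *same* user context, so
    cinder's policy is evaluated for every attach."""
    target = {"project_id": server["project_id"], "user_id": server["user_id"]}
    if not evaluate("compute:unshelve_server", nova_rules, ctx, target):
        return "denied by nova policy"
    for vol in server["volumes"]:
        vol_target = {"project_id": vol["project_id"]}
        if not evaluate("volume:attach_volume", cinder_rules, ctx, vol_target):
            return f"denied by cinder policy while re-attaching {vol['id']}"
    return "unshelved"


# Constructed sample data: a plain project member and their server with one volume.
MEMBER = RequestContext(user_id="user-1", project_id="proj-1", roles={"member"})
ADMIN = RequestContext(user_id="user-0", project_id="proj-0", roles={"admin"})
SERVER = {
    "project_id": "proj-1",
    "user_id": "user-1",
    "volumes": [{"id": "vol-1", "project_id": "proj-1"}],
}

if __name__ == "__main__":
    print("strict cinder policy:", unshelve(MEMBER, SERVER, NOVA_POLICY, CINDER_POLICY_STRICT))
    print("fixed cinder policy: ", unshelve(MEMBER, SERVER, NOVA_POLICY, CINDER_POLICY_FIXED))
```

Running it shows the member passing nova's check and then being rejected by cinder until cinder's own rule is widened; an admin passes both in either configuration, and a server with no volumes never reaches cinder at all, which is why the problem only appears for servers that had a volume attached when shelved.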
