[nova][wallaby] Nova policy rule project_member_api not effective

Taltavull Jean-Francois jean-francois.taltavull at elca.ch
Fri Jul 30 07:59:22 UTC 2021


> -----Original Message-----
> From: Ghanshyam Mann <gmann at ghanshyammann.com>
> Sent: mercredi, 28 juillet 2021 18:54
> To: Taltavull Jean-Francois <jean-francois.taltavull at elca.ch>
> Cc: openstack-discuss at lists.openstack.org
> Subject: Re: [nova][wallaby] Nova policy rule project_member_api not effective
> 
> 
>  ---- On Wed, 28 Jul 2021 10:12:33 -0500 Taltavull Jean-Francois <jean-francois.taltavull at elca.ch> wrote ----
>  > Hi All,
>  >
>  > Despite the fact that oslopolicy-policy-generator --namespace nova shows the rules
>  > "project_member_api": "role:member and project_id:%(project_id)s" and
>  > "os_compute_api:servers:create": "rule:project_member_api", it is still possible
>  > to create a server even if you only have the role "member" on the project.
>  >
>  > Is this behavior normal or not? Must we consider that we are in a phase of
>  > transition about nova default policies?
> 
> Yes, we still support the old policy where project members are allowed to create
> servers. But even with the new default, project members are allowed and they
> can create the server. That is expected behavior.
> 
> For other defaults which added more restrictions and moved from project
> member to admin or system admin/reader role, you can still use the old token to
> perform those operations, as the old defaults are still supported until we completely
> move to the new defaults.
> But you can disable the old policy enforcement via the config option
> 'enforce_new_defaults' and enforce the scope check via 'enforce_scope' in
> nova conf like below:
> 
> [oslo_policy]
> enforce_scope = True
> enforce_new_defaults = true
> 
> [1] https://github.com/openstack/nova/blob/97e1a6bece29e383f55bb969c69983153df9ffc7/nova/policies/servers.py#L168
> 
> -gmann

I added and applied these two nova parameters, but now "server create" fails on network attachment and some admin actions, like "hypervisor list", fail with a 403.

-JF
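As an added illustration, not code from this thread or from nova itself, here is a small Python model of the oslo.policy evaluation gmann describes: it shows why a project-scoped member token passes os_compute_api:servers:create under both the old and the new defaults, while a project-scoped admin token gets a 403 on a system-scoped API such as hypervisor list once enforce_scope and enforce_new_defaults are on. The project_member_api and servers:create rule strings are the ones quoted above; the deprecated rules, the hypervisor policy name and rule, and the scope types are assumptions modelled on nova's Wallaby defaults.

```python
import re
# Policy name -> (new default, deprecated default, accepted token scopes). The first
# two rule strings are quoted in the thread; the deprecated rules, the hypervisor
# policy name/rule and the scope types are ASSUMED to mirror nova's Wallaby defaults.
POLICIES = {
    "project_member_api": ("role:member and project_id:%(project_id)s", None, ("project",)),
    "os_compute_api:servers:create": ("rule:project_member_api",
                                      "is_admin:True or project_id:%(project_id)s", ("project",)),
    "os_compute_api:os-hypervisors:list": ("role:reader and system_scope:all", "is_admin:True", ("system",)),
}

def _atom(atom, creds, target):
    """One check: role:member, rule:<name>, is_admin:True, project_id:%(project_id)s ..."""
    key, _, value = atom.partition(":")
    if key == "rule":
        return _expr(POLICIES[value][0], creds, target)
    if key == "role":
        return value in creds.get("roles", ())
    m = re.fullmatch(r"%\((\w+)\)s", value)    # templated value comes from the target
    expected = target.get(m.group(1)) if m else value
    return creds.get(key) is not None and str(creds[key]) == str(expected)

def _expr(rule, creds, target):
    # "or" binds loosest, "and" tightest; enough for the rules shown on this page.
    return any(all(_atom(a.strip(), creds, target) for a in conj.split(" and "))
               for conj in rule.split(" or "))

def enforce(policy, creds, target, enforce_scope, enforce_new_defaults):
    """Return 200 if allowed, else 403 (the status the API client sees)."""
    new, old, scopes = POLICIES[policy]
    if enforce_scope and creds["scope"] not in scopes:
        return 403                  # InvalidScope: wrong token type for this API
    if _expr(new, creds, target):
        return 200
    if not enforce_new_defaults and old and _expr(old, creds, target):
        return 200                  # deprecated default still honoured
    return 403

def demo():
    member = {"roles": ["member", "reader"], "project_id": "p1", "scope": "project", "is_admin": False}
    admin = {"roles": ["admin", "member", "reader"], "project_id": "p1", "scope": "project", "is_admin": True}
    sysreader = {"roles": ["reader"], "scope": "system", "system_scope": "all", "is_admin": False}
    create, hyp = "os_compute_api:servers:create", "os_compute_api:os-hypervisors:list"
    return {
        "member_create_old": enforce(create, member, {"project_id": "p1"}, False, False),
        "member_create_new": enforce(create, member, {"project_id": "p1"}, True, True),
        "admin_hypervisors_old": enforce(hyp, admin, {}, False, False),
        "admin_hypervisors_new": enforce(hyp, admin, {}, True, True),   # the 403 the thread reports
        "sysreader_hypervisors_new": enforce(hyp, sysreader, {}, True, True),
    }
```

In this model the admin-only listing succeeds again only with a system-scoped reader token, which is what enforce_scope requires for that API.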

