[nova][wallaby] Nova policy rule project_member_api not effective

Ghanshyam Mann gmann at ghanshyammann.com
Fri Jul 30 16:51:37 UTC 2021




 ---- On Fri, 30 Jul 2021 02:59:22 -0500 Taltavull Jean-Francois <jean-francois.taltavull at elca.ch> wrote ----
 > > -----Original Message-----
 > > From: Ghanshyam Mann <gmann at ghanshyammann.com>
 > > Sent: mercredi, 28 juillet 2021 18:54
 > > To: Taltavull Jean-Francois <jean-francois.taltavull at elca.ch>
 > > Cc: openstack-discuss at lists.openstack.org
 > > Subject: Re: [nova][wallaby] Nova policy rule project_member_api not effective
 > > 
 > > 
 > >  ---- On Wed, 28 Jul 2021 10:12:33 -0500 Taltavull Jean-Francois <jean-francois.taltavull at elca.ch> wrote ----
 > >  > Hi All,
 > >  >
 > >  > Despite the fact that oslopolicy-policy-generator --namespace nova shows the rules
 > >  > "project_member_api": "role:member and project_id:%(project_id)s" and
 > >  > "os_compute_api:servers:create": "rule:project_member_api", it is still possible
 > >  > to create a server even if you only have the role "member" on the project.
 > >  >
 > >  > Is this behavior normal or not? Must we consider that we are in a phase of
 > >  > transition about nova default policies?
 > > 
 > > Yes, we still support the old policy where project members are allowed to create
 > > servers. But even with the new defaults, a project member is allowed and can
 > > create the server. That is expected behavior.
 > > 
 > > Where other defaults added more restriction and moved from the project
 > > member to the admin or system admin/reader role, you can still use the old token to
 > > perform those operations, as the old defaults are still supported until we completely
 > > move to the new defaults.
 > > But you can disable the old policy enforcement via the config option
 > > 'enforce_new_defaults' and enforce the scope check via 'enforce_scope' in
 > > nova.conf like below:
 > > 
 > > [oslo_policy]
 > > enforce_scope = True
 > > enforce_new_defaults = true
 > > 
 > > [1] https://github.com/openstack/nova/blob/97e1a6bece29e383f55bb969c69983153df9ffc7/nova/policies/servers.py#L168
 > > 
 > > -gmann
 > 
 > I added and applied these two nova parameters but now "server create" fails on network attachment and some admin actions, like "hypervisor list", fail in 403.

Are you attaching an external network? If so, then you need the project admin role [1] to create a server with an external network attachment.

For the hypervisor list API, and many others, a new system role is now needed. By setting these two flags to true, you need to start using a
'system' scoped token, and a system reader or admin will be able to list hypervisors.

You can find all the new defaults in this doc and use the token permissions accordingly:
- https://docs.openstack.org/nova/latest/configuration/policy.html

[1] https://github.com/openstack/nova/blob/5ddaf36f3bec6910c59e3ec59d83b4e3a8d3d59c/nova/policies/servers.py#L294


-gmann

 > 
 > -JF
 > 
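The behaviour gmann describes (old defaults OR-ed in until enforce_new_defaults is set, and a scope check that turns a project-scoped token into a 403 on system-scoped APIs once enforce_scope is set) can be modelled with a small evaluator. The script below is an added illustration for this thread, not nova's or oslo.policy's own code: the two rule strings quoted from the generator output are real, but the policy name for hypervisor list, the scope_types table and the legacy rules are constructed to resemble nova's deprecated defaults and may not match a given release exactly.

```python
"""Toy model of oslo.policy rule evaluation for nova's policy defaults.

Added illustration for this thread; not nova or oslo.policy code. Policy
names, scope_types and the legacy rules are assumptions shaped like nova's.
"""

# New-style defaults. "project_member_api" and "os_compute_api:servers:create"
# match the generator output quoted in the thread; the rest is constructed.
NEW_RULES = {
    "project_member_api": "role:member and project_id:%(project_id)s",
    "system_reader_api": "role:reader and system_scope:all",
    "system_admin_api": "role:admin and system_scope:all",
    "system_reader_or_admin": "rule:system_reader_api or rule:system_admin_api",
    "os_compute_api:servers:create": "rule:project_member_api",
    "os_compute_api:os-hypervisors:list": "rule:system_reader_or_admin",  # assumed name
}

# Deprecated rules (constructed): still accepted while enforce_new_defaults=False.
LEGACY_RULES = {
    "os_compute_api:servers:create": "role:admin or project_id:%(project_id)s",
    "os_compute_api:os-hypervisors:list": "role:admin",
}

# Token scopes each policy accepts (nova's scope_types); only checked when
# enforce_scope=True.
SCOPE_TYPES = {
    "os_compute_api:servers:create": {"project"},
    "os_compute_api:os-hypervisors:list": {"system"},
}


def _atom(expr, creds, target):
    """Evaluate one 'kind:value' check against the token and the target."""
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in creds["roles"]
    if kind == "rule":
        return _evaluate(NEW_RULES[value], creds, target)
    if kind == "system_scope":
        return creds.get("system_scope") == value
    if kind == "project_id":
        # "%(project_id)s" is substituted from the target being acted on.
        return creds.get("project_id") == target["project_id"]
    raise ValueError(f"unsupported check: {expr}")


def _evaluate(rule, creds, target):
    """'and' binds tighter than 'or', as in oslo.policy; no parentheses here."""
    return any(
        all(_atom(term.strip(), creds, target) for term in clause.split(" and "))
        for clause in rule.split(" or ")
    )


def authorize(policy, creds, target, enforce_scope, enforce_new_defaults):
    """Return True if the token in `creds` may perform `policy` on `target`.

    creds mimics a keystone token: {"roles": [...], "project_id": ..., "system_scope": ...}
    """
    token_scope = "system" if creds.get("system_scope") else "project"
    if enforce_scope and token_scope not in SCOPE_TYPES[policy]:
        return False  # oslo.policy raises InvalidScope here; nova answers 403
    allowed = _evaluate(NEW_RULES[policy], creds, target)
    if not enforce_new_defaults and policy in LEGACY_RULES:
        allowed = allowed or _evaluate(LEGACY_RULES[policy], creds, target)
    return allowed


# Constructed tokens and target.
PROJECT_MEMBER = {"roles": ["member", "reader"], "project_id": "p1", "system_scope": None}
PROJECT_ADMIN = {"roles": ["admin", "member", "reader"], "project_id": "p1", "system_scope": None}
SYSTEM_READER = {"roles": ["reader"], "project_id": None, "system_scope": "all"}
TARGET = {"project_id": "p1"}

if __name__ == "__main__":
    for name, creds in (("project member", PROJECT_MEMBER),
                        ("project admin", PROJECT_ADMIN),
                        ("system reader", SYSTEM_READER)):
        for policy in NEW_RULES:
            if policy not in SCOPE_TYPES:
                continue
            old = authorize(policy, creds, TARGET, False, False)
            new = authorize(policy, creds, TARGET, True, True)
            print(f"{name:14} {policy:40} legacy={old!s:5} new_defaults+scope={new}")
```

Running it reproduces both observations from the thread: the project member creates servers under either configuration, while the project admin who could list hypervisors under the legacy rule is refused once scope is enforced, and only a system-scoped reader or admin token passes.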
