[nova][ops] Problem with nova policies for resume operation

Massimo Sgaravatto massimo.sgaravatto at gmail.com
Mon Feb 7 15:21:05 UTC 2022


Dear all

I am running a Xena installation

I have modified the nova policy fail so that certain operations can be done
only by the user who created the instance, or by the administrator
This [*] is my policy.yaml file.
While the suspend operation works as intended (I can suspend only my
instances and I am not allowed to suspend an instance created by another
user) I am not able to resume an instance that I own and that I have
previously suspended.
I get this error:

ERROR (Forbidden): Policy doesn't allow
os_compute_api:os-suspend-server:suspend to be performed. (HTTP 403)
(Request-ID: req-c57458bc-b1ea-4b40-a1d2-0f67608ef673)

Only removing the line:

"os_compute_api:os-suspend-server:suspend": "rule:admin_api or
user_id:%(user_id)s"

from the policy file, I am able to resume the instance.

I am not able to understand what is wrong with that policy. Any hints ?

Thanks, Massimo


[*]

# Pause a server
# POST  /servers/{server_id}/action (pause)
# Intended scope(s): system, project
"os_compute_api:os-pause-server:pause": "rule:admin_api or
user_id:%(user_id)s"

# Delete a server
# DELETE  /servers/{server_id}
# Intended scope(s): system, project
"os_compute_api:servers:delete": "rule:admin_api or user_id:%(user_id)s"

# Resize a server
# POST  /servers/{server_id}/action (resize)
# Intended scope(s): system, project
"os_compute_api:servers:resize": "rule:admin_api or user_id:%(user_id)s"

# Rebuild a server
# POST  /servers/{server_id}/action (rebuild)
# Intended scope(s): system, project
"os_compute_api:servers:rebuild": "rule:admin_api or user_id:%(user_id)s"

# Stop a server
# POST  /servers/{server_id}/action (os-stop)
# Intended scope(s): system, project
"os_compute_api:servers:stop": "rule:admin_api or user_id:%(user_id)s"

# Resume suspended server
# POST  /servers/{server_id}/action (resume)
# Intended scope(s): system, project
"os_compute_api:os-suspend-server:resume": "rule:admin_api or
user_id:%(user_id)s"

# Suspend server
# POST  /servers/{server_id}/action (suspend)
# Intended scope(s): system, project
"os_compute_api:os-suspend-server:suspend": "rule:admin_api or
user_id:%(user_id)s"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220207/3751bd7e/attachment-0001.htm>


More information about the openstack-discuss mailing list