[nova][ops] Problem with nova policies for resume operation

Takashi Kajinami tkajinam at redhat.com
Mon Feb 7 16:03:29 UTC 2022


Quickly checking the current code, it seems support for user_id was
introduced only to the suspend API[1].
 [1] https://review.opendev.org/c/openstack/nova/+/353344

I've opened a bug for nova[2] because supporting consistent rules for
suspend and resume makes clear sense to me.
 [2] https://bugs.launchpad.net/nova/+bug/1960247


On Tue, Feb 8, 2022 at 12:25 AM Massimo Sgaravatto <
massimo.sgaravatto at gmail.com> wrote:

> Dear all
>
> I am running a Xena installation
>
> I have modified the nova policy file so that certain operations can be
> done only by the user who created the instance, or by the administrator
> This [*] is my policy.yaml file.
> While the suspend operation works as intended (I can suspend only my
> instances and I am not allowed to suspend an instance created by another
> user) I am not able to resume an instance that I own and that I have
> previously suspended.
> I get this error:
>
> ERROR (Forbidden): Policy doesn't allow
> os_compute_api:os-suspend-server:suspend to be performed. (HTTP 403)
> (Request-ID: req-c57458bc-b1ea-4b40-a1d2-0f67608ef673)
>
> Only removing the line:
>
> "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s"
>
> from the policy file, I am able to resume the instance.
>
> I am not able to understand what is wrong with that policy. Any hints?
>
> Thanks, Massimo
>
>
> [*]
>
> # Pause a server
> # POST  /servers/{server_id}/action (pause)
> # Intended scope(s): system, project
> "os_compute_api:os-pause-server:pause": "rule:admin_api or user_id:%(user_id)s"
>
> # Delete a server
> # DELETE  /servers/{server_id}
> # Intended scope(s): system, project
> "os_compute_api:servers:delete": "rule:admin_api or user_id:%(user_id)s"
>
> # Resize a server
> # POST  /servers/{server_id}/action (resize)
> # Intended scope(s): system, project
> "os_compute_api:servers:resize": "rule:admin_api or user_id:%(user_id)s"
>
> # Rebuild a server
> # POST  /servers/{server_id}/action (rebuild)
> # Intended scope(s): system, project
> "os_compute_api:servers:rebuild": "rule:admin_api or user_id:%(user_id)s"
>
> # Stop a server
> # POST  /servers/{server_id}/action (os-stop)
> # Intended scope(s): system, project
> "os_compute_api:servers:stop": "rule:admin_api or user_id:%(user_id)s"
>
> # Resume suspended server
> # POST  /servers/{server_id}/action (resume)
> # Intended scope(s): system, project
> "os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s"
>
> # Suspend server
> # POST  /servers/{server_id}/action (suspend)
> # Intended scope(s): system, project
> "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s"
>
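To illustrate why a rule of the form `rule:admin_api or user_id:%(user_id)s` depends on the API handler passing `user_id` in the policy target, here is an added example that is not nova or oslo.policy code: a small stand-in evaluator for just the rule syntax used in the quoted policy.yaml, run against the thread's suspend and resume rules. The `admin_api` definition, the sample users and the target dicts are constructed assumptions.

```python
import re

# Constructed from the policy.yaml quoted in the thread; "admin_api" is not
# shown there, so its definition below is an assumed placeholder.
POLICY = {
    "admin_api": "role:admin",
    "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s",
    "os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s",
}
# Generic check like "user_id:%(user_id)s": credential attribute on the left,
# key looked up in the API's target dict on the right.
_GENERIC = re.compile(r"^(\w+):%\((\w+)\)s$")

def _check(term, creds, target):
    """Evaluate one term; mirrors oslo.policy semantics for this rule subset."""
    kind, _, value = term.partition(":")
    if kind == "rule":
        return enforce(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    m = _GENERIC.match(term)
    if m:
        cred_key, target_key = m.groups()
        # As in oslo.policy's GenericCheck, a target without the key fails the
        # check, so a user_id rule is rejected if the API never passes user_id.
        if target_key not in target:
            return False
        return str(creds.get(cred_key)) == str(target[target_key])
    raise ValueError("unsupported policy term: %s" % term)

def enforce(rule_name, creds, target):
    """True if creds satisfy POLICY[rule_name] for target ('or' only)."""
    return any(_check(t.strip(), creds, target)
               for t in POLICY[rule_name].split(" or "))

# Constructed sample principals and targets.
OWNER = {"user_id": "u-owner", "project_id": "p1", "roles": ["member"]}
OTHER = {"user_id": "u-other", "project_id": "p1", "roles": ["member"]}
ADMIN = {"user_id": "u-admin", "project_id": "p0", "roles": ["admin"]}
SUSPEND = "os_compute_api:os-suspend-server:suspend"
RESUME = "os_compute_api:os-suspend-server:resume"

def demo():
    """Owner and admin may suspend; a resume target lacking user_id fails."""
    full = {"user_id": "u-owner", "project_id": "p1"}  # what suspend passes
    partial = {"project_id": "p1"}                      # user_id missing
    return (enforce(SUSPEND, OWNER, full), enforce(SUSPEND, OTHER, full),
            enforce(SUSPEND, ADMIN, full), enforce(RESUME, OWNER, partial))
```

The last value shows the failure mode: the owner's credentials are correct, but the rule cannot match because the target handed to the policy engine carries no `user_id`, so only `rule:admin_api` can still succeed.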