Dear all,
I'm running OpenStack Caracal on AlmaLinux 9.5 and I'm trying to
modify the nova policy file to allow the reboot of a server only
to the admin and to the owner of the VM (but not to all members of
the same project).
I have updated the policy (as I already dis for other actions like stop) as follows:
"os_compute_api:servers:reboot": "rule:context_is_admin or user_id:%(user_id)s"
But the owner is unable to perform the reboot.
When I try to reboot one of my own instances I get the following
error:
>openstack server reboot 97a32e4c-2e56-4d75-b0c4-5ac4da278421 --debug
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/cliff/app.py", line 410, in
run_subcommand
result = cmd.run(parsed_args)
File
"/usr/lib/python3.9/site-packages/osc_lib/command/command.py",
line 38, in run
return super(Command, self).run(parsed_args)
File "/usr/lib/python3.9/site-packages/cliff/command.py", line
181, in run
return_code = self.take_action(parsed_args) or 0
File
"/usr/lib/python3.9/site-packages/openstackclient/compute/v2/server.py",
line 3279, in take_action
compute_client.reboot_server(server_id, parsed_args.reboot_type)
File
"/usr/lib/python3.9/site-packages/openstack/compute/v2/_proxy.py",
line 879, in reboot_server
server.reboot(self, reboot_type)
File
"/usr/lib/python3.9/site-packages/openstack/compute/v2/server.py",
line 353, in reboot
self._action(session, body)
File
"/usr/lib/python3.9/site-packages/openstack/compute/v2/server.py",
line 318, in _action
exceptions.raise_from_response(response)
File "/usr/lib/python3.9/site-packages/openstack/exceptions.py",
line 247, in raise_from_response
raise cls(
openstack.exceptions.ForbiddenException: ForbiddenException: 403:
Client Error for url: https://cloud-areapd-test.pd.infn.it:8774/v2.1/servers/97a32e4c-2e56-4d75-b0c4-5ac4da278421/action,
Policy doesn't allow os_compute_api:servers:reboot to be
performed.
clean_up RebootServer: ForbiddenException: 403: Client Error for
url: https://cloud-areapd-test.pd.infn.it:8774/v2.1/servers/97a32e4c-2e56-4d75-b0c4-5ac4da278421/action,
Policy doesn't allow os_compute_api:servers:reboot to be
performed.
END return value: 1
Do you know what could be causing this?
I’m able to start and stop this same VM without any issues, so I expected reboot to work with the same policy.
Thanks,
cheers
Federica
-- Federica Fanzago INFN Sezione di Padova Via Marzolo, 8 35131 Padova - Italy Tel: +39 049.967.7367 --