---- On Fri, 18 Apr 2025 08:58:45 -0700 federica fanzago <federica.fanzago@pd.infn.it> wrote ---
Dear all,
I'm running OpenStack Caracal on AlmaLinux 9.5 and I'm trying to modify the nova policy file to allow the reboot of a server only to the admin and to the owner of the VM (but not to all members of the same project). I have updated the policy (as I already did for other actions like stop) as follows:

"os_compute_api:servers:reboot": "rule:context_is_admin or user_id:%(user_id)s"
The issue here is who you consider the 'owner of the VM'. Nova does not enforce the user id to decide the ownership of the resources. It only uses the project id of the resources to decide the ownership or RBAC permission control. In your case, below is the right way for RBAC permission:

"os_compute_api:servers:reboot": "rule:context_is_admin or role:member and project_id:%(project_id)s"

And this is what default RBAC is, so basically, you do not need to modify the policy at all.

For the "server stop" operation, the user id works because we have kept the user id enforcement for a few of the server operations (it is kept because of backward compatibility). When we tried to remove that, we were asked to keep it as it is so that it would not break existing users [1]. But it is creating more confusion now, and we should remove those. I will discuss and work on that.

[1] https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/us...

-gmann
But the owner is unable to perform the reboot.
When I try to reboot one of my own instances I get the following error:
>openstack server reboot 97a32e4c-2e56-4d75-b0c4-5ac4da278421 --debug
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/cliff/app.py", line 410, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python3.9/site-packages/osc_lib/command/command.py", line 38, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python3.9/site-packages/cliff/command.py", line 181, in run
    return_code = self.take_action(parsed_args) or 0
  File "/usr/lib/python3.9/site-packages/openstackclient/compute/v2/server.py", line 3279, in take_action
    compute_client.reboot_server(server_id, parsed_args.reboot_type)
  File "/usr/lib/python3.9/site-packages/openstack/compute/v2/_proxy.py", line 879, in reboot_server
    server.reboot(self, reboot_type)
  File "/usr/lib/python3.9/site-packages/openstack/compute/v2/server.py", line 353, in reboot
    self._action(session, body)
  File "/usr/lib/python3.9/site-packages/openstack/compute/v2/server.py", line 318, in _action
    exceptions.raise_from_response(response)
  File "/usr/lib/python3.9/site-packages/openstack/exceptions.py", line 247, in raise_from_response
    raise cls(
openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error for url: https://cloud-areapd-test.pd.infn.it:8774/v2.1/servers/97a32e4c-2e56-4d75-b0..., Policy doesn't allow os_compute_api:servers:reboot to be performed.
clean_up RebootServer: ForbiddenException: 403: Client Error for url: https://cloud-areapd-test.pd.infn.it:8774/v2.1/servers/97a32e4c-2e56-4d75-b0..., Policy doesn't allow os_compute_api:servers:reboot to be performed.
END return value: 1

Do you know what could be causing this? I'm able to start and stop this same VM without any issues, so I expected reboot to work with the same policy.

Thanks, cheers
Federica
--
Federica Fanzago
INFN Sezione di Padova
Via Marzolo, 8
35131 Padova - Italy
Tel: +39 049.967.7367
--
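To make the behaviour discussed in this thread concrete, the following is an added example written for this page; it is not code from the thread, from nova or from oslo.policy. It is a small stand-in for oslo.policy's rule evaluation that supports the three kinds of check used in the rules quoted above ("rule:", "role:" and generic "key:%(key)s" checks, with "and" binding tighter than "or", as in oslo.policy; parentheses and "not" are left out). Two things in it are assumptions rather than quotations from nova source, chosen to match gmann's explanation: that nova's server stop check passes both the instance's user_id and project_id as the policy target, and that the reboot check passes only the project_id. All user, project and role values are constructed sample data.

```python
"""Stand-in for oslo.policy rule evaluation (added example, not nova/oslo code).

ASSUMPTIONS (consistent with the thread, not quoted from nova source):
  * the server stop check uses {"user_id", "project_id"} of the instance as target;
  * the server reboot check uses only {"project_id"} as target.
All IDs and roles below are constructed sample values.
"""


def _single_check(token, target, creds, rules):
    """Evaluate one 'kind:match' check the way oslo.policy's checks do."""
    kind, _, match = token.partition(":")
    if kind == "rule":                      # RuleCheck: recurse into a named rule
        return evaluate(rules[match], target, creds, rules)
    if kind == "role":                      # RoleCheck: case-insensitive membership
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    # GenericCheck, e.g. user_id:%(user_id)s.  The template is filled from the
    # TARGET; a key missing from the target makes the check False (this is what
    # turns into the 403 above), and so does a key missing from the credentials.
    try:
        expected = match % target
    except KeyError:
        return False
    if kind not in creds:
        return False
    return str(creds[kind]) == expected


def evaluate(rule, target, creds, rules):
    """'a or b and c' means a or (b and c): any or-clause whose checks all pass."""
    for clause in rule.split(" or "):
        checks = [tok.strip() for tok in clause.split(" and ")]
        if all(_single_check(tok, target, creds, rules) for tok in checks):
            return True
    return False


RULES = {
    "context_is_admin": "role:admin",
    # The rule Federica set for reboot (quoted in the thread).
    "reboot_user_id": "rule:context_is_admin or user_id:%(user_id)s",
    # The project-scoped rule gmann describes as the default.
    "reboot_default": "rule:context_is_admin or role:member and project_id:%(project_id)s",
}

# Constructed instance and the two policy targets (see ASSUMPTIONS above).
INSTANCE = {"user_id": "owner-uid", "project_id": "proj-a"}
STOP_TARGET = {"user_id": INSTANCE["user_id"], "project_id": INSTANCE["project_id"]}
REBOOT_TARGET = {"project_id": INSTANCE["project_id"]}

# Constructed request credentials (what the keystone token would carry).
OWNER = {"user_id": "owner-uid", "project_id": "proj-a", "roles": ["member", "reader"]}
TEAMMATE = {"user_id": "other-uid", "project_id": "proj-a", "roles": ["member", "reader"]}
OUTSIDER = {"user_id": "x-uid", "project_id": "proj-b", "roles": ["member", "reader"]}
ADMIN = {"user_id": "admin-uid", "project_id": "admin-proj", "roles": ["admin", "member", "reader"]}


def allowed(rule_name, target, creds):
    """True if the named rule permits the request described by target and creds."""
    return evaluate(RULES[rule_name], target, creds, RULES)


if __name__ == "__main__":
    people = {"owner": OWNER, "teammate": TEAMMATE, "outsider": OUTSIDER, "admin": ADMIN}
    for rule_name, target_name, target in [
        ("reboot_user_id", "stop-style target", STOP_TARGET),
        ("reboot_user_id", "reboot target", REBOOT_TARGET),
        ("reboot_default", "reboot target", REBOOT_TARGET),
    ]:
        verdicts = {who: allowed(rule_name, target, creds) for who, creds in people.items()}
        print(f"{rule_name:15s} with {target_name:17s}: {verdicts}")
```

Running it shows the asymmetry from the thread: with a stop-style target the user_id rule lets the owner through and blocks the teammate, but with a reboot target that carries no user_id the same rule evaluates to False for everyone who is not an admin, which is exactly the 403 the owner sees. The project-scoped default rule admits every member of the project and rejects other projects; if per-user ownership is really wanted for reboot, it cannot be expressed in policy alone as long as the target does not carry the user_id.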