[nova][wallaby] Nova policy rule project_member_api not effective
Hi All,

Despite the fact that oslopolicy-policy-generator --namespace nova shows the rules "project_member_api": "role:member and project_id:%(project_id)s" and "os_compute_api:servers:create": "rule:project_member_api", it is still possible to create a server even if you only have the role "member" on the project.

Is this behavior normal or not? Must we consider that we are in a phase of transition about nova default policies?

Thanks,
Jean-Francois
---- On Wed, 28 Jul 2021 10:12:33 -0500 Taltavull Jean-Francois <jean-francois.taltavull@elca.ch> wrote ----
> Hi All,
>
> Despite the fact that oslopolicy-policy-generator --namespace nova shows the rules "project_member_api": "role:member and project_id:%(project_id)s" and "os_compute_api:servers:create": "rule:project_member_api", it is still possible to create a server even if you only have the role "member" on the project.
>
> Is this behavior normal or not? Must we consider that we are in a phase of transition about nova default policies?

Yes, we still support the old policy where project members are allowed to create servers. But even with the new defaults, project members are allowed and they can create the server. That is expected behavior.

For the other defaults which added more restriction, moving from project member to admin or system admin/reader role, you can still use the old token to perform those operations, as the old defaults are still supported until we completely move to the new defaults. But you can disable the old policy enforcement via the config option 'enforce_new_defaults' and enforce the scope check via 'enforce_scope' in nova conf like below:

[oslo_policy]
enforce_scope = True
enforce_new_defaults = true

[1] https://github.com/openstack/nova/blob/97e1a6bece29e383f55bb969c69983153df9f...

-gmann

> Thanks,
> Jean-Francois
-----Original Message-----
From: Ghanshyam Mann <gmann@ghanshyammann.com>
Sent: Wednesday, 28 July 2021 18:54
To: Taltavull Jean-Francois <jean-francois.taltavull@elca.ch>
Cc: openstack-discuss@lists.openstack.org
Subject: Re: [nova][wallaby] Nova policy rule project_member_api not effective

> ---- On Wed, 28 Jul 2021 10:12:33 -0500 Taltavull Jean-Francois <jean-francois.taltavull@elca.ch> wrote ----
> > Hi All,
> >
> > Despite the fact that oslopolicy-policy-generator --namespace nova shows the rules "project_member_api": "role:member and project_id:%(project_id)s" and "os_compute_api:servers:create": "rule:project_member_api", it is still possible to create a server even if you only have the role "member" on the project.
> >
> > Is this behavior normal or not? Must we consider that we are in a phase of transition about nova default policies?
>
> Yes, we still support the old policy where project members are allowed to create servers. But even with the new defaults, project members are allowed and they can create the server. That is expected behavior.
>
> For the other defaults which added more restriction, moving from project member to admin or system admin/reader role, you can still use the old token to perform those operations, as the old defaults are still supported until we completely move to the new defaults. But you can disable the old policy enforcement via the config option 'enforce_new_defaults' and enforce the scope check via 'enforce_scope' in nova conf like below:
>
> [oslo_policy]
> enforce_scope = True
> enforce_new_defaults = true
>
> [1] https://github.com/openstack/nova/blob/97e1a6bece29e383f55bb969c69983153df9ffc7/nova/policies/servers.py#L168
>
> -gmann

I added and applied these two nova parameters but now "server create" fails on network attachment and some admin actions, like "hypervisor list", fail in 403.

-JF
---- On Fri, 30 Jul 2021 02:59:22 -0500 Taltavull Jean-Francois <jean-francois.taltavull@elca.ch> wrote ----
> -----Original Message-----
> From: Ghanshyam Mann <gmann@ghanshyammann.com>
> Sent: Wednesday, 28 July 2021 18:54
> To: Taltavull Jean-Francois <jean-francois.taltavull@elca.ch>
> Cc: openstack-discuss@lists.openstack.org
> Subject: Re: [nova][wallaby] Nova policy rule project_member_api not effective
>
> > ---- On Wed, 28 Jul 2021 10:12:33 -0500 Taltavull Jean-Francois <jean-francois.taltavull@elca.ch> wrote ----
> > > Hi All,
> > >
> > > Despite the fact that oslopolicy-policy-generator --namespace nova shows the rules "project_member_api": "role:member and project_id:%(project_id)s" and "os_compute_api:servers:create": "rule:project_member_api", it is still possible to create a server even if you only have the role "member" on the project.
> > >
> > > Is this behavior normal or not? Must we consider that we are in a phase of transition about nova default policies?
> >
> > Yes, we still support the old policy where project members are allowed to create servers. But even with the new defaults, project members are allowed and they can create the server. That is expected behavior.
> >
> > For the other defaults which added more restriction, moving from project member to admin or system admin/reader role, you can still use the old token to perform those operations, as the old defaults are still supported until we completely move to the new defaults. But you can disable the old policy enforcement via the config option 'enforce_new_defaults' and enforce the scope check via 'enforce_scope' in nova conf like below:
> >
> > [oslo_policy]
> > enforce_scope = True
> > enforce_new_defaults = true
> >
> > [1] https://github.com/openstack/nova/blob/97e1a6bece29e383f55bb969c69983153df9ffc7/nova/policies/servers.py#L168
> >
> > -gmann
>
> I added and applied these two nova parameters but now "server create" fails on network attachment and some admin actions, like "hypervisor list", fail in 403.

Are you attaching an external network? If so, then you need the project admin role [1] to create a server with an external network attached. The hypervisor list API and many others need the new system role now. By setting these two flags to true, you need to start using the 'system' scoped token, and a system reader or admin will be able to list hypervisors. You can find all the new defaults in this doc and use the token permissions accordingly - https://docs.openstack.org/nova/latest/configuration/policy.html

[1] https://github.com/openstack/nova/blob/5ddaf36f3bec6910c59e3ec59d83b4e3a8d3d...

-gmann

> -JF
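As an added example (not code from the thread, nova or oslo.policy), the following Python model shows the behaviour gmann describes: during the transition oslo.policy ORs the deprecated rule into the new one unless enforce_new_defaults is set, and enforce_scope rejects tokens whose scope does not match the rule's scope_types, which is why a project-scoped admin token gets a 403 on hypervisor list while a project member can still create servers either way. The project_member_api and servers:create rule strings are the ones quoted in the thread; the deprecated rule strings, the hypervisor rule, the scope types and the sample tokens are assumptions modelled on nova's Wallaby defaults.

```python
import re
POLICIES = {  # assumed table modelled on nova's Wallaby defaults: name -> (new, deprecated, scope_types)
    "project_member_api": ("role:member and project_id:%(project_id)s", None, None),
    "os_compute_api:servers:create": ("rule:project_member_api", "is_admin:True or project_id:%(project_id)s", ["project"]),
    "os_compute_api:os-hypervisors:list": ("role:reader and system_scope:all", "is_admin:True", ["system"]),
}

def check(expr, creds, target, cfg):  # subset of the oslo.policy grammar; 'or' binds looser than 'and'
    if " or " in expr:
        return any(check(p, creds, target, cfg) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, creds, target, cfg) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "rule":                     # RuleCheck: defer to another named rule
        return enforce(value, creds, target, cfg)
    if kind == "role":                     # RoleCheck: role carried by the token
        return value in creds.get("roles", ())
    ref = re.fullmatch(r"%\((\w+)\)s", value)
    if ref:                                # GenericCheck against the target, e.g. project_id:%(project_id)s
        return creds.get(kind) is not None and creds.get(kind) == target.get(ref.group(1))
    return str(creds.get(kind)) == value   # GenericCheck against a literal, e.g. is_admin:True

def enforce(rule, creds, target, cfg):  # cfg models the [oslo_policy] section; True means allowed
    new, deprecated, scope_types = POLICIES[rule]
    if cfg.get("enforce_scope") and scope_types:
        token_scope = "system" if creds.get("system_scope") else "project"
        if token_scope not in scope_types:  # real oslo.policy raises InvalidScope here
            return False
    if check(new, creds, target, cfg):
        return True
    # Transition period: the deprecated rule is OR-ed in until enforce_new_defaults is set.
    return bool(deprecated) and not cfg.get("enforce_new_defaults") and check(deprecated, creds, target, cfg)

MEMBER = {"roles": ["member", "reader"], "project_id": "p1"}  # constructed tokens, shaped like nova's creds dict
LEGACY_ADMIN = {"roles": ["admin", "member", "reader"], "project_id": "p1", "is_admin": True}
SYSTEM_READER = {"roles": ["reader"], "project_id": None, "system_scope": "all"}
OLD_DEFAULTS = {}                                                     # Wallaby as shipped
NEW_DEFAULTS = {"enforce_scope": True, "enforce_new_defaults": True}  # the two options gmann gives

def scenarios():
    create, hypervisors = "os_compute_api:servers:create", "os_compute_api:os-hypervisors:list"
    return {
        "member_create_old": enforce(create, MEMBER, {"project_id": "p1"}, OLD_DEFAULTS),            # True
        "member_create_new": enforce(create, MEMBER, {"project_id": "p1"}, NEW_DEFAULTS),            # True
        "member_create_other_project": enforce(create, MEMBER, {"project_id": "p2"}, OLD_DEFAULTS),  # False
        "admin_hypervisors_old": enforce(hypervisors, LEGACY_ADMIN, {}, OLD_DEFAULTS),               # True
        "admin_hypervisors_new": enforce(hypervisors, LEGACY_ADMIN, {}, NEW_DEFAULTS),               # False (JF's 403)
        "system_reader_hypervisors_new": enforce(hypervisors, SYSTEM_READER, {}, NEW_DEFAULTS),      # True
    }
```

The model covers only the check types the assumed rules use (rule, role, and generic comparisons); oslo.policy's real grammar also has parentheses, not, and plugin checks.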