[nova] Admin user cannot create vm with user's port?
Hi Nova team,

In Nova, even the admin user cannot specify a user's port to create a VM. Is that designed intentionally, or does it sound like a bug?

Best regards,
Lingxian Kong
Catalyst Cloud
---- On Thu, 13 Jun 2019 12:32:21 +0900 Lingxian Kong <anlin.kong@gmail.com> wrote ----
Hi Nova team, in Nova, even the admin user cannot specify a user's port to create a VM. Is that designed intentionally, or does it sound like a bug?
You can specify that in the networks object (networks.port field) [1]. This takes the port_id of an existing port.

[1] https://developer.openstack.org/api-ref/compute/?expanded=create-server-detail
- https://opendev.org/openstack/nova/src/commit/52d8d3d7f65bed99c25f39e7e38f566346586009/nova/api/openstack/compute/schemas/servers.py

-gmann
Yeah, the API allows specifying a port. What I mean is, the VM creation will fail for the admin user if the port belongs to a non-admin user. An exception is raised from nova-compute.

On Thursday, 13 June 2019, Ghanshyam Mann <gmann@ghanshyammann.com> wrote:
You can specify that in the networks object (networks.port field) [1]. This takes the port_id of an existing port.
[1] https://developer.openstack.org/api-ref/compute/?expanded=create-server-detail
- https://opendev.org/openstack/nova/src/commit/52d8d3d7f65bed99c25f39e7e38f566346586009/nova/api/openstack/compute/schemas/servers.py
-gmann
--
Best regards,
Lingxian Kong
Catalyst Cloud
On Thu, 2019-06-13 at 21:22 +1200, Lingxian Kong wrote:
Yeah, the API allows specifying a port. What I mean is, the VM creation will fail for the admin user if the port belongs to a non-admin user. An exception is raised from nova-compute.
I believe this is intentional. We do not currently allow you to transfer ownership of a VM from one user or project to another, but I also believe we currently do not allow a VM to be created from resources with different owners; it would cause issues with quota if we did. In this case the port would belong to the non-admin and is currently being consumed from their quota. It would then be used by a VM created by the admin user, which could result in the admin user being over their quota without us knowing, e.g. it would allow them to "steal" quota from the other project/user by using their resources.

Where it gets tricky is if that first user hits their quota for ports and wants to delete it. Should we allow them to? They own the port after all, but if they delete the port it would break the admin's VM. Mixing ownership in a single VM is pretty messy, so we don't allow that.

It's possible it is a bug, but I would be highly surprised if we ever intentionally supported this. The only multi-tenant shared resources I'm aware of are Neutron shared networks, which have ports owned by the individual users, not the owner of the shared network, and Manila shares, which can be shared between multiple projects. In both cases we are not adding the shared resource directly to the VM, and I don't know of a case that does work today that would suggest a port should work.
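The ownership rule Sean describes above, as an added example that is not Nova's own code: a request-time check over a constructed port table that rejects a boot mixing port ownership and VM ownership before the request ever reaches nova-compute, which is the layer Lingxian argues should not be the one to fail. Port, BootRequest, validate_ports and the PORTS table are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    id: str
    project_id: str  # the project whose port quota this port is charged to

@dataclass
class BootRequest:
    requester_project: str
    # entries as in the Nova API networks object: {"port": id} or {"uuid": net_id}
    networks: list = field(default_factory=list)

# Constructed sample catalog standing in for a Neutron port lookup.
PORTS = {
    "p-user": Port("p-user", project_id="user-proj"),
    "p-admin": Port("p-admin", project_id="admin-proj"),
}

def validate_ports(req, ports=PORTS):
    """Return rejection reasons for a boot request; an empty list means it may proceed.

    The rule is applied regardless of whether the requester is an admin: what
    matters is whose quota the port is consumed from versus who will own the VM.
    """
    errors = []
    for entry in req.networks:
        port_id = entry.get("port")
        if port_id is None:
            continue  # a network uuid entry creates a new port in the requester's project
        port = ports.get(port_id)
        if port is None:
            errors.append(f"{port_id}: port not found")
        elif port.project_id != req.requester_project:
            # The port's quota is charged to its owner, so a VM in another
            # project would consume that owner's quota and could be broken
            # if the owner later deletes the port.
            errors.append(f"{port_id}: owned by {port.project_id}, "
                          f"VM would be owned by {req.requester_project}")
    return errors
```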
On Thu, Jun 13, 2019 at 10:48 PM Sean Mooney <smooney@redhat.com> wrote:
I believe this is intentional.
We do not currently allow you to transfer ownership of a VM from one user or project to another, but I also believe we currently do not allow a VM to be created from resources with different owners
That's not true. As the admin user, you are allowed to create a VM using a non-admin's network, security group, image, volume, etc., but just not a port. There is a use case for the admin user to create VMs using a non-admin's resources for debugging or other purposes. What's more, the exception is raised in nova-compute, not nova-api, so I assume it should be supported if it's allowed in the API layer.

Best regards,
Lingxian Kong
Catalyst Cloud
Another use case comes from services (e.g. Trove) which will create VMs in the service tenant but using the resources (e.g. network or port) given by the non-admin user.

Best regards,
Lingxian Kong
Catalyst Cloud

On Fri, Jun 14, 2019 at 10:55 AM Lingxian Kong <anlin.kong@gmail.com> wrote:
There is a use case for the admin user to create VMs using a non-admin's resources for debugging or other purposes.
Does anyone else from the Nova team know the reason?

Best regards,
Lingxian Kong
Catalyst Cloud

On Fri, Jun 14, 2019 at 10:57 AM Lingxian Kong <anlin.kong@gmail.com> wrote:
Another use case comes from services (e.g. Trove) which will create VMs in the service tenant but using the resources (e.g. network or port) given by the non-admin user.
participants (3)
- Ghanshyam Mann
- Lingxian Kong
- Sean Mooney