[nova][dev][ops] can we get rid of 'project_only' in the DB layer?
melanie witt
melwittt at gmail.com
Thu Feb 14 17:19:03 UTC 2019
Hey all,
Recently, we had a customer try the following command as a non-admin
with a policy role granted in policy.json to allow live migrate:
"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api or
role:Operator"
The scenario is that they have a server in project A and a user in
project B with role:Operator and the user makes a call to live migrate
the server.
But when they call the API, they get the following error response:
{"itemNotFound": {"message": "Instance <uuid server 1> could not be
found.", "code": 404}}
A superficial look through the code shows that the live migrate should
work, because we have appropriate policy checks in the API, and the
request makes it past those checks because the policy.json has been set
correctly.
A common pattern in our APIs is that we first compute_api.get() the
instance object and then we call the server action (live migrate, stop,
start, etc) with it after we retrieve it. In this scenario, the
compute_api.get() fails with NotFound.
And the reason it fails with NotFound is because, much lower level, at
the DB layer, we have a keyword arg called 'project_only' which, when
True, will scope a database query to the RequestContext.project_id only.
We have hard-coded 'project_only=True' for the instance get query.
So, when the user in project B with role:Operator tries to retrieve the
instance record in project A, with appropriate policy rules set, it will
fail because 'project_only=True' and the request context is project B,
while the instance is in project A.
My question is: can we get rid of the hard-coded 'project_only=True' at
the database layer? This seems like something that should be enforced at
the API layer and not at the database layer. It reminded me of an effort
we had a few years ago where we removed other hard-coded policy
enforcement from the database layer [1][2]. I've uploaded a WIP patch to
demonstrate the proposed change [3].
Can anyone think of any potential problems with doing this? I'd like to
be able to remove it so that operators are able use policy to allow
non-admin users with appropriately configured roles to run server actions.
Cheers,
-melanie
[1] https://blueprints.launchpad.net/nova/+spec/nova-api-policy-final-part
[2]
https://review.openstack.org/#/q/topic:bp/nova-api-policy-final-part+(status:open+OR+status:merged)
[3] https://review.openstack.org/637010
More information about the openstack-discuss
mailing list