[nova] Admin user cannot create vm with user's port?

Sean Mooney smooney at redhat.com
Thu Jun 13 10:48:32 UTC 2019


On Thu, 2019-06-13 at 21:22 +1200, Lingxian Kong wrote:
> Yeah, the API allows specifying a port. What I mean is, the VM creation will
> fail for an admin user if the port belongs to a non-admin user. An exception is
> raised from nova-compute.

I believe this is intentional.

We do not currently allow you to transfer ownership of a VM from one user or project to another,
but I also believe we currently do not allow a VM to be created from resources with different owners.

It would cause issues with quota if we did.
In this case the port would belong to the non-admin and is currently being consumed from their quota.
It would then be used by a VM created by the admin user, which could result in the admin user being over their
quota without us knowing. E.g. it would allow them to "steal" quota from the other project/user by using their
resources. Where it gets tricky is if that first user hits their quota for ports and wants to delete it.
Should we allow them to? They own the port after all, but if they delete the port it would break the admin's VM.

Mixing ownership in a single VM is pretty messy, so we don't allow that.
It's possible it is a bug, but I would be highly surprised if we ever intentionally supported this.

The only multi-tenant shared resources I'm aware of are Neutron shared networks, which have ports owned
by the individual users, not the owner of the shared network, and Manila shares, which can be shared between multiple projects.

In both cases we are not adding the shared resource directly to the VM, and I don't know of a case that does work today
that would suggest a port should work.
> 
> On Thursday, June 13, 2019, Ghanshyam Mann <gmann at ghanshyammann.com> wrote:
> 
> >  ---- On Thu, 13 Jun 2019 12:32:21 +0900 Lingxian Kong <
> > anlin.kong at gmail.com> wrote ----
> >  > Hi Nova team,
> >  > In Nova, even the admin user cannot specify a user's port to create a VM;
> > is that designed intentionally, or does it sound like a bug?
> > 
> > You can specify that in the networks object (the networks.port field) [1]. This
> > takes the port_id of an existing port.
> > 
> > [1] https://developer.openstack.org/api-ref/compute/?expanded=create-server-detail
> >  - https://opendev.org/openstack/nova/src/commit/52d8d3d7f65bed99c25f39e7e38f566346586009/nova/api/openstack/compute/schemas/servers.py
> > 
> > -gmann
> > 
> >  >
> >  > Best regards,
> >  > Lingxian Kong
> >  > Catalyst Cloud
> > 
> > 
> 
> 
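As an added example, not code from this thread, from Nova or from Neutron: a client-side pre-flight check that compares the owning project of each Neutron port with the project that will own the new server, so the ownership mismatch Sean describes is rejected before the request ever reaches nova-compute. The helper names are hypothetical, the port records are constructed sample data in the shape Neutron's port API returns (project_id, the legacy tenant_id, device_id), and the request body uses the networks[].port form of the create-server API linked above.

```python
"""Pre-flight ownership check before "create server with an existing port".

Added example, not Nova/Neutron code. Helper names are hypothetical; the
port records are constructed sample data, not real API output.
"""
from __future__ import annotations

from typing import Iterable


class OwnershipMismatch(Exception):
    """The port is owned by a different project than the one booting the server."""


# Constructed sample data (not from any real cloud).
ADMIN_PROJECT = "aaaaaaaa-0000-4000-8000-000000000001"
USER_PROJECT = "bbbbbbbb-0000-4000-8000-000000000002"

ADMIN_PORT = {
    "id": "11111111-1111-4111-8111-111111111111",
    "project_id": ADMIN_PROJECT,
    "tenant_id": ADMIN_PROJECT,
    "device_id": "",  # empty: not attached to any server yet
    "status": "DOWN",
}

USER_PORT = {
    "id": "22222222-2222-4222-8222-222222222222",
    "project_id": USER_PROJECT,
    "tenant_id": USER_PROJECT,
    "device_id": "",
    "status": "DOWN",
}


def port_owner(port: dict) -> str:
    """Return the owning project of a Neutron port.

    Neutron returns project_id and the legacy tenant_id; older payloads may
    carry only tenant_id, so fall back to it.
    """
    return port.get("project_id") or port.get("tenant_id") or ""


def check_port_usable(port: dict, requester_project_id: str) -> None:
    """Reject, at the client, the case discussed in the thread.

    A server and every port it is built from must share an owner; a port from
    another project would otherwise fail later in nova-compute. Checking here
    turns that late failure into a clear error before any quota is consumed.
    """
    owner = port_owner(port)
    if owner != requester_project_id:
        raise OwnershipMismatch(
            f"port {port['id']} belongs to project {owner}, but the server "
            f"would be owned by project {requester_project_id}"
        )
    if port.get("device_id"):
        # A port already bound to a device cannot be handed to a new server.
        raise ValueError(f"port {port['id']} is already attached to {port['device_id']}")


def boot_is_allowed(ports: list[dict], requester_project_id: str) -> bool:
    """True if every port passes check_port_usable for this requester."""
    try:
        for port in ports:
            check_port_usable(port, requester_project_id)
    except (OwnershipMismatch, ValueError):
        return False
    return True


def build_create_server_body(name: str, image_ref: str, flavor_ref: str,
                             port_ids: Iterable[str]) -> dict:
    """Build the POST /servers body using the networks[].port form."""
    return {
        "server": {
            "name": name,
            "imageRef": image_ref,
            "flavorRef": flavor_ref,
            "networks": [{"port": pid} for pid in port_ids],
        }
    }


def plan_boot(ports: list[dict], requester_project_id: str, name: str,
              image_ref: str, flavor_ref: str) -> dict:
    """Validate ownership of every port, then return the request body."""
    for port in ports:
        check_port_usable(port, requester_project_id)
    return build_create_server_body(name, image_ref, flavor_ref,
                                    [p["id"] for p in ports])


if __name__ == "__main__":
    body = plan_boot([ADMIN_PORT], ADMIN_PROJECT, "vm1", "img", "flv")
    print(body["server"]["networks"])
    try:
        plan_boot([USER_PORT], ADMIN_PROJECT, "vm2", "img", "flv")
    except OwnershipMismatch as exc:
        print("rejected:", exc)
```

The check is deliberately the same for an admin as for anyone else: being admin does not change who owns the port, which is the point of Sean's quota argument.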



