[nova][wallaby] Nova policy rule project_member_api not effective
Ghanshyam Mann
gmann at ghanshyammann.com
Wed Jul 28 16:53:35 UTC 2021
---- On Wed, 28 Jul 2021 10:12:33 -0500 Taltavull Jean-Francois <jean-francois.taltavull at elca.ch> wrote ----
> Hi All,
>
> Despite the fact that oslopolicy-policy-generator --namespace nova shows the rules "project_member_api": "role:member and project_id:%(project_id)s" and "os_compute_api:servers:create": "rule:project_member_api", it is still possible to create a server even if you only have the role "member" on the project.
>
> Is this behavior normal or not ? Must we consider that we are in a phase of transition about nova default policies ?
Yes, we still support the old policy where project member are allowed to create servers. But even with the new default also, project
member is allowed and they can create the server. That is expected behavior.
Where other defaults which added more restriction and moving from project member to admin or system admin/reader role, you
can still use the old token to perform those operation as old default are still supported until we completly move to new defaults.
But you can disable the old policy enforcement via config option 'enforce_new_defaults' and enforce the scope check via
'enforce_scope' in nova conf like below:
[oslo_policy]
enforce_scope = True
enforce_new_defaults = true
[1] https://github.com/openstack/nova/blob/97e1a6bece29e383f55bb969c69983153df9ffc7/nova/policies/servers.py#L168
-gmann
>
> Thanks,
> Jean-Francois
>
>
>
More information about the openstack-discuss
mailing list