[nova][ops] Problem with nova policies for resume operation

Massimo Sgaravatto massimo.sgaravatto at gmail.com
Mon Feb 7 17:06:06 UTC 2022


Thanks

Actually, in the past, support for user_id in the resume operation worked as
expected. E.g. I have a Train installation where I defined this rule in the
policy.json file:

"os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s",

and it works.

Cheers, Massimo



On Mon, Feb 7, 2022 at 5:03 PM Takashi Kajinami <tkajinam at redhat.com> wrote:

> Quickly checking the current code, it seems support for user_id was
> introduced only to the suspend API [1].
>  [1] https://review.opendev.org/c/openstack/nova/+/353344
>
> I've opened a bug for nova [2] because supporting consistent rules for
> suspend and resume makes clear sense to me.
>  [2] https://bugs.launchpad.net/nova/+bug/1960247
>
>
> On Tue, Feb 8, 2022 at 12:25 AM Massimo Sgaravatto <
> massimo.sgaravatto at gmail.com> wrote:
>
>> Dear all
>>
>> I am running a Xena installation
>>
>> I have modified the nova policy file so that certain operations can be
>> done only by the user who created the instance, or by the administrator.
>> This [*] is my policy.yaml file.
>> While the suspend operation works as intended (I can suspend only my
>> instances and I am not allowed to suspend an instance created by another
>> user), I am not able to resume an instance that I own and that I have
>> previously suspended.
>> I get this error:
>>
>> ERROR (Forbidden): Policy doesn't allow
>> os_compute_api:os-suspend-server:suspend to be performed. (HTTP 403)
>> (Request-ID: req-c57458bc-b1ea-4b40-a1d2-0f67608ef673)
>>
>> Only by removing the line:
>>
>> "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s"
>>
>> from the policy file am I able to resume the instance.
>>
>> I am not able to understand what is wrong with that policy. Any hints ?
>>
>> Thanks, Massimo
>>
>>
>> [*]
>>
>> # Pause a server
>> # POST  /servers/{server_id}/action (pause)
>> # Intended scope(s): system, project
>> "os_compute_api:os-pause-server:pause": "rule:admin_api or user_id:%(user_id)s"
>>
>> # Delete a server
>> # DELETE  /servers/{server_id}
>> # Intended scope(s): system, project
>> "os_compute_api:servers:delete": "rule:admin_api or user_id:%(user_id)s"
>>
>> # Resize a server
>> # POST  /servers/{server_id}/action (resize)
>> # Intended scope(s): system, project
>> "os_compute_api:servers:resize": "rule:admin_api or user_id:%(user_id)s"
>>
>> # Rebuild a server
>> # POST  /servers/{server_id}/action (rebuild)
>> # Intended scope(s): system, project
>> "os_compute_api:servers:rebuild": "rule:admin_api or user_id:%(user_id)s"
>>
>> # Stop a server
>> # POST  /servers/{server_id}/action (os-stop)
>> # Intended scope(s): system, project
>> "os_compute_api:servers:stop": "rule:admin_api or user_id:%(user_id)s"
>>
>> # Resume suspended server
>> # POST  /servers/{server_id}/action (resume)
>> # Intended scope(s): system, project
>> "os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s"
>>
>> # Suspend server
>> # POST  /servers/{server_id}/action (suspend)
>> # Intended scope(s): system, project
>> "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s"
>>
>
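Added example (editor's addition, not part of the thread and not nova's or oslo.policy's own code): a small Python model of how oslo.policy evaluates a rule of the form "rule:admin_api or user_id:%(user_id)s". The one behaviour it copies from oslo.policy's GenericCheck is that substituting "%(user_id)s" against a target dict that has no user_id makes that term fail rather than raise, so the whole rule then reduces to "rule:admin_api" and a non-admin owner gets a 403. The suspend_server/resume_server functions are assumed models of the two API paths (suspend handing the instance's user_id to the enforcer, resume not; this reading follows Takashi's reply and bug 1960247 but is an assumption here), the "admin_api" definition as "role:admin" is assumed, and the policy fragment, credentials and instance dicts are constructed for illustration.

```python
# Minimal model of oslo.policy rule evaluation for the checks used in the
# thread's policy.yaml: RuleCheck ("rule:<name>"), RoleCheck ("role:<name>")
# and GenericCheck ("<cred>:%(target_attr)s" or "<cred>:<literal>").
# Added example, not nova's or oslo.policy's code.

from typing import Dict, List

# Constructed policy fragment, same shape as the thread's policy.yaml.
# "admin_api" -> "role:admin" is an assumption for this example.
POLICY: Dict[str, str] = {
    "admin_api": "role:admin",
    "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s",
    "os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s",
}


def _check(term: str, creds: dict, target: dict, policy: Dict[str, str]) -> bool:
    """Evaluate one "kind:value" term."""
    kind, _, value = term.partition(":")
    if kind == "rule":                       # rule:<name> -> evaluate that rule
        return enforce(value, creds, target, policy)
    if kind == "role":                       # role:<name> -> caller holds the role
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    if value.startswith("%(") and value.endswith(")s"):
        # GenericCheck: oslo.policy does "self.match % target" and returns
        # False on KeyError, so a target without the attribute can never
        # satisfy this term, whatever the caller's credentials are.
        attr = value[2:-2]
        if attr not in target or kind not in creds:
            return False
        return str(creds[kind]) == str(target[attr])
    return str(creds.get(kind)) == value     # literal, e.g. is_admin:True


def enforce(rule_name: str, creds: dict, target: dict,
            policy: Dict[str, str] = POLICY) -> bool:
    """True if the named rule allows the call. Only "or" is supported,
    which is all the thread's policy file uses."""
    terms: List[str] = [t.strip() for t in policy[rule_name].split(" or ")]
    return any(_check(t, creds, target, policy) for t in terms)


def suspend_server(creds: dict, instance: dict) -> bool:
    """Assumed model of the suspend path: the enforcer is given the
    instance's user_id, so user_id:%(user_id)s can match the caller."""
    target = {"project_id": instance["project_id"], "user_id": instance["user_id"]}
    return enforce("os_compute_api:os-suspend-server:suspend", creds, target)


def resume_server(creds: dict, instance: dict, pass_user_id: bool) -> bool:
    """Assumed model of the resume path. pass_user_id=False: the target
    carries only project_id, so the user_id term always fails and only
    admins pass. pass_user_id=True: same target as suspend, which is the
    consistency bug 1960247 asks for."""
    target = {"project_id": instance["project_id"]}
    if pass_user_id:
        target["user_id"] = instance["user_id"]
    return enforce("os_compute_api:os-suspend-server:resume", creds, target)


if __name__ == "__main__":
    # Constructed sample data.
    instance = {"user_id": "owner", "project_id": "proj"}
    callers = {
        "owner": {"user_id": "owner", "project_id": "proj", "roles": ["member"]},
        "other": {"user_id": "someone-else", "project_id": "proj", "roles": ["member"]},
        "admin": {"user_id": "cloud-admin", "project_id": "admin", "roles": ["admin"]},
    }
    for name, creds in callers.items():
        print(f"{name:5} suspend={suspend_server(creds, instance)!s:5} "
              f"resume(no user_id)={resume_server(creds, instance, False)!s:5} "
              f"resume(user_id)={resume_server(creds, instance, True)!s:5}")
```

Running it shows the owner allowed to suspend but refused on resume when the target lacks user_id, and allowed on both once the resume check passes the same target as suspend; a non-owner is refused everywhere and an admin passes everywhere. The point for operators is that "user_id:%(user_id)s" is only as good as the target each API hands to the enforcer, so it is worth checking every rule you customise this way against the matching API, not just the one you tested.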

