[nova][ops] Problem with nova policies for resume operation
Sean Mooney
smooney at redhat.com
Mon Feb 7 17:23:21 UTC 2022
On Mon, 2022-02-07 at 18:06 +0100, Massimo Sgaravatto wrote:
> Thanks
>
> Actually in the past support for user_id in the resume operation worked as
> expected
> E.g. I have a train installation where I defined this rule in the
> policy.json file:
>
> "os_compute_api:os-suspend-server:suspend": "rule:admin_api or
> user_id:%(user_id)s",
>
> and it works
resume has a seperate policy
https://github.com/openstack/nova/blob/master/nova/policies/suspend_server.py#L25-L35
so you would likely have to update both.
os_compute_api:os-suspend-server:suspend only covers suppend
os_compute_api:os-suspend-server:resume applies to resume.
this was also the case in train by the way.
technially upstream does not "support" custom policy in that if you use custom policy and a feature is missing
like passing user_id to a specifc policy check its not a bug this a feature request.
however you can make the consitency arguemnt that takashi has made in https://bugs.launchpad.net/nova/+bug/1960247 to
position it as a bug.
technially the set of varible that are aviale however are not defined as part of the api so you should not assume user_id
is always avaiable.
usering custom policy shoudl also be done sparingly. for a private cloud this
is fine but it woudl be an interoperablity issue to do this in a public cloud.
server are own by projects not users so we woudl expect anyone in the porjec to be able to suspend or resume it in
a could by default.
you obviously have other requirements which is fine and why we support custom policy but this is really a feature request.
its a trivial one for the most part and we may consider trating this as a bug but i think we would have to dicuss this at
the nova team meeting before agreeing to trat this as a backportable bugfix rather then a new feature.
i have triaged the bug as whishlist for now.
>
> Cheers, Massimo
>
>
>
> On Mon, Feb 7, 2022 at 5:03 PM Takashi Kajinami <tkajinam at redhat.com> wrote:
>
> > Quickly checking the current code, it seems support for user_id was
> > introduced to only suspend api[1]
> > [1] https://review.opendev.org/c/openstack/nova/+/353344
> >
> > I've opened a bug for nova[2] because supporting consistent rules for
> > suspend and resume
> > makes clear sense to me.
> > [2] https://bugs.launchpad.net/nova/+bug/1960247
> >
> >
> > On Tue, Feb 8, 2022 at 12:25 AM Massimo Sgaravatto <
> > massimo.sgaravatto at gmail.com> wrote:
> >
> > > Dear all
> > >
> > > I am running a Xena installation
> > >
> > > I have modified the nova policy fail so that certain operations can be
> > > done only by the user who created the instance, or by the administrator
> > > This [*] is my policy.yaml file.
> > > While the suspend operation works as intended (I can suspend only my
> > > instances and I am not allowed to suspend an instance created by another
> > > user) I am not able to resume an instance that I own and that I have
> > > previously suspended.
> > > I get this error:
> > >
> > > ERROR (Forbidden): Policy doesn't allow
> > > os_compute_api:os-suspend-server:suspend to be performed. (HTTP 403)
> > > (Request-ID: req-c57458bc-b1ea-4b40-a1d2-0f67608ef673)
> > >
> > > Only removing the line:
> > >
> > > "os_compute_api:os-suspend-server:suspend": "rule:admin_api or
> > > user_id:%(user_id)s"
> > >
> > > from the policy file, I am able to resume the instance.
> > >
> > > I am not able to understand what is wrong with that policy. Any hints ?
> > >
> > > Thanks, Massimo
> > >
> > >
> > > [*]
> > >
> > > # Pause a server
> > > # POST /servers/{server_id}/action (pause)
> > > # Intended scope(s): system, project
> > > "os_compute_api:os-pause-server:pause": "rule:admin_api or
> > > user_id:%(user_id)s"
> > >
> > > # Delete a server
> > > # DELETE /servers/{server_id}
> > > # Intended scope(s): system, project
> > > "os_compute_api:servers:delete": "rule:admin_api or user_id:%(user_id)s"
> > >
> > > # Resize a server
> > > # POST /servers/{server_id}/action (resize)
> > > # Intended scope(s): system, project
> > > "os_compute_api:servers:resize": "rule:admin_api or user_id:%(user_id)s"
> > >
> > > # Rebuild a server
> > > # POST /servers/{server_id}/action (rebuild)
> > > # Intended scope(s): system, project
> > > "os_compute_api:servers:rebuild": "rule:admin_api or user_id:%(user_id)s"
> > >
> > > # Stop a server
> > > # POST /servers/{server_id}/action (os-stop)
> > > # Intended scope(s): system, project
> > > "os_compute_api:servers:stop": "rule:admin_api or user_id:%(user_id)s"
> > >
> > > # Resume suspended server
> > > # POST /servers/{server_id}/action (resume)
> > > # Intended scope(s): system, project
> > > "os_compute_api:os-suspend-server:resume": "rule:admin_api or
> > > user_id:%(user_id)s"
> > >
> > > # Suspend server
> > > # POST /servers/{server_id}/action (suspend)
> > > # Intended scope(s): system, project
> > > "os_compute_api:os-suspend-server:suspend": "rule:admin_api or
> > > user_id:%(user_id)s"
> > >
> >
More information about the openstack-discuss
mailing list