[Openstack] [nova-network] add-network-to-project

Ajiva Fan aji.zqfan at gmail.com
Fri Mar 29 09:21:48 UTC 2013


thanks for the "admin" clarify : )

here is more information about other extensions avoid the problem:
i read the policy.json file, find some other extension meet the same
problem and watch how they impl
for example. the quota api just shows like this

GET v2/{tenant_id}/os-quota-sets/{tenant_id} Show quotas for tenant
POST v2/{tenant_id}/os-quota-sets/{tenant_id} Update quotas for tenant.

so the quota meet the same problem and just add the target tenant id to the
url,
and its update function takes the id from the result of routes.mapper point
to the secondary tenant_id

since some extension even don't care which tenant is operate on,
they just need to know if the token in the header is a admin token, for
example:

"compute_extension:server_diagnostics": [["rule:admin_api"]]

GET v2/{tenant_id}/servers/{server_id}/diagnostics Retrieves basic usage
data for a given server.
from the source code, it doesn't check the tenant id at all. it just invoke
authorize(context) to check if it is admin.

But i do know for some case tenant_id is necessary for policy/security
check or as a param
and for the consistency, the extension should act the same way.
and since the APIRouter use ProjectMapper as the mapper and routes the
request,
so it seems the redundent tenant_id cannot be avoid.


On Thu, Mar 28, 2013 at 11:12 PM, Vishvananda Ishaya
<vishvananda at gmail.com>wrote:

> I just looked at the code and it appears this is not possible through the
> os_networks extension. This appears to be an oversight. It should probably
> allow a project to be passed in.
>
> Bug report here: https://bugs.launchpad.net/nova/+bug/1161441
>
> That said, the first time a user boots an instance, he automatically gets
> assigned a network, so in many cases it isn't needed.
>
> Another option would be to modify the code you mentioned to allow a
> workaround:
>
> if (context and not context.is_admin and project_id and (project_id !=
> context.project_id)):
>
> Vish
>
> On Mar 28, 2013, at 1:46 AM, Ajiva Fan <aji.zqfan at gmail.com> wrote:
>
> hello everyone:
>
> i have a very simple question which confuses me for a long time:
> how should i add a network to a project via rest api?
>
> 1) i'm admin of the whole cloud env essex, (i think the folsom is same in
> this case)
> 2) using nova-network:vlan (if using flatdhcp, the associate action is
> meanless)
> 3) a user project "user-project" is created, and the admin:admin is not
> that project's admin (and even not a member of it)
> 4) a network "user-network" is created, but not associated with
> "user-project"
> 5) how to associate the "user-network" with "user-project" ?
>
> i know i can use "nova-manage" via nova-client in the control node,
> but what i need to know is how to do this operation via rest api, like
> curl or in horizon?
>
> the rest api is: http://api.openstack.org/api-ref.html
> POST
> v2/{tenant_id}/os-networks/add
> with a body identifier the network's id
>
> the problem is that, even i have admin:admin token, i *cannot* associate
> the "user-network" with "user-project",
> because from the source code of folsom(and essex) nova, in the
> nova.api.openstack.wsgi.py of line 931, i find this:
>
>         project_id = action_args.pop("project_id", None)
>         context = request.environ.get('nova.context')
>         if (context and project_id and (project_id != context.project_id
> )):
>             msg = _("Malformed request url")
>             return Fault(webob.exc.HTTPBadRequest(explanation=msg))
>
> since nova.context.project_id is the project admin_id, and the project_id
> is extract from the url,
> so the webob.exc is returned.
>
> please help me, i read a lot, (both document and source code, i just
> cannot understand or just miss something important)
> but still don't know how to do it.
>
> ps: i have sent a mail to openstack-dev on mar 8, but no one reply me. is
> my question nonsense?
> Note this mail is not the exactly same as previous one since i've more
> knowledge of it but the main problem is same
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130329/61fcfc25/attachment.html>


More information about the Openstack mailing list