yahoo-eng-team team mailing list archive
Message #11364
[Bug 1168488] Re: host-list policy irrelevant
This is getting handled as part of the process of bubbling up all of the
policy checks to the API level - although targeted for the V3 API it
will also affect the V2 API.
https://blueprints.launchpad.net/nova/+spec/v3-api-policy
So I'm closing this bug as it will be tracked through the blueprint
instead.
** Changed in: nova
Status: Triaged => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1168488
Title:
host-list policy irrelevant
Status in OpenStack Compute (Nova):
Won't Fix
Bug description:
There are some compute REST APIs where the policy setting is
irrelevant because they require admin. host-list is an example.
To recreate, start with devstack, set up so that you're running as
demo user.
$ export OS_USERNAME=demo
$ export OS_PASSWORD=mypwd
$ export OS_TENANT_NAME=demo
$ export OS_AUTH_URL=http://localhost:5000/v2.0
$ export OS_NO_CACHE=1
# First try with the default policy:
$ grep compute_extension:hosts /etc/nova/policy.json
"compute_extension:hosts": "rule:admin_api",
$ nova host-list
ERROR: Policy doesn't allow compute_extension:hosts to be performed. (HTTP 403) (Request-ID: req-b2b9408c-4498-4994-aee7-100cf6acf571)
# Change policy so that anyone can view hosts:
$ grep compute_extension:hosts /etc/nova/policy.json
"compute_extension:hosts": "",
$ nova host-list
ERROR: User does not have admin privileges (HTTP 403) (Request-ID: req-48983c2e-784c-4bb5-82ac-6116a67f6fe1)
It was expected that, since I configured the policy so that anyone
could view hosts, a non-admin user could list hosts.
Nova should respect the policy that the admin configured and not force
its own.
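The behaviour reported above, as an added example that is not part of the original message and is not Nova's code: a simplified two-layer model in which an API-layer policy check is followed by a hardcoded admin check that never reads the policy. Only the rule name, the two rule values and the two error strings come from the bug description; every function name, the sample host names and the hardcoded_check switch (which models the state after the checks are moved up to the API level) are assumptions.

```python
# Simplified model, not Nova's code. All names here are illustrative assumptions.

class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""

def enforce(policy, action, is_admin):
    """API-layer check: "" allows anyone, "rule:admin_api" requires admin."""
    rule = policy[action]
    if rule == "rule:admin_api" and not is_admin:
        raise Forbidden(f"Policy doesn't allow {action} to be performed.")

def require_admin(is_admin):
    """Hardcoded check below the API layer; it never consults the policy."""
    if not is_admin:
        raise Forbidden("User does not have admin privileges")

def host_list(policy, is_admin, hardcoded_check=True):
    """Model of the host-list call: policy first, then the lower layer."""
    enforce(policy, "compute_extension:hosts", is_admin)
    if hardcoded_check:
        require_admin(is_admin)
    return ["host-a", "host-b"]  # constructed sample data

def outcome(policy, is_admin, hardcoded_check=True):
    """Return "allowed" or the 403 message the caller would see."""
    try:
        host_list(policy, is_admin, hardcoded_check)
        return "allowed"
    except Forbidden as exc:
        return str(exc)

def policy_is_irrelevant(hardcoded_check):
    """True when relaxing the rule changes nothing for a non-admin user."""
    strict = {"compute_extension:hosts": "rule:admin_api"}
    relaxed = {"compute_extension:hosts": ""}
    denied_strict = outcome(strict, False, hardcoded_check) != "allowed"
    denied_relaxed = outcome(relaxed, False, hardcoded_check) != "allowed"
    return denied_strict and denied_relaxed
```

A check shaped like policy_is_irrelevant, run as a regression test against each policy-controlled action, flags rules whose configured value cannot take effect.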