yahoo-eng-team team mailing list archive
Message #32201
[Bug 1447084] [NEW] view hypervisor details should be controlled by policy.json
Public bug reported:
When a user with non-admin permissions attempts to view the hypervisor
details (/v2/2f8728e1c3214d8bb59903ba654ed6c1/os-hypervisors/1), we see
the following error:
2015-04-19 21:34:22.194 23179 ERROR nova.api.openstack.compute.contrib.hypervisors [req-5caab0db-31aa-4a24-9263-750af6555ef5 605c378ebded02d6a2deebe138c0ef9d6a0ddf39447297105dcc4eb18c7cc062 9b0d73e660af434481a0a9b6d6a3bab7 - - -] User does not have admin privileges
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors Traceback (most recent call last):
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/api/openstack/compute/contrib/hypervisors.py", line 147, in show
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors service = self.host_api.service_get_by_compute_host(context, hyp.host)
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/compute/api.py", line 3451, in service_get_by_compute_host
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors return objects.Service.get_by_compute_host(context, host_name)
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/objects/base.py", line 163, in wrapper
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors result = fn(cls, context, *args, **kwargs)
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/objects/service.py", line 151, in get_by_compute_host
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors db_service = db.service_get_by_compute_host(context, host)
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/db/api.py", line 139, in service_get_by_compute_host
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors use_slave=use_slave)
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/db/sqlalchemy/api.py", line 214, in wrapper
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors nova.context.require_admin_context(args[0])
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/context.py", line 235, in require_admin_context
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors raise exception.AdminRequired()
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors AdminRequired: User does not have admin privileges
This is caused because the /usr/lib/python2.7/site-packages/nova/db/sqlalchemy/api layer mandates that only an admin can perform this operation. This should not be the case. Instead, the permissions should be controlled as per the rules defined in the nova policy.json. This used to work for non-admins until a few days/weeks back.
** Affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1447084
Title:
view hypervisor details should be controlled by policy.json
Status in OpenStack Compute (Nova):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1447084/+subscriptions
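An added illustration of the layering problem the report describes (not nova's code and not part of the original message): a policy rule grants a non-admin role access at the API layer, but a hard-coded admin check in the DB layer still rejects the call. The names `require_admin_context`, `service_get_by_compute_host` and `AdminRequired` come from the traceback; `Context`, `POLICY`, `enforce`, the rule name `os-hypervisors:show` and the `observer` role are simplified assumptions.

```python
import functools

class AdminRequired(Exception):
    """Raised by the hard-coded DB-layer check."""

class PolicyNotAuthorized(Exception):
    """Raised when no policy rule grants the action."""

class Context:
    def __init__(self, roles, is_admin=False):
        self.roles, self.is_admin = set(roles), is_admin

    def elevated(self):
        # Admin copy of the context, used only for internal lookups
        # after the caller has already passed the policy check.
        return Context(self.roles, is_admin=True)

# Constructed policy (assumed rule name): the operator lets "observer" read details.
POLICY = {"os-hypervisors:show": {"admin", "observer"}}

def enforce(context, action):
    """API-layer check driven entirely by the configurable policy."""
    if not (context.roles & POLICY.get(action, set())):
        raise PolicyNotAuthorized(action)

def require_admin_context(fn):
    @functools.wraps(fn)
    def wrapper(context, *args, **kwargs):
        if not context.is_admin:  # ignores POLICY completely
            raise AdminRequired("User does not have admin privileges")
        return fn(context, *args, **kwargs)
    return wrapper

@require_admin_context
def service_get_by_compute_host(context, host):
    return {"host": host, "binary": "nova-compute"}  # constructed record

def show_hardcoded(context, host):
    # Reported behaviour: policy allows the caller, the DB layer overrides it.
    enforce(context, "os-hypervisors:show")
    return service_get_by_compute_host(context, host)

def show_policy_driven(context, host):
    # Policy is the single decision point; the internal lookup runs elevated.
    enforce(context, "os-hypervisors:show")
    return service_get_by_compute_host(context.elevated(), host)
```

With the elevated variant, a role that the policy does not list is still rejected at the API layer, so the operator's policy file remains the only place where access is decided.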