
yahoo-eng-team team mailing list archive

[Bug 1607602] [NEW] policy.json ignored for most instance actions


Public bug reported:

I'm trying to allow a certain role to do certain things to any project's
instances through policy.json and it isn't working as expected.

I've set the following policies to allow my role to do a "nova show", but
with no luck; the same is true for any other instance action like start,
reboot etc.


"compute:get": "rule:default_or_monitoring",
"compute:get_all": "rule:default_or_monitoring",
"compute:get_all_tenants": "rule:admin_or_monitoring",
"os_compute_api:servers:detail:get_all_tenants": "rule:admin_or_monitoring",
"os_compute_api:servers:index:get_all_tenants": "rule:admin_or_monitoring",
"os_compute_api:servers:detail": "rule:default_or_monitoring",
"os_compute_api:servers:index": "rule:default_or_monitoring",
"os_compute_api:servers:show": "rule:default_or_monitoring",

Upon looking in the code I see that in the DB layer the instance_get
function is hard coded to filter by project if the context isn't admin
see: HEAD (as of writing)

https://github.com/openstack/nova/blob/d0905df10a48212950c0854597a2df923e6ddd0c/nova/db/sqlalchemy/api.py#L1885

If I remove this project=True flag then everything works as expected.

The Nova API otherwise just returns a 404.

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1607602
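An added illustration of the two layers the report describes, written for this archive page and not taken from Nova's code: a policy-style rule check that policy.json configures, followed by a DB-layer lookup that scopes by project unless the context is admin. The rule definitions, the in-memory instance table and the names policy_allows, instance_get and server_show are constructed assumptions, not Nova identifiers.

```python
# Simplified model (not Nova code) of why a policy.json grant alone does not
# give a role cross-project access: the DB layer filters by project before
# the row is ever returned, so the API sees "no such instance" (404).
from dataclasses import dataclass, field


@dataclass
class Context:
    user_id: str
    project_id: str
    roles: set = field(default_factory=set)
    is_admin: bool = False


# Constructed in-memory table: instance uuid -> owning project.
INSTANCES = {
    "inst-a": {"project_id": "proj-1"},
    "inst-b": {"project_id": "proj-2"},
}

# Constructed rules mirroring the shape of the report's policy entries.
# Strings of the form "rule:<name>" are indirections, callables are leaves.
POLICY = {
    "default_or_monitoring": lambda ctx, target: (
        ctx.is_admin or "monitoring" in ctx.roles
        or target["project_id"] == ctx.project_id),
    "os_compute_api:servers:show": "rule:default_or_monitoring",
}


def policy_allows(rule_name, ctx, target):
    """Resolve rule indirections and evaluate the leaf against the context."""
    rule = POLICY[rule_name]
    while isinstance(rule, str) and rule.startswith("rule:"):
        rule = POLICY[rule[len("rule:"):]]
    return rule(ctx, target)


def instance_get(ctx, uuid, project_only=True):
    """DB-layer model: with project_only set and a non-admin context, rows from
    other projects are filtered out and look nonexistent (returns None)."""
    row = INSTANCES.get(uuid)
    if row is None:
        return None
    if project_only and not ctx.is_admin and row["project_id"] != ctx.project_id:
        return None
    return row


def server_show(ctx, uuid, project_only=True):
    """API-layer model: policy check first, then DB lookup.
    Returns 'ok', '403' (policy denied) or '404' (row filtered or absent)."""
    if not policy_allows("os_compute_api:servers:show", ctx, {"project_id": ctx.project_id}):
        return "403"
    return "ok" if instance_get(ctx, uuid, project_only) else "404"
```

With the monitoring role in proj-1 asking for inst-b, the policy layer passes but the lookup still yields a 404; only an admin context (or dropping the project filter, as the reporter tried) returns the row, which is the defense-in-depth behaviour the report is describing.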

