yahoo-eng-team team mailing list archive

[Bug 1675486] [NEW] network:attach_external_network policy check outside nova-api

 

Public bug reported:

The "network:attach_external_network" policy is being checked in
nova-compute rather than in nova-api.

1) Only the api process should be doing policy checks.
2) Someone who wants to override policy for this would have to put a policy.json file on each host, which is certainly problematic.
3) There's talk of splitting nova-compute out of nova into its own project, which obviously shouldn't rely on nova's policy file.

This apparently came up on the mailing list [1] a while ago, but it
doesn't seem like anything has been done about it so far. Still this way
in master. See that mailing list thread for much more information and
talk of possible solutions.

johnthetubaguy also noted via irc [2] that the neutron refactor work is
heading in a direction that may fix this.

[1] https://openstack.nimeyo.com/87011/openstack-policy-check-network-attach_external_network
[2] http://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2017-03-23.log.html#t2017-03-23T16:24:39

** Affects: nova
     Importance: Low
         Status: Confirmed


** Tags: network policy

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1675486
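
An added example (not part of the bug report or nova's code) of the drift that point 2 describes: because the check runs in nova-compute, each host's local policy file decides the outcome, so this script compares the rule each compute host would enforce against the one set on the API host. The host names, the sample policy contents and the `is_admin:True` default are assumptions constructed for illustration.

```python
import json

RULE = "network:attach_external_network"
# Assumption: the in-code default for this rule; pass your release's default.
ASSUMED_DEFAULT = "is_admin:True"


def effective_rule(policy_text, rule=RULE, default=ASSUMED_DEFAULT):
    """Return the rule a service would enforce given its local policy file.

    policy_text is the file's JSON content, or None when the host has no
    policy file, in which case the in-code default applies.
    """
    if policy_text is None:
        return default
    doc = json.loads(policy_text)
    return str(doc.get(rule, default)).strip()


def find_policy_drift(api_policy, compute_policies, rule=RULE,
                      default=ASSUMED_DEFAULT):
    """Map each compute host whose enforced rule differs from the API host's
    intended rule to an (intended, enforced) pair."""
    intended = effective_rule(api_policy, rule, default)
    drift = {}
    for host, text in sorted(compute_policies.items()):
        try:
            enforced = effective_rule(text, rule, default)
        except json.JSONDecodeError:
            enforced = "<unparseable policy file>"
        if enforced != intended:
            drift[host] = (intended, enforced)
    return drift


# Constructed sample: the operator overrode the rule on the API host,
# copied the override to one compute host and missed the others.
API_POLICY = '{"network:attach_external_network": "role:net_ops"}'
COMPUTE_POLICIES = {
    "compute-01": '{"network:attach_external_network": "role:net_ops"}',
    "compute-02": None,                                        # no policy file
    "compute-03": '{"network:attach_external_network": ""}',   # empty rule always allows
    "compute-04": '{"network:attach_external_network": ',      # truncated file
}

if __name__ == "__main__":
    for host, (want, got) in find_policy_drift(API_POLICY, COMPUTE_POLICIES).items():
        print(f"{host}: intended {want!r}, enforced {got!r}")
```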
