yahoo-eng-team team mailing list archive

[Bug 1772759] Re: Horizon checks wrong policy rule for attach_volume

 

Reviewed:  https://review.openstack.org/570071
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=8e3903902d3eb6d6faca4fe2f01b1a8603d37d52
Submitter: Zuul
Branch:    master

commit 8e3903902d3eb6d6faca4fe2f01b1a8603d37d52
Author: jmoffitt <jeremy.moffitt@xxxxxxxx>
Date:   Tue May 22 15:12:38 2018 -0700

    Fix mismatched attach_volume rule
    
    The attach_volume rule on the Compute Instances and Volume pages
    does not match the rule in the nova_policy.json file, or what is
    generated from an oslo policy generation on Nova. Update the rule
    to match what is used in the default policy file, and what Nova
    uses in its unit tests.
    
    While looking at this, discovered that the detach_volume has a
    similar problem, with no rule that matches at all. It may make sense
    to have detach volume use similar permissions to attach.
    
    Change-Id: I40c709c7bb0c8538b56624dbfff1faea2eba9ee6
    Closes-bug: 1772759


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1772759

Title:
  Horizon checks wrong policy rule for attach_volume

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  The instances table in Horizon checks for policy rule
  "os_compute_api:servers:attach_volume" (see:
  https://git.openstack.org/cgit/openstack/horizon/tree/openstack_dashboard/dashboards/project/instances/tables.py#n895
  ), but this rule doesn't exist in the default policy file (
  https://git.openstack.org/cgit/openstack/horizon/tree/openstack_dashboard/conf/nova_policy.json?h=master
  ) or in Nova's own source or tests.

  Instead, the rule "os_compute_api:servers:create:attach_volume" is
  used...

  In the policy file:
  https://git.openstack.org/cgit/openstack/horizon/tree/openstack_dashboard/conf/nova_policy.json?h=master#n138

  And in Nova's unit tests:
  https://git.openstack.org/cgit/openstack/nova/tree/nova/tests/unit/api/openstack/compute/test_serversV21.py#n5414

  Generating a policy file from Nova using the oslo policy generator (
  https://docs.openstack.org/horizon/latest/contributor/topics/policy.html
  ) has the same results: the output file includes a rule of
  "os_compute_api:servers:create:attach_volume" but *NOT* of
  "os_compute_api:servers:attach_volume". The net result is that using
  the default policy file, or an unmodified generated policy file,
  results in the "attach volume" option missing from the Compute
  Instances menu.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1772759/+subscriptions
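
A check for the mismatch this bug describes, as an added example that is not part of the original message or of Horizon's code: it collects every rule name referenced in a `policy_rules` attribute and reports those the policy file does not define, with the closest defined name. The class names, the sample source, and the policy values are constructed for illustration; only the two attach_volume rule names come from the report.

```python
import ast
import difflib
import json

# Constructed sample input, not copied from Horizon's tables.py.
SAMPLE_SOURCE = '''
class AttachVolume:
    policy_rules = (("compute", "os_compute_api:servers:attach_volume"),)

class RebootInstance:
    policy_rules = (("compute", "os_compute_api:servers:reboot"),)
'''

# Constructed policy file; the rule values are placeholders.
SAMPLE_POLICY = json.dumps({
    "os_compute_api:servers:create:attach_volume": "rule:admin_or_owner",
    "os_compute_api:servers:reboot": "rule:admin_or_owner",
})


def referenced_rules(source):
    """Yield (class name, scope, rule) for each policy_rules entry."""
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        for stmt in node.body:
            if isinstance(stmt, ast.Assign) and any(
                    isinstance(t, ast.Name) and t.id == "policy_rules"
                    for t in stmt.targets):
                # policy_rules is a literal tuple of (scope, rule) pairs.
                for scope, rule in ast.literal_eval(stmt.value):
                    yield node.name, scope, rule


def undefined_rules(source, policy_json):
    """Return references whose rule name is absent from the policy file."""
    defined = sorted(json.loads(policy_json))
    findings = []
    for cls, scope, rule in referenced_rules(source):
        if rule not in defined:
            # Suggest the nearest defined rule to help spot a renamed rule.
            near = difflib.get_close_matches(rule, defined, n=1, cutoff=0.8)
            findings.append((cls, scope, rule, near[0] if near else None))
    return findings


if __name__ == "__main__":
    for cls, scope, rule, hint in undefined_rules(SAMPLE_SOURCE, SAMPLE_POLICY):
        print(f"{cls}: {scope}:{rule} not in policy file (closest: {hint})")
```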