yahoo-eng-team team mailing list archive
Message #80519
[Bug 1850280] [NEW] rejecting move operations with qos ports does not work if the operation is called with non admin user
Public bug reported:
At the start of the move operation the nova-api checks that the server
has ports with resource request as some of the move operations are not
supported for such servers yet. Unfortunately if the move operation is
called by a non-admin user (either it is a resize, or another move
operation with explicit policy change) then nova uses the non-admin
token to query neutron. If the neutron port is queried with a non-admin
token then neutron does not return the resource_request to nova in the
port response. Therefore nova thinks that the port has no resource
request and allows the operation.
Reproduce in Ussuri
===================
* Boot a server with qos port.
* Change the nova policy to allow evacuate to be called by the owner of the server "os_compute_api:os-evacuate": "rule:admin_or_owner"
* Stop the nova-compute service on the host where the server is currently running and wait until the controller decides that the compute is down
* With the non-admin owner initiate the evacuate of the server
Expected:
* evacuate rejected
Actual:
* evacuate accepted (and later fails due to missing implementation)
Triage
======
Due to [1] not using an admin client nova does not get the resource
requests of the attached ports.
Affected versions and operations
================================
* Ussuri: evacuate, live migrate, unshelve
* Train: evacuate, live migrate, unshelve (resize and cold migrate are supported so the faulty check is not there any more)
* Stein: resize, migrate, evacuate, live migrate, unshelve
* Rocky or older: Not applicable as booting server with qos ports is implemented in Stein.
[1] https://github.com/openstack/nova/blob/9742a64403c0a0ae5e0b37df5b0bf3ba14ac4626/nova/api/openstack/common.py#L576
** Affects: nova
Importance: Medium
Assignee: Balazs Gibizer (balazs-gibizer)
Status: Triaged
** Tags: neutron
** Changed in: nova
Assignee: (unassigned) => Balazs Gibizer (balazs-gibizer)
** Changed in: nova
Status: New => Triaged
** Changed in: nova
Importance: Undecided => Medium
** Tags added: neutron
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1850280
Title:
rejecting move operations with qos ports does not work if the
operation is called with non admin user
Status in OpenStack Compute (nova):
Triaged
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1850280/+subscriptions
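
The fail-open check described in the bug report, modelled as an added example that is not part of the original message and is not nova or neutron code. All function and class names are hypothetical, the port data is constructed, and the admin-only handling of `resource_request` is modelled as a simple field filter.

```python
from dataclasses import dataclass

# Constructed sample: one port bound to a server, carrying a QoS resource request.
PORTS = [{
    "id": "port-1",
    "device_id": "server-1",
    "resource_request": {"resources": {"NET_BW_EGR_KILOBIT_PER_SEC": 1000}},
}]

# Assumption: models the report's statement that neutron omits this field
# from the port response when the query uses a non-admin token.
ADMIN_ONLY_FIELDS = {"resource_request"}


@dataclass(frozen=True)
class Token:
    user: str
    is_admin: bool


def list_ports(token, device_id):
    """Model of the port query: admin-only fields are silently dropped, not refused."""
    result = []
    for port in PORTS:
        if port["device_id"] != device_id:
            continue
        result.append({k: v for k, v in port.items()
                       if token.is_admin or k not in ADMIN_ONLY_FIELDS})
    return result


def has_qos_port(token, device_id):
    """Pre-move check: does any attached port have a non-empty resource_request?"""
    return any(p.get("resource_request") for p in list_ports(token, device_id))


def move_allowed_buggy(user_token, device_id):
    # Looks up ports with the caller's token: the field is absent for a
    # non-admin caller, so "no resource request" is inferred and the move passes.
    return not has_qos_port(user_token, device_id)


def move_allowed_fixed(user_token, device_id):
    # The caller is still authorized by API policy elsewhere; only the port
    # lookup switches to the service's admin credentials so the field is visible.
    service_token = Token(user="nova-service", is_admin=True)
    return not has_qos_port(service_token, device_id)
```

A missing field and an empty field are indistinguishable to the check, which is why the lookup that feeds a reject decision has to run with credentials that are guaranteed to see the field.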