
yahoo-eng-team team mailing list archive

[Bug 1850280] Re: rejecting move operations with qos ports does not work if the operation is called with non admin user

 

Reviewed:  https://review.opendev.org/691900
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=899976960503524b8e5c6588e339742ca4bf8158
Submitter: Zuul
Branch:    master

commit 899976960503524b8e5c6588e339742ca4bf8158
Author: Balazs Gibizer <balazs.gibizer@xxxxxxxx>
Date:   Tue Oct 29 16:43:04 2019 +0100

    Use admin neutron client to see if instance has qos ports
    
    The nova-api checks at each move* operation if the instance has qos port
    attached as not all the move operations are supported for such servers.
    Nova uses the request context to initialize the neutron client for the
    port query. However neutron does not return the value of the
    resource_request of the port if it is queried with a non admin client.
    This causes that if the move operation is initiated by a non admin
    then nova thinks that the ports do not have resource request.
    
    This patch creates an admin context for this neutron query.
    
    The new functional tests are not added before this patch in a regression
    test like way as existing functional tests are reused with different
    setup and doing that without the fix causes a lot of different failure
    scenarios.
    
    Note that the neutron fixture is changed to simulate the different
    behavior in case different request contexts are used to initialize the
    client.
    
    *: Note that Id5f2f4f22b856c989e2eef8ed56b9829d1bcefb6 removed the check
       for evacuate in Ussuri but it exists in Train and Stein.
    
    Change-Id: I3cf6eb4654663865d9258c38f05cd05974ffcf9d
    Closes-Bug: #1850280


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1850280

Title:
  rejecting move operations with qos ports does not work if the
  operation is called with non admin user

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) stein series:
  Triaged
Status in OpenStack Compute (nova) train series:
  Triaged

Bug description:
  At the start of the move operation the nova-api checks that the server
  has ports with resource request as some of the move operations are not
  supported for such servers yet. Unfortunately if the move operation is
  called by a non-admin user (either it is a resize, or another move
  operation with explicit policy change) then nova uses the non-admin
  token to query neutron. If the neutron port is queried with a non
  admin token then neutron does not return the resource_request to nova
  in the port response. Therefore nova thinks that the port has no
  resource request and allows the operation.

  Reproduce in Ussuri
  ===================

  * Boot a server with qos port.
  * Change the nova policy to allow evacuate to be called by the owner of the server: "os_compute_api:os-evacuate": "rule:admin_or_owner"
  * stop the nova-compute service on the host where the server is currently running and wait until the controller decides that the compute is done
  * with the non-admin owner initiate the evacuate of the server

  Expected:
  * evacuate rejected

  Actual:
  * evacuate accepted (and later fail due to missing implementation)

  Triage
  ======

  Due to [1] not using an admin client nova does not get the resource
  requests of the attached ports.

  Affected versions and operations
  ================================
  The resize, migrate, live migrate, evacuate, unshelve operations are affected on master, Train, Stein.

  [1]
  https://github.com/openstack/nova/blob/9742a64403c0a0ae5e0b37df5b0bf3ba14ac4626/nova/api/openstack/common.py#L576

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1850280/+subscriptions
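
A small Python model of the fail-open check described in this report and of the admin-context fix, added here as an illustration; it is not nova or neutron code. `Context`, `FakeNeutron`, `has_qos_port` and the `check_move_*` functions are hypothetical names, and the port data is constructed.

```python
from dataclasses import dataclass

# Constructed sample data: one port on "server-1" with a QoS resource request.
PORTS = [{
    "id": "port-1",
    "device_id": "server-1",
    "resource_request": {"resources": {"NET_BW_EGR_KILOBIT_PER_SEC": 1000}},
}]

@dataclass(frozen=True)
class Context:
    """Hypothetical stand-in for a request context."""
    user: str
    is_admin: bool = False

class FakeNeutron:
    """Models the behaviour in the report: resource_request is returned
    only to a client that was initialised with an admin context."""

    def __init__(self, context, ports=PORTS):
        self._context = context
        self._ports = ports

    def list_ports(self, device_id):
        views = []
        for port in self._ports:
            if port["device_id"] != device_id:
                continue
            view = dict(port)
            if not self._context.is_admin:
                view.pop("resource_request", None)  # hidden from non-admins
            views.append(view)
        return views

def has_qos_port(context, server_id):
    ports = FakeNeutron(context).list_ports(server_id)
    return any(p.get("resource_request") for p in ports)

def check_move_before_fix(request_context, server_id):
    # Fails open: the lookup inherits the caller's privileges.
    return "rejected" if has_qos_port(request_context, server_id) else "accepted"

def check_move_after_fix(request_context, server_id):
    # The caller is still authorised by policy elsewhere; only this internal
    # lookup runs with an admin context so the field is visible.
    admin = Context(user="service", is_admin=True)
    return "rejected" if has_qos_port(admin, server_id) else "accepted"
```

With the owner's non-admin context the pre-fix check accepts the move because the filtered port looks like a port without a resource request; a missing field and a hidden field are indistinguishable to the caller.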

