
yahoo-eng-team team mailing list archive

[Bug 1890019] Re: Cannot create vm with non admin account

 

After further debugging, I found that the issue has already been fixed and is tracked in the issue below:
https://bugs.launchpad.net/nova/+bug/1869543

My issue is due to the policy in openstack-helm not being updated, which leads to this issue.
So it should be fixed in openstack-helm.

** Changed in: nova
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1890019

Title:
  Cannot create vm with non admin account

Status in OpenStack Compute (nova):
  Invalid

Bug description:
  Description
  ===========
  After switching to the U version of openstack, a VM cannot be created with a non-admin account. This is because a non-admin user cannot retrieve compute node limits info, so no cpu/mem/storage is available, and a VM cannot be created in horizon. The available zone also cannot be retrieved, with similar code logic to that shared below.
  Here is the original issue reported in StarlingX project:
  https://bugs.launchpad.net/starlingx/+bug/1887589

  Steps to reproduce
  ==================
  1. Create a non-admin user in horizon. Select "member" or other (except "admin") in the Role.
  2. Log in again using the non-admin user.
  3. There is an error message in the "Compute->Overview" page:
      "Error: Unable to retrieve compute limit information."
      "Error: Unable to retrieve limits information."
  4. Click "Instances", then click "Launch Instance"; you will find you cannot launch a VM due to lack of resources.

  After some investigation, it seems to be related to the patch below: d1084c5f868c7ccce796466626205eb82f893d6f
  limits in nova policy is configured as
  "os_compute_api:limits: rule:admin_or_owner"
  Before this patch, because target is None, the default target is used in the authorize function in nova/policy.py.
  "
      # Legacy fallback for emtpy target from context.can()
      # should be removed once we improve testing and scope checks
      if target is None:
          target = default_target(context)
  "
  After the patch, target is {}, not None, and this leads to a policy match failure, because the non-admin user is neither admin nor owner.
  Here is the log from nova-api-osapi:
  Success case for previous openstack:
  {"log":"2020-08-02 00:48:20.894 1 DEBUG oslo_policy.policy [req-fcfc444d-1454-4e56-873e-2cfec149bf1d 77f6b1268a8b43f6b15440614bf77b44 6cbf111887ab4574838dd4cdb2b95691 - default default] enforce: rule=\"os_compute_api:limits\" creds={\"domain_id\": null, \"is_admin\": false, \"is_admin_project\": true, \"project_domain_id\": \"default\", \"project_id\": \"6cbf111887ab4574838dd4cdb2b95691\", \"roles\": [\"reader\", \"member\"], \"service_project_domain_id\": null, \"service_project_id\": null, \"service_roles\": [], \"service_user_domain_id\": null, \"service_user_id\": null, \"system_scope\": null, \"user_domain_id\": \"default\", \"user_id\": \"77f6b1268a8b43f6b15440614bf77b44\"} target={\"project_id\": \"6cbf111887ab4574838dd4cdb2b95691\", \"user_id\": \"77f6b1268a8b43f6b15440614bf77b44\"} enforce /var/lib/openstack/lib/python2.7/site-packages/oslo_policy/policy.py:908\n","stream":"stdout","time":"2020-08-02T00:48:20.895140599Z"}

  Current failure case:
  2020-07-31T07:34:18.106855226Z stdout F 2020-07-31 07:34:18.044 1 DEBUG oslo_policy.policy [req-e136f651-1cc5-48db-9301-a677e02cef8a 16b374ccb9ff413188c027e15698cde1 1f6c6e928fa6499eaad4b32338c48feb - default default] enforce: rule="os_compute_api:limits" creds={"domain_id": null, "is_admin": false, "is_admin_project": true, "project_domain_id": "default", "project_id": "1f6c6e928fa6499eaad4b32338c48feb", "roles": ["reader", "member"], "service_project_domain_id": null, "service_project_id": null, "service_roles": [], "service_user_domain_id": null, "service_user_id": null, "system_scope": null, "user_domain_id": "default", "user_id": "16b374ccb9ff413188c027e15698cde1"} target={} enforce /var/lib/openstack/lib/python3.6/site-packages/oslo_policy/policy.py:951
  2020-07-31T07:34:18.106871012Z stdout F 2020-07-31 07:34:18.045 1 DEBUG nova.policy [req-e136f651-1cc5-48db-9301-a677e02cef8a 16b374ccb9ff413188c027e15698cde1 1f6c6e928fa6499eaad4b32338c48feb - default default] Policy check for os_compute_api:limits failed with credentials {'is_admin': False, 'user_id': '16b374ccb9ff413188c027e15698cde1', 'user_domain_id': 'default', 'system_scope': None, 'domain_id': None, 'project_id': '1f6c6e928fa6499eaad4b32338c48feb', 'project_domain_id': 'default', 'roles': ['reader', 'member'], 'is_admin_project': True, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []} authorize /var/lib/openstack/lib/python3.6/site-packages/nova/policy.py:193


  
  Expected result
  ===============
  No error message, and user should be able to create vm.

  Actual result
  =============
  Error message, and user cannot create vm.

  Environment
  ===========
  Ussuri openstack in containerized environment.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1890019/+subscriptions
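
The None-versus-{} difference described in the bug report, as an added triage example that is not part of the original message and is not nova or oslo.policy code. It is a simplified model: the rule text for admin_or_owner ("is_admin:True or project_id:%(project_id)s") is an assumption, and the log lines are constructed in the shape of the quoted DEBUG output.

```python
import json
import re

# Constructed lines in the shape of the oslo_policy DEBUG output quoted above
# (creds shortened, ids made up).
_CREDS = '{"is_admin": false, "project_id": "p1", "user_id": "u1", "roles": ["member"]}'
SAMPLE_LOG = [
    'DEBUG oslo_policy.policy [req-1] enforce: rule="os_compute_api:limits" creds='
    + _CREDS + ' target={"project_id": "p1", "user_id": "u1"} enforce policy.py:908',
    'DEBUG oslo_policy.policy [req-2] enforce: rule="os_compute_api:limits" creds='
    + _CREDS + ' target={} enforce policy.py:951',
]
ENFORCE_RE = re.compile(
    r'enforce: rule="(?P<rule>[^"]+)" creds=(?P<creds>\{.*?\}) '
    r'target=(?P<target>\{.*?\}) enforce ')


def admin_or_owner(creds, target):
    # Assumed rule text: "is_admin:True or project_id:%(project_id)s".
    # A target without project_id cannot satisfy the owner half.
    owner = "project_id" in target and creds.get("project_id") == target["project_id"]
    return bool(creds.get("is_admin")) or owner


def authorize(creds, target):
    # Model of the fallback quoted in the report: only None gets the default
    # target built from the caller's own ids; {} is passed through unchanged.
    if target is None:
        target = {"project_id": creds.get("project_id"), "user_id": creds.get("user_id")}
    return admin_or_owner(creds, target)


def triage(lines):
    """Flag enforce lines whose empty target is the reason the check fails."""
    findings = []
    for line in lines:
        m = ENFORCE_RE.search(line)
        if m is None:
            continue
        creds, target = json.loads(m["creds"]), json.loads(m["target"])
        allowed = authorize(creds, target)
        findings.append({
            "rule": m["rule"], "allowed": allowed,
            "empty_target_denial": not allowed and not target and authorize(creds, None),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with empty_target_denial set marks a request that the owner rule would have passed under the old None fallback, which is the signature to look for when a deployment's policy file still maps such rules to admin_or_owner.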

