yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1894975] Re: Cannot overwrite policy rule for 'os_compute_api:servers:create:forced_host'

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1894975@xxxxxxxxxxxxxxxxxx>
Date: Wed, 16 Sep 2020 21:49:44 -0000
Reply-to: Bug 1894975 <1894975@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/751152
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=fd99a7ca0f56223d878142a58525d9ed64c84ed1
Submitter: Zuul
Branch:    master

commit fd99a7ca0f56223d878142a58525d9ed64c84ed1
Author: ericxiett <eric_xiett@xxxxxxx>
Date:   Fri Sep 11 02:03:47 2020 +0000

    Fix error that cannot overwrite policy rule for 'forced_host'
    
    When configure 'os_compute_api:servers:create:forced_host' to
    'rule:admin_or_owner', but still doesn't allow.
    In nova/api/openstack/compute/servers.py#L669, the target is
    set to '{}' that is not equal None, so then it will not be set
    in nova/policy.py#L205.
    This patch configures the target param.
    
    Change-Id: I7a563386bd2f5d1930b5eb2cfc00425a19747e24
    Closes-Bug: #1894975


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1894975

Title:
  Cannot overwrite policy rule for
  'os_compute_api:servers:create:forced_host'

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Description
  ===========
  Change the rule of 'os_compute_api:servers:create:forced_host' 
  to 'rule:admin_or_owner' in policy file.
  But when creating one server with member role, still got 
  "Policy doesn't allow os_compute_api:servers:create:forced_host to be performed. (HTTP 403) (Request-ID: req-199cb105-4c4d-405d-89cf-9059182ec745)"

  Steps to reproduce
  ==================
  * Change policy file
  os_compute_api:servers:create:forced_host: rule:admin_or_owner
  * Reboot nova-api service
  * Create one server with specified host in member role
  openstack server create --image cirros051 --network cps_pxe --flavor m1.tiny --availability-zone :compute01: vm-0909-1

  Expected result
  ===============
  Create server successfully

  Actual result
  =============
  Got "Policy doesn't allow os_compute_api:servers:create:forced_host to be performed. (HTTP 403) (Request-ID: req-199cb105-4c4d-405d-89cf-9059182ec745)"

  Environment
  ===========
  git log
  commit 0d1fd02b301bbc25c75cb2476b24f3be5d7cda77 (HEAD -> stable/rocky, origin/stable/rocky)
  Merge: 837baac9fd c438fd9a0e
  Author: Zuul <zuul@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 3 15:15:47 2020 +0000

      Merge "libvirt: Provide VIR_MIGRATE_PARAM_PERSIST_XML during live
  migration" into stable/rocky

  Logs & Configs
  ==============
  /etc/nova/policy.yaml
  os_compute_api:servers:create:forced_host: rule:admin_or_owner

  /etc/nova/nova.conf
  [oslo_policy]
  policy_file = /etc/nova/policy.yaml

  root@mgt01:~# openstack server create --image cirros051 --network cps_pxe --flavor m1.tiny --availability-zone :compute01: vm-0909-1
  Policy doesn't allow os_compute_api:servers:create:forced_host to be performed. (HTTP 403) (Request-ID: req-199cb105-4c4d-405d-89cf-9059182ec745)

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1894975/+subscriptions

References

[Bug 1894975] [NEW] Cannot overwrite policy rule for 'os_compute_api:servers:create:forced_host:'
From: Eric Xie, 2020-09-09