
yahoo-eng-team team mailing list archive

[Bug 1934478] [NEW] Invalid aliases in nova.policy


Public bug reported:

Description
===========
As of the Rocky release, keystone provides three roles called admin,
member, and reader by default. Nova has incorporated those available
roles into default policies in the Victoria version of OpenStack. Servers,
however, can still be created by a user who has only the reader role in
the Victoria version. The ambiguous thing is servers cannot be created
when I write the default aliases in the policy.yaml of nova.

Steps to reproduce
==================
1. Assign the reader role to the user, for example:
   openstack role add --user alice --project acme reader
2. Create a server in the acme project with user alice:
   openstack --os-username=<username> --os-user-domain-name=<domain> --os-password=<password> --os-project-name=<project> --os-project-domain-name=<domain> server create --network <network_id> --flavor <flavor_id> --image <image_id> server_name
3. Add these default aliases to policy.yaml:
   "context_is_admin": "role:admin"
   "admin_or_owner": "is_admin:True or project_id:%(project_id)s"
   "admin_api": "is_admin:True"
   "system_admin_api": "role:admin and system_scope:all"
   "system_reader_api": "role:reader and system_scope:all"
   "project_admin_api": "role:admin and project_id:%(project_id)s"
   "project_member_api": "role:member and project_id:%(project_id)s"
   "project_reader_api": "role:reader and project_id:%(project_id)s"
   "system_admin_or_owner": "rule:system_admin_api or rule:project_member_api"
   "system_or_project_reader": "rule:system_reader_api or rule:project_reader_api"
4. Repeat step 3.
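To see what the step-3 aliases actually grant, here is a small evaluator added as an example (not nova's or oslo.policy's own code) that applies oslo.policy's rule semantics, with "and" binding tighter than "or", to those exact alias strings for a token like alice's. It assumes the server-create check is named os_compute_api:servers:create and defaults to rule:system_admin_or_owner; the report quotes neither, so both are assumptions.

```python
# Added example (not nova's or oslo.policy's code): evaluate the policy.yaml
# aliases from step 3 the way oslo.policy does, for a user with only 'reader'.
ALIASES = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_api": "is_admin:True",
    "system_admin_api": "role:admin and system_scope:all",
    "system_reader_api": "role:reader and system_scope:all",
    "project_admin_api": "role:admin and project_id:%(project_id)s",
    "project_member_api": "role:member and project_id:%(project_id)s",
    "project_reader_api": "role:reader and project_id:%(project_id)s",
    "system_admin_or_owner": "rule:system_admin_api or rule:project_member_api",
    "system_or_project_reader": "rule:system_reader_api or rule:project_reader_api",
}
# ASSUMPTION: the report does not quote the server-create rule; this is the
# real nova policy name with its Victoria default as I understand it.
RULES = dict(ALIASES, **{"os_compute_api:servers:create": "rule:system_admin_or_owner"})

def _check(atom, creds, target):
    """Evaluate one 'kind:value' atom against the token (creds) and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":                      # alias reference, e.g. rule:admin_api
        return evaluate(value, creds, target)
    if kind == "role":                      # role check against the token's roles
        return value in creds.get("roles", [])
    # Generic check: '%(key)s' is filled from the target, then the literal is
    # compared, as a string, with the credential of the same name.
    if value.startswith("%(") and value.endswith(")s"):
        value = str(target.get(value[2:-2]))
    return str(creds.get(kind)) == value

def evaluate(rule, creds, target):
    """'and' binds tighter than 'or' (oslo.policy precedence); no parentheses
    appear in these aliases, so splitting on the keywords is sufficient."""
    expr = RULES.get(rule, rule)
    return any(all(_check(a.strip(), creds, target) for a in term.split(" and "))
               for term in expr.split(" or "))

def can_create_server(roles, project_id="acme", system_scope=None):
    """Build a token like alice's from step 1 and run the server-create rule."""
    creds = {"roles": roles, "project_id": project_id,
             "is_admin": "admin" in roles, "system_scope": system_scope}
    return evaluate("os_compute_api:servers:create", creds, {"project_id": project_id})

if __name__ == "__main__":
    print("alice, reader only in acme ->", can_create_server(["reader"]))  # False
    print("member of acme             ->", can_create_server(["member"]))  # True
```

With these aliases a project reader is denied because project_member_api requires role:member and system_admin_api requires a system-scoped admin token; a keystone token whose roles list includes member (or admin, which keystone implies to member by default) is allowed.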

Expected result
===============
Neither step 2 nor step 4 can create a server.

Actual result
=============
Step 2 can create a server successfully.

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1934478

Title:
  Invalid aliases in nova.policy

Status in OpenStack Compute (nova):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1934478/+subscriptions
