yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #86549
[Bug 1934478] Re: Invalid aliases in nova.policy
Yes, that is expected behaviour actually. Expected I mean until we
remove the legacy policy rules where the reader is nothing but the
owner.
We have not removed the legacy policy support yet and they are still
present as deprecated rule
-
https://github.com/openstack/nova/blob/e7a7fd51d12d045ff134d55a4a1749c1feee0386/nova/policies/base.py#L127
This means, the old tokens still be able to pass the policy check and
create the server. This is with the default policy in code which is your
2nd step.
Project reader in legacy policy is nothing but an owner of the project
because in legacy policy there is no differentiation between the reader
or member role in Nova. so any role in the project is the owner of the
resource and that project so they can create a server. This is how we
kept this policy migration as backward compatible.
Onew you override these policies as you did in step 3 then it removes
the legacy policy support and that is why the reader will not be able to
create a server.
Once we remove the legacy policy support, then new reader role will not
be able to create server on new RBAC.
I hope I clarified the use case. If not please feel free to reopen it,
until now I am marking as invalid because that is behaving as expected.
** Changed in: nova
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1934478
Title:
Invalid aliases in nova.policy
Status in OpenStack Compute (nova):
Invalid
Bug description:
Description
===========
As of the Rocky release, keystone provides three roles called admin,
member, and reader by default. Nova has incorporated those available
roles into default policies in Victora version of OpenStack. Servers
, howver, can still be created by user who has only reader role in
Victoria version. The ambiguos thing is servers cannot be created
when I write the default aliases in the policy.yaml of nova.
Steps to reproduce
==================
1. Assign the reader role to the user, for example:
openstack role add --user alice --project acme reader
2. Create a server in acme project with user alice
openstack --os-username=<username> --os-user-domain-name=<domain> --os-password=<password> --os-project-name=<project> --os-project-domain-name=<domain> server create --network <network_id> --flavor <flavor_id> --image <image_id> server_name
3. Add these default aliases to policy.yaml
"context_is_admin": "role:admin"
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
"admin_api": "is_admin:True"
"system_admin_api": "role:admin and system_scope:all"
"system_reader_api": "role:reader and system_scope:all"
"project_admin_api": "role:admin and project_id:%(project_id)s"
"project_member_api": "role:member and project_id:%(project_id)s"
"project_reader_api": "role:reader and project_id:%(project_id)s"
"system_admin_or_owner": "rule:system_admin_api or rule:project_member_api"
"system_or_project_reader": "rule:system_reader_api or rule:project_reader_api"
4. repeat the 3 step
Expected result
===============
both the 2 and 4 step cannot create servers
Actual result
=============
the 2 step can create servers successfully
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1934478/+subscriptions
References