yahoo-eng-team team mailing list archive
Message #88213
[Bug 1960247] [NEW] server suspend action allows authorization by user_id while server resume action does not
Public bug reported:
Description
===========
Since the following change was merged, nova allows authorization by user_id for the server suspend action.
https://review.opendev.org/c/openstack/nova/+/353344
However, the same is not yet implemented for the resume action, and this
results in inconsistent policy rules for the two corresponding operations.
Steps to reproduce
==================
* Define policy rules like the following example
"os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s"
"os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s"
* Create a server by a non-admin user
* Suspend the server by the user
* Resume the server by the user
Expected result
===============
Both suspend and resume are accepted
Actual result
=============
Only suspend is accepted and resume fails with
ERROR (Forbidden): Policy doesn't allow os_compute_api:os-suspend-server:suspend to be performed. (HTTP 403) (Request-ID: req-...)
Environment
===========
This issue was initially reported as one found in a stable/xena deployment.
http://lists.openstack.org/pipermail/openstack-discuss/2022-February/027078.html
Logs & Configs
==============
N/A
** Affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1960247
Title:
server suspend action allows authorization by user_id while server
resume action does not
Status in OpenStack Compute (nova):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1960247/+subscriptions
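
Added example, not part of the bug report and not nova or oslo.policy code: a simplified Python model of why the same rule text can pass for one action and fail for the other. It assumes that a user_id:%(user_id)s check is filled in from the target passed by the API code, that suspend supplies the server's user_id in that target while resume supplies only project_id, and that admin_api reduces to an is_admin flag; all names and values are constructed.

```python
# Simplified model of oslo.policy-style rule evaluation (added illustration,
# not nova or oslo.policy source).

RULE = "rule:admin_api or user_id:%(user_id)s"   # rule text from the report

def generic_check(kind, match, target, creds):
    """Evaluate a 'key:%(field)s' check against the target and credentials."""
    try:
        expected = match % target        # substitute %(user_id)s from the target
    except KeyError:
        return False                     # field missing from target: check fails
    return str(creds.get(kind)) == expected

def evaluate(rule, target, creds):
    """Evaluate 'A or B' where a term is 'rule:admin_api' or 'key:match'."""
    for term in rule.split(" or "):
        kind, match = term.strip().split(":", 1)
        if kind == "rule":
            # Assumption: admin_api is modelled as a simple is_admin flag.
            if match == "admin_api" and creds.get("is_admin", False):
                return True
        elif generic_check(kind, match, target, creds):
            return True
    return False

# Constructed sample server and callers.
SERVER = {"user_id": "u-owner", "project_id": "p-1"}
OWNER = {"user_id": "u-owner", "project_id": "p-1", "is_admin": False}
OTHER = {"user_id": "u-other", "project_id": "p-1", "is_admin": False}
ADMIN = {"user_id": "u-admin", "project_id": "p-0", "is_admin": True}

# Assumption: suspend passes the server's user_id in the target, resume does not.
TARGETS = {
    "suspend": {"user_id": SERVER["user_id"], "project_id": SERVER["project_id"]},
    "resume": {"project_id": SERVER["project_id"]},
}

def check_actions(creds):
    """Return {action: allowed} for both actions under the same rule text."""
    return {action: evaluate(RULE, target, creds)
            for action, target in TARGETS.items()}

if __name__ == "__main__":
    for name, creds in (("owner", OWNER), ("other", OTHER), ("admin", ADMIN)):
        print(name, check_actions(creds))
```

In this model the missing target field makes the check fail closed, so the owner is denied resume while admin access is unaffected.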