yahoo-eng-team team mailing list archive

[Bug 1960247] [NEW] server suspend action allows authorization by user_id while server resume action does not

 

Public bug reported:

Description
===========
Since the following change was merged, nova allows authorization by user_id for the server suspend action.

https://review.opendev.org/c/openstack/nova/+/353344

However, the same is not yet implemented in the resume action, and this
results in inconsistent policy rules for the two corresponding operations.

Steps to reproduce
==================
* Define policy rules like the following example
  "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s"
  "os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s"
* Create a server by a non-admin user
* Suspend the server by the user
* Resume the server by the user

Expected result
===============
Both suspend and resume are accepted

Actual result
=============
Only suspend is accepted and resume fails with

ERROR (Forbidden): Policy doesn't allow os_compute_api:os-suspend-server:suspend to be performed. (HTTP 403) (Request-ID: req-...)

Environment
===========
This issue was initially reported as one found in a stable/xena deployment.
 http://lists.openstack.org/pipermail/openstack-discuss/2022-February/027078.html

Logs & Configs
==============
N/A

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1960247

Title:
  server suspend action allows authorization by user_id while server
  resume action does not

Status in OpenStack Compute (nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1960247/+subscriptions
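
Why the same rule string can pass for suspend and fail for resume, as an added example that is not part of the original report and is not nova or oslo.policy code: a simplified model of the `user_id:%(user_id)s` check, assuming the resume handler passes the policy engine a target without `user_id`. The `admin_api` rule body, the server record and all function names are constructed for illustration.

```python
import re

# Constructed policy: the two rules from the report plus a stand-in admin rule.
RULES = {
    "admin_api": "role:admin",
    "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s",
    "os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s",
}

# Constructed server owned by u-alice, and the target each handler is assumed to pass.
SERVER = {"user_id": "u-alice", "project_id": "p-1"}
TARGETS = {
    "os_compute_api:os-suspend-server:suspend": dict(SERVER),
    "os_compute_api:os-suspend-server:resume": {"project_id": SERVER["project_id"]},
}


def check(expr, target, creds):
    """Evaluate an 'a or b' expression of rule:, role: and key:%(key)s checks."""
    for term in expr.split(" or "):
        kind, _, match = term.strip().partition(":")
        if kind == "rule":
            ok = check(RULES[match], target, creds)
        elif kind == "role":
            ok = match in creds.get("roles", [])
        else:
            try:
                # Fill the right-hand side from the target, compare to the credential.
                ok = (match % target) == creds.get(kind)
            except KeyError:
                ok = False  # target lacks the key: the check fails closed
        if ok:
            return True
    return False


def authorize(rule_name, creds):
    """Check a request against the rule, using the target its handler supplies."""
    return check(RULES[rule_name], TARGETS[rule_name], creds)


def missing_target_keys():
    """Map each rule to the %(key)s placeholders its handler's target never supplies."""
    gaps = {}
    for name, target in TARGETS.items():
        missing = [k for k in re.findall(r"%\((\w+)\)s", RULES[name]) if k not in target]
        if missing:
            gaps[name] = missing
    return gaps
```

`missing_target_keys()` is the audit view of the same gap: it reports any rule whose placeholders the handler's target cannot satisfy, which is the condition under which an owner-scoped rule silently becomes admin-only.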


