yahoo-eng-team team mailing list archive

[Bug 1960247] Re: server suspend action allows authorization by user_id while server resume action does not

 

ack i kind of agree with gmann here
gmann is correct that this does not align with the direction we are moving in with our new policy/rbac work and that our intent was to eventually remove it outside of keypairs.

the spec linked above clearly states what our intentions were and the
endpoint on which it could be used. as such I'm going to update this to
invalid but we can continue this conversation on the mailing list, irc
or in the nova team meeting.

** Changed in: nova
       Status: In Progress => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1960247

Title:
  server suspend action allows authorization by user_id while server
  resume action does not

Status in OpenStack Compute (nova):
  Opinion

Bug description:
  Description
  ===========
  Since the following change was merged, nova allows authorization by user_id for the server suspend action.

  https://review.opendev.org/c/openstack/nova/+/353344

  However, the same is not yet implemented in the resume action, and this
  results in an inconsistent policy rule for the two corresponding operations.

  Steps to reproduce
  ==================
  * Define policy rules like the following example
    "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s"
    "os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s"
  * Create a server by a non-admin user
  * Suspend the server by the user
  * Resume the server by the user

  Expected result
  ===============
  Both suspend and resume are accepted

  Actual result
  =============
  Only suspend is accepted and resume fails with

  ERROR (Forbidden): Policy doesn't allow os_compute_api:os-suspend-server:suspend to be performed. (HTTP 403) (Request-ID: req-...)

  Environment
  ===========
  This issue was initially reported as one found in a stable/xena deployment.
   http://lists.openstack.org/pipermail/openstack-discuss/2022-February/027078.html

  Logs & Configs
  ==============
  N/A

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1960247/+subscriptions
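
A simplified model of how the `user_id:%(user_id)s` rule from the report is evaluated, added here as an illustration and not taken from nova or oslo.policy. It assumes the suspend handler puts the server owner's user_id into the policy target while the resume handler passes only project_id; `enforce`, `check`, the `admin_api` definition and all sample ids are constructed for the example.

```python
# Simplified stand-in for an oslo.policy-style rule check (assumption, not the library).
RULES = {
    "admin_api": "role:admin",  # constructed definition for the example
    "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s",
    "os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s",
}

def check(kind, match, target, creds):
    """Evaluate one 'kind:match' term against the target and the caller's credentials."""
    if kind == "rule":
        return enforce(match, target, creds)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        # Generic check: fill the right-hand side from the policy target.
        expected = match % target
    except KeyError:
        # The handler did not put this attribute in the target: fail closed.
        return False
    return str(creds.get(kind)) == expected

def enforce(name, target, creds):
    """Only 'or'-joined terms are supported, which is all the report's rules use."""
    terms = RULES[name].split(" or ")
    return any(check(*t.strip().split(":", 1), target, creds) for t in terms)

# Constructed sample data.
SERVER = {"user_id": "u-alice", "project_id": "p-1"}
ALICE = {"user_id": "u-alice", "project_id": "p-1", "roles": ["member"]}
BOB = {"user_id": "u-bob", "project_id": "p-1", "roles": ["member"]}
ADMIN = {"user_id": "u-root", "project_id": "p-0", "roles": ["admin"]}

# Assumed targets: suspend includes the owner's user_id, resume does not.
SUSPEND_TARGET = {"user_id": SERVER["user_id"], "project_id": SERVER["project_id"]}
RESUME_TARGET = {"project_id": SERVER["project_id"]}

def results():
    s = "os_compute_api:os-suspend-server:suspend"
    r = "os_compute_api:os-suspend-server:resume"
    return {
        "owner suspend": enforce(s, SUSPEND_TARGET, ALICE),
        "owner resume": enforce(r, RESUME_TARGET, ALICE),
        "other user suspend": enforce(s, SUSPEND_TARGET, BOB),
        "admin resume": enforce(r, RESUME_TARGET, ADMIN),
    }

if __name__ == "__main__":
    for case, allowed in results().items():
        print(f"{case}: {'allowed' if allowed else 'forbidden (403)'}")
```

Under these assumptions the identical rule string gives different outcomes for the owner, because the decision depends on which attributes the API handler supplies in the target and not only on the policy file.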


