Non-admin users cannot create reservations with default policy rules

Bug #1663204 reported by Pierre Riteau
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Blazar
Fix Released
High
Pierre Riteau

Bug Description

Originally, Blazar was using its service user to manage objects for physical host reservation, such as host aggregates, which by default require admin rights.

Commit 16d5f67ba7020701edbbf09a747f5683b0840c21 changed the code to use a dedicated account configured with the values climate_{username,password,tenant_name}.

Then commit c9b7307cf3c97d3b48878aca6eda5b7fbc4dcfa7 removed this dedicated account to use trusts instead, so that operations will be performed on behalf of the user creating the lease (with the trustee being the blazar service user).

While this works well if the user creating Blazar leases is an admin, a non-admin user will get errors because the default Nova policy doesn't allow many of the required operations (non-exhaustive list):

* "os_compute_api:os-aggregates:set_metadata"
* "os_compute_api:os-aggregates:add_host"
* "os_compute_api:os-aggregates:create"
* "os_compute_api:os-aggregates:remove_host"
* "os_compute_api:os-aggregates:index"
* "os_compute_api:os-aggregates:delete"
* "os_compute_api:os-aggregates:show"
* "os_compute_api:os-hypervisors"

A policy allowing non-admin users to create and manage host aggregates is not a solution, because it would allow users to perform these operations via the Nova API. In particular Blazar needs to remove/add hosts from/to the freepool on their behalf: a policy allowing users to do so would allow them to bypass Blazar reservations.

Pierre Riteau (priteau)
Changed in blazar:
status: New → Triaged
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to blazar (master)

Fix proposed to branch: master
Review: https://review.openstack.org/438293

Changed in blazar:
status: Triaged → In Progress
Changed in blazar:
milestone: 0.2.0 → 0.3.0
tags: added: backport-candidates-to-0.2.0
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to blazar (master)

Reviewed: https://review.openstack.org/438293
Committed: https://git.openstack.org/cgit/openstack/blazar/commit/?id=3de6f73e920a16079b8bead3b94353ae0daf7a6d
Submitter: Jenkins
Branch: master

commit 3de6f73e920a16079b8bead3b94353ae0daf7a6d
Author: Pierre Riteau <email address hidden>
Date: Sun Mar 26 20:34:08 2017 -0500

    Fix physical host reservation for non-admin users

    Originally, Blazar was using its service user to manage objects for
    physical host reservation, e.g. host aggregates, which by default
    requires admin rights. Commit 16d5f67ba7020701edbbf09a747f5683b0840c21
    started using a dedicated account configured with values
    climate_username, climate_password, and climate_tenant_name. Commit
    c9b7307cf3c97d3b48878aca6eda5b7fbc4dcfa7 removed this dedicated account
    and started using trusts instead, so that operations were performed on
    behalf of the user creating the lease (with the trustee being the blazar
    service user).

    While this works well if users creating leases are admins, non-admin
    users will get errors because the default Nova policy prevents them from
    running required operations associated with aggregates and hypervisors.

    Since it is not clear why a dedicated account for admin operations was
    required, this patch brings back the approach used before commit
    16d5f67ba7020701edbbf09a747f5683b0840c21, which was to use the service
    account for admin operations. This allows non-admin users to create
    Blazar leases.

    The nova client setup is updated to authenticate against Keystone v3.

    Change-Id: Iad86bb549aec13edd662965d2f91b68c856ae06c
    Closes-Bug: #1663204

Changed in blazar:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers