Volume-based snapshot policies have no effect.
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mirantis OpenStack |
Invalid
|
Medium
|
Sergey Nikitin |
Bug Description
Detailed bug description:
In an attempt to block users from creating snapshots from volumes, the following policies were modified in /etc/nova/
# grep 'volume_snapshot*' /etc/nova/
"compute:
"compute:
Steps to reproduce:
1. Modify /etc/nova/
"compute:
"compute:
1. In Horizon, go to Project > Compute >> Volumes
2. Create 1GB empty volume.
3. Select "More >> Create Snapshot"
4. Snapshot is created under the "Volume Snapshots" tab.
Expected results:
User is unauthorized to perform requested action when attempting to create a snapshot from a volume.
Actual result:
User is able to create a snapshot from a volume.
Reproducibility:
Reproducible in MOS 5.1 -> 9.0.
Workaround:
N/A
Impact:
Prevents modified policies from taking effect.
Description of the environment:
- Operation system: Ubuntu 14.04
- Versions of components: MOS 5.1
- Network model: Neutron + VLAN
tags: | added: customer-found |
tags: | added: t1 |
Changed in mos: | |
assignee: | nobody → MOS Nova (mos-nova) |
importance: | Undecided → Medium |
status: | New → Confirmed |
milestone: | none → 9.2 |
tags: | added: area-nova |
tags: |
added: ct1 removed: t1 |
summary: |
- Volume snapshot policies have no effect. + Volume-based snapshot policies have no effect. |
Changed in mos: | |
assignee: | MOS Nova (mos-nova) → Sergey Nikitin (snikitin) |
To create a snapshot you use "Project > Compute >> Volumes". This is a Cinder API. But you tried to disable snapshot creation by changing Nova policy "/etc/nova/ policy. json".
To disable snapshot creation you need to modify Cinder's policy file "/etc/cinder/ policy. json". In this file you need to change value of filed "volume: delete_ snapshot" from "rule:admin_ or_owner" to "!".