Volume-based snapshot policies have no effect.

Bug #1651296 reported by Matthew Roark
This bug affects 1 person
Affects: Mirantis OpenStack
Status: Invalid
Importance: Medium
Assigned to: Sergey Nikitin

Bug Description

Detailed bug description:
 In an attempt to block users from creating snapshots from volumes, the following policies were modified in /etc/nova/policy.json:

# grep 'volume_snapshot*' /etc/nova/policy.json
    "compute:volume_snapshot_create": "!",
    "compute:volume_snapshot_delete": "!",

Steps to reproduce:
 1. Modify /etc/nova/policy.json as follows:
    "compute:volume_snapshot_create": "!",
    "compute:volume_snapshot_delete": "!",
 2. In Horizon, go to Project > Compute >> Volumes
 3. Create 1GB empty volume.
 4. Select "More >> Create Snapshot"
 5. Snapshot is created under the "Volume Snapshots" tab.
Expected results:
 User is unauthorized to perform requested action when attempting to create a snapshot from a volume.
Actual result:
 User is able to create a snapshot from a volume.
Reproducibility:
 Reproducible in MOS 5.1 -> 9.0.
Workaround:
 N/A
Impact:
 Prevents modified policies from taking effect.
Description of the environment:
- Operating system: Ubuntu 14.04
- Versions of components: MOS 5.1
- Network model: Neutron + VLAN

Matthew Roark (mroark)
tags: added: customer-found
tags: added: t1
Changed in mos:
assignee: nobody → MOS Nova (mos-nova)
importance: Undecided → Medium
status: New → Confirmed
milestone: none → 9.2
tags: added: area-nova
tags: added: ct1
removed: t1
Matthew Roark (mroark)
summary: - Volume snapshot policies have no effect.
+ Volume-based snapshot policies have no effect.
Changed in mos:
assignee: MOS Nova (mos-nova) → Sergey Nikitin (snikitin)
Sergey Nikitin (snikitin) wrote :

To create a snapshot you use "Project > Compute >> Volumes". This is a Cinder API. But you tried to disable snapshot creation by changing Nova policy "/etc/nova/policy.json".

To disable snapshot creation you need to modify Cinder's policy file "/etc/cinder/policy.json". In this file you need to change the value of the field "volume:delete_snapshot" from "rule:admin_or_owner" to "!".

Changed in mos:
status: Confirmed → Invalid
Sergey Nikitin (snikitin) wrote :

I meant "volume:create_snapshot"

Matthew Roark (mroark) wrote :

@snikitin: Thank you for pointing this out. The "volume:create_snapshot" option doesn't appear to be present in policy.json by default up until MOS 9.0; however, it does retroactively work nonetheless after adding it manually.
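
The following audit is an added example, not part of the original thread or of the MOS code: it checks that the snapshot deny rules sit in the Cinder policy file, which is the one that gates the Horizon Volumes path, and flags the case from this report where they were set only in the Nova file. The function names are hypothetical and the sample policy contents are constructed from the values quoted in the thread.

```python
import json

DENY = "!"  # policy rule string that always rejects the request

# Rule names taken from the bug thread. The Horizon "Volumes" panel calls the
# Cinder API, so only the Cinder rules gate that path.
CINDER_RULES = ("volume:create_snapshot", "volume:delete_snapshot")
NOVA_RULES = ("compute:volume_snapshot_create", "compute:volume_snapshot_delete")


def audit_snapshot_policy(nova_json, cinder_json):
    """Return (status, rule, detail) findings for the volume-snapshot path."""
    nova, cinder = json.loads(nova_json), json.loads(cinder_json)
    findings = []
    for rule in CINDER_RULES:
        if rule not in cinder:
            findings.append(("FAIL", rule, "absent from the Cinder policy file"))
        elif cinder[rule] != DENY:
            findings.append(("FAIL", rule, "set to %r, not %r" % (cinder[rule], DENY)))
        else:
            findings.append(("OK", rule, "denied in the Cinder policy file"))
    cinder_denies = all(status == "OK" for status, _, _ in findings)
    for rule in NOVA_RULES:
        if nova.get(rule) == DENY and not cinder_denies:
            findings.append(("WARN", rule, "denied in the Nova policy file only; "
                             "the Cinder API does not consult it"))
    return findings


def is_blocked(findings):
    """True only when every Cinder snapshot rule is an explicit deny."""
    return not any(status == "FAIL" for status, _, _ in findings)


# Constructed sample files mirroring the states described in the thread.
NOVA_SAMPLE = '''{"compute:volume_snapshot_create": "!",
                  "compute:volume_snapshot_delete": "!"}'''
CINDER_AS_REPORTED = '{"volume:delete_snapshot": "rule:admin_or_owner"}'
CINDER_FIXED = '{"volume:create_snapshot": "!", "volume:delete_snapshot": "!"}'

if __name__ == "__main__":
    for label, cinder in (("as reported", CINDER_AS_REPORTED), ("fixed", CINDER_FIXED)):
        results = audit_snapshot_policy(NOVA_SAMPLE, cinder)
        print(label, "-> blocked:", is_blocked(results))
        for finding in results:
            print("  %-4s %-32s %s" % finding)
```

Against a real deployment, pass the contents of /etc/nova/policy.json and /etc/cinder/policy.json in place of the samples.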
