Compute flavor management not granular enough by policy and code

Bug #1675147 reported by Rick Bartra
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Wishlist
Assigned to: Rick Bartra

Bug Description

We need the Nova policy and code to support more granularity (i.e. Create/Delete) for Flavor management. Current policy check only checks os_compute_api:os-flavor-manage and action(s) are missing in the nova policy-in-code. Each API should have its own policy action that it checks.

The new policy checks should be added here:
https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/flavor_manage.py

Additional policy actions should be added here:
https://github.com/openstack/nova/blob/master/nova/policies/flavor_manage.py

Rick Bartra (rb560u)
Changed in nova:
assignee: nobody → Rick Bartra (rb560u)
Changed in nova:
status: New → In Progress
Rick Bartra (rb560u)
description: updated
Sean Dague (sdague) wrote :

There are no currently open reviews on this bug, changing the status back to the previous state and unassigning. If there are active reviews related to this bug, please include links in comments.

Changed in nova:
status: In Progress → New
assignee: Rick Bartra (rb560u) → nobody
Rick Bartra (rb560u) wrote :

Here is the active review: https://review.openstack.org/#/c/449288/

Changed in nova:
assignee: nobody → Rick Bartra (rb560u)
status: New → In Progress
Matt Riedemann (mriedem)
Changed in nova:
importance: Undecided → Wishlist
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/449288
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=a8fd8731d2e5562c5631d6847d4d781ed0a2e772
Submitter: Jenkins
Branch: master

commit a8fd8731d2e5562c5631d6847d4d781ed0a2e772
Author: Rick Bartra <email address hidden>
Date: Tue Jul 18 17:38:52 2017 -0400

    Add policy granularity to the Flavors API

    The same policy rule (os_compute_api:os-flavor-manage) is being used
    for the create and delete actions of the flavors REST API. It is thus
    impossible to provide different RBAC for the create and delete actions
    based on roles. To address this, changes are made to have separate
    policy rules for each action.

    Most other places in nova (and OpenStack in general) have separate
    policy rules for each action. This affords the ultimate flexibility
    to deployers, who can obviously use the same rule if that is what they
    want.

    To address backwards compatibility, the new rules added to the
    flavor_manage.py policy file, default to the existing rule
    (os_compute_api:os-flavor-manage). That way across upgrades this
    should ensure if an existing admin has customised the rule, it keeps
    working, but folks that know about the new setting can override the
    default rule. In addition, a verify_deprecated_policy method is added
    to see if the old policy action is being configured instead of the
    new actions.

    Closes-Bug: #1675147

    Co-Authored-By: Felipe Monteiro <email address hidden>
    Change-Id: Ic67b52ebac3a47e9fb7e3c0d6c3ce8a6bc539e11

Changed in nova:
status: In Progress → Fix Released
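
The backward-compatible defaulting described in the commit message above, as an added Python sketch that is not nova's or oslo.policy's code: a minimal rule evaluator in which each per-action rule defers to the old rule unless overridden. The `:create`/`:delete` rule names, the `flavor_ops` and `flavor_creator` roles and the `uses_deprecated_rule` helper are assumptions made for illustration.

```python
# Added illustration: a tiny stand-in for a policy engine, not nova code.
OLD = "os_compute_api:os-flavor-manage"
CREATE = OLD + ":create"  # assumed name of the per-action rule
DELETE = OLD + ":delete"  # assumed name of the per-action rule

# In-code defaults: each new rule points at the old one, so an operator
# who customised only the old rule keeps the same behaviour after upgrade.
DEFAULTS = {
    "admin_api": "role:admin",
    OLD: "rule:admin_api",
    CREATE: "rule:" + OLD,
    DELETE: "rule:" + OLD,
}


def check(rule_name, roles, overrides=None, _seen=()):
    """Return True if any role in `roles` satisfies `rule_name`."""
    rules = {**DEFAULTS, **(overrides or {})}
    if rule_name in _seen:
        raise ValueError("cyclic policy rule: " + rule_name)
    if rule_name not in rules:
        return False  # unknown rule: fail closed
    # Supported check strings: "role:X" and "rule:Y", joined by " or ".
    for term in rules[rule_name].split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in roles:
            return True
        if kind == "rule" and check(value, roles, overrides,
                                    _seen + (rule_name,)):
            return True
    return False


def uses_deprecated_rule(overrides):
    """True when only the old shared rule is customised, i.e. create and
    delete still cannot be granted separately (hypothetical helper)."""
    return (OLD in overrides and CREATE not in overrides
            and DELETE not in overrides)


if __name__ == "__main__":
    # Constructed operator configs: one pre-upgrade, one using the new rule.
    legacy = {OLD: "role:admin or role:flavor_ops"}
    split = {CREATE: "role:admin or role:flavor_creator"}
    print(check(DELETE, {"flavor_ops"}, legacy))     # old override still applies
    print(check(CREATE, {"flavor_creator"}, split))  # create granted
    print(check(DELETE, {"flavor_creator"}, split))  # delete stays admin-only
```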
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 16.0.0.0rc1

This issue was fixed in the openstack/nova 16.0.0.0rc1 release candidate.
