os_compute_api:servers:create:attach_network does not account for networks='none' (or 'auto') and microversion 2.37

Bug #1686113 reported by Matt Riedemann
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Low
Assigned to: Jianghua Wang

Bug Description

Before microversion 2.37 the 'networks' key in the POST /servers request body could be omitted if you just wanted a port automatically allocated on an available network for the project.

With microversion >= 2.37, you must specify the networks key and it can be a specific network, or one of two enums: 'auto' or 'none'.

The 'auto' case is semantically the same as not specifying networks before microversion 2.37. If one is available to the project, it will be used. If more than one is available, the server create request fails since Nova can't decide which network to use. If none are available, the server does not get any networking.

The 'none' case is for specifically saying you don't want networking attached to the server.

The "os_compute_api:servers:create:attach_network" policy rule is checked in the REST API here:

https://github.com/openstack/nova/blob/3d09b67205db06ce67f2ad84e973edc11b6cbb98/nova/api/openstack/compute/servers.py#L533

That is only checked if specific networks are requested, but it's not accounting for the special 'auto' or 'none' cases.

This means that if you change the policy rule from its default admin_or_owner to, say, admin-only, for example, and you are using microversion >= 2.37, where the "networks" key is required, server creates will always fail for non-admins, even if 'auto' or 'none' are specified.

Tags: api policy
Matt Riedemann (mriedem)
summary: os_compute_api:servers:create:attach_network does not account for
- networks='none' and microversion 2.37
+ networks='none' (or 'auto') and microversion 2.37
Changed in nova:
assignee: nobody → Jianghua Wang (wjh-fresh)
Jianghua Wang (wjh-fresh) wrote :

When networks='none', it shouldn't verify the policy at all, as no network will be attached.
But for network="auto", it should check the policy rule, as it does need a network attached:
   https://developer.openstack.org/api-ref/compute/?expanded=create-server-detail
   auto tells the Compute service to use a network that is available to the project, if one exists. If one does not exist, the Compute service will attempt to automatically allocate a network for the project (if possible).

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/465903

Changed in nova:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/465903
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=36ef45edda4c5e8b357abb90ec6cd56ce945e783
Submitter: Jenkins
Branch: master

commit 36ef45edda4c5e8b357abb90ec6cd56ce945e783
Author: jianghua wang <email address hidden>
Date: Thu May 18 10:29:13 2017 +0100

    Skip policy rules on attach_network for none network allocation

    With microversion >= 2.37 and change the value for policy
    "os_compute_api:servers:create:attach_network" from default -
    "admin_or_owner" e.g. admin_api, it will always fail the server
    create for non-admins, even when the network is "none".

    Change-Id: Ic21598f4f31f73ee319e1b58a55dadeeba2644b2
    Closes-bug: 1686113

Changed in nova:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 16.0.0.0b2

This issue was fixed in the openstack/nova 16.0.0.0b2 development milestone.
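
The behaviour discussed in this report, as an added example that is not nova's code and not part of the original thread: a simplified model of when the attach_network rule is enforced, before and after the fix, for an operator who has tightened the rule. The role names, the minimal enforcer and the `fixed` flag are assumptions; keeping the check for 'auto' after the fix follows the comment and commit title above rather than the patch itself.

```python
# Simplified model of the check described in this bug; not nova's code.
RULE = "os_compute_api:servers:create:attach_network"

class Forbidden(Exception):
    """Stands in for the rejection a failed policy check produces."""

def enforce(rule, policy, roles):
    # Hypothetical minimal enforcer: policy maps rule name -> required role.
    if policy[rule] not in roles:
        raise Forbidden(rule)

def create_server(networks, microversion, roles, policy, fixed):
    """Return 'created' or raise. `networks` is the request body value:
    None (key omitted), 'auto', 'none', or a list of specific networks."""
    if microversion >= (2, 37) and networks is None:
        raise ValueError("networks is required from microversion 2.37")
    wants_check = bool(networks)      # true for lists and for both enums
    if fixed and networks == "none":  # fix: nothing is attached, skip the rule
        wants_check = False
    if wants_check:
        enforce(RULE, policy, roles)
    return "created"

def outcome(networks, roles, policy, fixed, microversion=(2, 37)):
    try:
        return create_server(networks, microversion, roles, policy, fixed)
    except Forbidden:
        return "forbidden"

def matrix(policy, roles):
    # Constructed request values covering the three cases in the report.
    cases = {"none": "none", "auto": "auto",
             "specific": [{"uuid": "net-constructed"}]}
    return {(name, fixed): outcome(value, roles, policy, fixed)
            for name, value in cases.items() for fixed in (False, True)}

# Constructed policy: rule changed from admin_or_owner to admin-only.
ADMIN_ONLY = {RULE: "admin"}

if __name__ == "__main__":
    for key, result in sorted(matrix(ADMIN_ONLY, {"member"}).items()):
        print(key, result)
```

Running the same matrix against a deployment's real policy file after changing this rule is a quick way to confirm that non-admin creates with networks='none' still succeed.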
