Cannot suspend instance as regular user

Bug #924417 reported by andrewsben
This bug affects 2 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Low
Assigned to: Brian Waldon

Bug Description

When using a non-admin user, calling suspend on an instance results in the error:

novaclient.exceptions.Forbidden: Policy doesn't allow compute_extension:admin_actions to be performed. (HTTP 403)

When doing the same actions as an admin user it works fine.

Steps:
Create or select instance, assign the object to a var, e.g. server
server.suspend() to suspend instance
displays the previously stated error

Expected:
Since it is an instance that is in my tenant I can suspend said instance.

Brian Waldon (bcwaldon) wrote :

So this behavior is correct, as the default policy.json file restricts the compute_extension:admin_actions rule to admins. But what makes sense here is to restrict access to the admin OR the owner of the server. Would that work for you?

Brian Waldon (bcwaldon) wrote :

Actually, it might make more sense to leave the scope of this specific rule alone. You could set the policy to an empty ruleset and depend on the compute::... rules (which already check admin or owner).

The fix for this bug is to provide a default ruleset that allows users to use the 'admin_actions' server actions on instances they own. Turns out that extension name doesn't really make sense :(

Changed in nova:
status: New → Triaged
importance: Undecided → Low
assignee: nobody → Brian Waldon (bcwaldon)
milestone: none → essex-4
Brian Waldon (bcwaldon) wrote :

Hmm, I really don't like enabling all of these actions, even to instance owners, by default. The migrate, migrateLive, resetNetwork, lock and unlock shouldn't be exposed to end-users without good reason. Additionally, it wouldn't be a good move to split up an existing extension, but maybe if it maintains the same interface it isn't a big deal...

Anywho, the temporary fix will still work for existing environments.

Brian Waldon (bcwaldon)
Changed in nova:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/3617

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/3617
Committed: http://github.com/openstack/nova/commit/a2d9645703e54623df3593a3e5629fb3ad60765e
Submitter: Jenkins
Branch: master

commit a2d9645703e54623df3593a3e5629fb3ad60765e
Author: Brian Waldon <email address hidden>
Date: Tue Jan 31 22:56:37 2012 -0800

    Expand policies for admin_actions extension

    Fixes bug 924417

    Change-Id: Ibf62e8e824753dff43e0e86cb9d320086c2c753b

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: essex-4 → 2012.1
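
The policy scoping discussed in this thread, as an added Python example that is not part of the bug report or nova's own code: a small evaluator for list-of-lists policy rules, comparing an admin-only `compute_extension:admin_actions` rule, the empty-ruleset workaround, and a per-action split. The per-action rule names, the `admin_api` and `admin_or_owner` helper rules, and the credential and target dictionaries are constructed for illustration; denying unknown rules is this example's choice.

```python
# Added illustration, not nova's policy engine. Rules are lists of lists:
# the outer list is OR, each inner list is AND.

# Constructed "before": one admin-only rule gates every admin_actions call.
BEFORE = {
    "admin_api": [["role:admin"]],
    "compute_extension:admin_actions": [["rule:admin_api"]],
}

# Constructed temporary fix from the thread: an empty ruleset checks nothing.
TEMPORARY = {"compute_extension:admin_actions": []}

# Constructed "after" with hypothetical per-action rule names: suspend opens
# to the owner, actions the thread calls out stay admin-only.
AFTER = {
    "admin_api": [["role:admin"]],
    "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
    "compute_extension:admin_actions:suspend": [["rule:admin_or_owner"]],
    "compute_extension:admin_actions:migrate": [["rule:admin_api"]],
    "compute_extension:admin_actions:lock": [["rule:admin_api"]],
}


def _match(check, policy, creds, target, seen):
    kind, _, value = check.partition(":")
    if kind == "rule":
        return enforce(policy, value, creds, target, seen)
    if kind == "role":
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    # Generic check: a credential field must equal the templated target value.
    try:
        expected = value % target
    except (KeyError, TypeError, ValueError):
        return False  # target lacks the field or bad template: deny
    return kind in creds and str(creds[kind]) == expected


def enforce(policy, action, creds, target, seen=frozenset()):
    """Return True if creds may perform action on target."""
    if action not in policy or action in seen:
        return False  # this example denies unknown rules and rule cycles
    rules = policy[action]
    if not rules:
        return True  # empty ruleset: no check at this layer
    seen = seen | {action}
    return any(all(_match(c, policy, creds, target, seen) for c in branch)
               for branch in rules)
```

Under the empty ruleset a member of a different tenant also passes this layer, so ownership enforcement then rests entirely on the compute rules the comment refers to.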