Reproduced the same problem on Ussuri when trying to extend already attached volume as a regular user (a user assigned 'member' role only). Steps to recreate:
1. OpenStack Ussuri, charm: cinder| ussuri/edge | rev. 568
2. create a volume and attach it to a VM
3. as a user with the 'member' role assigned to the project try to extend the volume:
`cinder extend <vol id> <new size>
4. the command completes with the rc 0 (all good), `openstack volume show` shows new size but cinder-volume.log contains following error and the volume size from the VM perspective remains unchanged:
#### actual 403 error message from nova #####
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova [req-13d1093e-9a7f-4f03-b505-c985d9d45691 754c0e6eae22488982f393b69e9800a3 d6761dacbb0649189a07a4a1a191a8c0 - 6a4439622e71431c8b96073e33c3b7e1 6a4439622e71431c8b96073e33c3b7e1] Failed to notify nova on events: [{'name': 'volume-extended', 'server_uuid': '3d51176f-281c-4ab3-8631-042ccd407d1d', 'tag': '99c14113-f1ed-4e28-a9b9-54c7eb862db8'}].: novaclient.exceptions.Forbidden: Policy doesn't allow os_compute_api:os-server-external-events:create to be performed. (HTTP 403) (Request-ID: req-6a908980-00ae-455e-b8fb-aab951032251)
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova Traceback (most recent call last):
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova File "/usr/lib/python3/dist-packages/cinder/compute/nova.py", line 149, in _send_events
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova response = nova.server_external_events.create(events)
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova File "/usr/lib/python3/dist-packages/novaclient/v2/server_external_events.py", line 38, in create
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova return self._create('/os-server-external-events', body, 'events',
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova File "/usr/lib/python3/dist-packages/novaclient/base.py", line 363, in _create
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova resp, body = self.api.client.post(url, body=body)
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova File "/usr/lib/python3/dist-packages/keystoneauth1/adapter.py", line 392, in post
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova return self.request(url, 'POST', **kwargs)
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova File "/usr/lib/python3/dist-packages/novaclient/client.py", line 78, in request
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova raise exceptions.from_response(resp, body, url, method)
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova novaclient.exceptions.Forbidden: Policy doesn't allow os_compute_api:os-server-external-events:create to be performed. (HTTP 403) (Request-ID: req-6a908980-00ae-455e-b8fb-aab951032251)
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova
#### successful completion - that is wrong ####
2022-11-21 12:53:22.880 1243598 INFO cinder.volume.manager [req-13d1093e-9a7f-4f03-b505-c985d9d45691 754c0e6eae22488982f393b69e9800a3 d6761dacbb0649189a07a4a1a191a8c0 - 6a4439622e71431c8b96073e33c3b7e1 6a4439622e71431c8b96073e33c3b7e1] Extend volume completed successfully.
This is because if the [nova] section in the cinder.conf is missing, the api request to the nova-api from the cinder is executed as the user who initiated the cinder cli call (in the case above its 754c0e6eae22488982f393b69e9800a3) who does not have privileges to execute 'volume-extend'.
Adding following [nova] section to the cinder.conf solves the problem:
[nova]
url = <nova api url>
region_name = <region>
auth_url = <keystone api url>
auth_type = password
project_domain_name = <project_domain>
user_domain_name = <nova_user_domain>
project_name = <project_name>
username = nova
password = <password>
Please provide the fix to the Ussuri version of the charm (ussri channel).
Thank you.
Reproduced the same problem on Ussuri when trying to extend already attached volume as a regular user (a user assigned 'member' role only). Steps to recreate:
1. OpenStack Ussuri, charm: cinder| ussuri/edge | rev. 568 9a7f-4f03- b505-c985d9d456 91 754c0e6eae22488 982f393b69e9800 a3 d6761dacbb06491 89a07a4a1a191a8 c0 - 6a4439622e71431 c8b96073e33c3b7 e1 6a4439622e71431 c8b96073e33c3b7 e1] Failed to notify nova on events: [{'name': 'volume-extended', 'server_uuid': '3d51176f- 281c-4ab3- 8631-042ccd407d 1d', 'tag': '99c14113- f1ed-4e28- a9b9-54c7eb862d b8'}].: novaclient. exceptions. Forbidden: Policy doesn't allow os_compute_ api:os- server- external- events: create to be performed. (HTTP 403) (Request-ID: req-6a908980- 00ae-455e- b8fb-aab9510322 51) python3/ dist-packages/ cinder/ compute/ nova.py" , line 149, in _send_events external_ events. create( events) python3/ dist-packages/ novaclient/ v2/server_ external_ events. py", line 38, in create '/os-server- external- events' , body, 'events', python3/ dist-packages/ novaclient/ base.py" , line 363, in _create client. post(url, body=body) python3/ dist-packages/ keystoneauth1/ adapter. py", line 392, in post python3/ dist-packages/ novaclient/ client. py", line 78, in request from_response( resp, body, url, method) exceptions. Forbidden: Policy doesn't allow os_compute_ api:os- server- external- events: create to be performed. (HTTP 403) (Request-ID: req-6a908980- 00ae-455e- b8fb-aab9510322 51)
2. create a volume and attach it to a VM
3. as a user with the 'member' role assigned to the project try to extend the volume:
`cinder extend <vol id> <new size>
4. the command completes with the rc 0 (all good), `openstack volume show` shows new size but cinder-volume.log contains following error and the volume size from the VM perspective remains unchanged:
#### actual 403 error message from nova #####
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova [req-13d1093e-
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova Traceback (most recent call last):
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova File "/usr/lib/
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova response = nova.server_
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova File "/usr/lib/
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova return self._create(
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova File "/usr/lib/
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova resp, body = self.api.
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova File "/usr/lib/
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova return self.request(url, 'POST', **kwargs)
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova File "/usr/lib/
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova raise exceptions.
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova novaclient.
2022-11-21 12:53:22.806 1243598 ERROR cinder.compute.nova
#### successful completion - that is wrong #### volume. manager [req-13d1093e- 9a7f-4f03- b505-c985d9d456 91 754c0e6eae22488 982f393b69e9800 a3 d6761dacbb06491 89a07a4a1a191a8 c0 - 6a4439622e71431 c8b96073e33c3b7 e1 6a4439622e71431 c8b96073e33c3b7 e1] Extend volume completed successfully.
2022-11-21 12:53:22.880 1243598 INFO cinder.
This is because if the [nova] section in the cinder.conf is missing, the api request to the nova-api from the cinder is executed as the user who initiated the cinder cli call (in the case above its 754c0e6eae22488 982f393b69e9800 a3) who does not have privileges to execute 'volume-extend'.
Adding following [nova] section to the cinder.conf solves the problem:
[nova]
url = <nova api url>
region_name = <region>
auth_url = <keystone api url>
auth_type = password
project_domain_name = <project_domain>
user_domain_name = <nova_user_domain>
project_name = <project_name>
username = nova
password = <password>
Please provide the fix to the Ussuri version of the charm (ussri channel).
Thank you.