host-list policy irrelevant
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Won't Fix | Medium | Unassigned |
Bug Description
There are some compute REST APIs where the policy setting is irrelevant because they require admin. host-list is an example.
To recreate, start with devstack, set up so that you're running as demo user.
$ export OS_USERNAME=demo
$ export OS_PASSWORD=mypwd
$ export OS_TENANT_NAME=demo
$ export OS_AUTH_URL=http://
$ export OS_NO_CACHE=1
# First try with the default policy:
$ grep compute_
"compute_
$ nova host-list
ERROR: Policy doesn't allow compute_
# Change policy so that anyone can view hosts:
$ grep compute_
"compute_
$ nova host-list
ERROR: User does not have admin privileges (HTTP 403) (Request-ID: req-48983c2e-
Since I configured the policy so that anyone could view hosts, it was expected that a non-admin user could list hosts.
Nova should respect the policy that the admin configured and not force its own.
Changed in nova:
assignee: nobody → Ivan-Zhu (ivan-zhu)
Changed in nova:
importance: Undecided → Medium
status: New → Triaged
tags: added: api
This is because there is @require_admin_context in /nova/db/sqlalchemy/api.py. Changing policy.json just allows a regular user to use this API, but at the DB level it also needs admin privileges. I think these operations must be executed by an admin user.
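The two 403s in the report come from two separate authorization layers. The following is an added, simplified model of that layering, not nova's code and not part of the bug report: the rule name `demo:host_list`, the `Context` class, and the host data are constructed for illustration, and only the decorator name is taken from the comment above.

```python
import functools

class Forbidden(Exception):
    """Raised by either layer; `layer` records which one refused."""
    def __init__(self, layer, msg):
        super().__init__(msg)
        self.layer = layer

class Context:
    def __init__(self, user, roles):
        self.user = user
        self.is_admin = "admin" in roles

# Layer 1: operator-editable policy (stands in for policy.json).
# "demo:host_list" is a constructed placeholder, not a real nova rule.
def enforce(policy, ctx, rule):
    check = policy[rule]
    if check == "":                      # empty rule: any authenticated user
        return
    if check == "role:admin" and ctx.is_admin:
        return
    raise Forbidden("policy", f"Policy doesn't allow {rule}")

# Layer 2: hard-coded check in the DB API, modelled on the
# @require_admin_context decorator named in the comment above.
def require_admin_context(fn):
    @functools.wraps(fn)
    def wrapper(ctx, *args, **kwargs):
        if not ctx.is_admin:
            raise Forbidden("db", "User does not have admin privileges")
        return fn(ctx, *args, **kwargs)
    return wrapper

@require_admin_context
def db_host_list(ctx):
    return ["host-1"]                    # constructed data

def api_host_list(policy, ctx):
    enforce(policy, ctx, "demo:host_list")   # the policy decision ...
    return db_host_list(ctx)                 # ... can still be overridden here

def outcome(policy, ctx):
    """Return ('ok', hosts) or ('denied', layer_that_refused)."""
    try:
        return ("ok", api_host_list(policy, ctx))
    except Forbidden as exc:
        return ("denied", exc.layer)
```

With the default rule the demo user is refused by the policy layer; with the relaxed rule the refusal simply moves to the DB layer, which is why editing the policy file changes the error message but not the result.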