In case that authorization for deleting a VM instance is done by user_id,
it works fine in V2.0 API, but it does not work in V2.1 API.
[How to reproduce]
In nova policy.json,
Add the following entries(or modify existing entries like the following).
-----------------------------------------------
"user": "user_id:%(user_id)s",
"compute:delete": "rule:user",
"os_compute_api:servers:delete": "rule:user",
-----------------------------------------------
In nova api-paste.ini,
change 'openstack_compute_api_v21_legacy_v2_compatible' to
'openstack_compute_api_legacy_v2' for "/v2" endpoint.
-----------------------------------------------
[composite:osapi_compute]
use = call:nova.api.openstack.urlmap:urlmap_factory
/: oscomputeversions
/v2: openstack_compute_api_legacy_v2
/v2.1: openstack_compute_api_v21
-----------------------------------------------
In V2.0 API, the authorization by 'user_id' works fine.
Only the user who created a VM instance can delete the VM instance.
In V2.1 API, the authorization by 'user_id' does not work.
Any users in the same project can delete the VM instance that another user created.
stack@devstack-master:/opt/devstack$ openstack user list
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 1cd4d65d4f534cd89299bbf31edb37a4 | admin |
| 218e7be255be4c90bf0c4d796a9d509c | nova |
| 357fc80d750646f7b3b56fc1e6792222 | demo |
| 37c5204df2d345fb8a76359966dc8d1b | heat |
| 4a6e928a20a743a6a3d80944c607a22a | neutron |
| 8c613c4691e2447e8082f6c425cd34af | glance |
| 9ab80146bc964e81bfcf3331f6b8bb2d | alt_demo |
| ecd940201f5c45a8833bb739149a54f0 | cinder |
+----------------------------------+----------+
stack@devstack-master:/opt/devstack$ openstack project list
+----------------------------------+--------------------+
| ID | Name |
+----------------------------------+--------------------+
| 4b7c129ea5ee49d1a620c26272091ec7 | admin |
| 4c3e76d51a3c4df384c74b8cafb3a9cc | invisible_to_admin |
| 533daaf421554a84aa3b023b4a9c341c | demo |
| b04c7788628849a48b831f5ad57e374a | service |
+----------------------------------+--------------------+
stack@devstack-master:/opt/devstack$ openstack catalog show compute
+-----------+----------------------------------------------------------------------------+
| Field | Value |
+-----------+----------------------------------------------------------------------------+
| endpoints | RegionOne |
| | publicURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c |
| | internalURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c |
| | adminURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c |
| | |
| name | nova |
| type | compute |
+-----------+----------------------------------------------------------------------------+
stack@devstack-master:/opt/devstack$ openstack catalog show compute_legacy
+-----------+--------------------------------------------------------------------------+
| Field | Value |
+-----------+--------------------------------------------------------------------------+
| endpoints | RegionOne |
| | publicURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c |
| | internalURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c |
| | adminURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c |
| | |
| name | nova_legacy |
| type | compute_legacy |
+-----------+--------------------------------------------------------------------------+
stack@devstack-master:/opt/devstack$ nova show server1
+--------------------------------------+----------------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | devstack-master |
| OS-EXT-SRV-ATTR:hostname | server1 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | devstack-master |
| OS-EXT-SRV-ATTR:instance_name | instance-00000004 |
| OS-EXT-SRV-ATTR:kernel_id | b0d768cd-3483-4e25-8b9d-9d8863f16502 |
| OS-EXT-SRV-ATTR:launch_index | 0 |
| OS-EXT-SRV-ATTR:ramdisk_id | cacd6bf4-fd74-49b5-9b62-7094d576ea6a |
| OS-EXT-SRV-ATTR:reservation_id | r-workgpr8 |
| OS-EXT-SRV-ATTR:root_device_name | /dev/vda |
| OS-EXT-SRV-ATTR:user_data | - |
| OS-EXT-STS:power_state | 1 |
| OS-EXT-STS:task_state | - |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2016-01-28T06:02:59.000000 |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| config_drive | True |
| created | 2016-01-28T06:02:47Z |
| flavor | m1.tiny (1) |
| hostId | 5084983d07d356ef1de4eacd7a1ad854a39e6f39582715bc9aed7097 |
| id | cb921ee5-07b6-4f2e-b66a-efcc05a74368 |
| image | cirros-0.3.4-x86_64-uec (b44a1bbe-3968-4664-898b-40eb81ce6bd5) |
| key_name | - |
| locked | False |
| metadata | {} |
| name | server1 |
| os-extended-volumes:volumes_attached | [] |
| private network | 10.0.10.6, fd7a:6b74:f7b9:0:f816:3eff:fe14:d99 |
| progress | 0 |
| security_groups | default |
| status | ACTIVE |
| tenant_id | 533daaf421554a84aa3b023b4a9c341c |
| updated | 2016-01-28T06:02:59Z |
| user_id | 357fc80d750646f7b3b56fc1e6792222 |
+--------------------------------------+----------------------------------------------------------------+
stack@devstack-master:/opt/devstack$ nova --service-type compute_legacy --os-user-name alt_demo --os-project-name demo delete server1
Policy doesn't allow compute:delete to be performed. (HTTP 403) (Request-ID: req-cb34aecd-260a-4d50-b481-cd9483ae8745)
ERROR (CommandError): Unable to delete the specified server(s).
stack@devstack-master:/opt/devstack$ nova --service-type compute_legacy --os-user-name demo --os-project-name demo delete server1
Request to delete server server1 has been accepted.
stack@devstack-master:/opt/devstack$ nova show server2
+--------------------------------------+----------------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | devstack-master |
| OS-EXT-SRV-ATTR:hostname | server2 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | devstack-master |
| OS-EXT-SRV-ATTR:instance_name | instance-00000006 |
| OS-EXT-SRV-ATTR:kernel_id | b0d768cd-3483-4e25-8b9d-9d8863f16502 |
| OS-EXT-SRV-ATTR:launch_index | 0 |
| OS-EXT-SRV-ATTR:ramdisk_id | cacd6bf4-fd74-49b5-9b62-7094d576ea6a |
| OS-EXT-SRV-ATTR:reservation_id | r-xo3y1bo9 |
| OS-EXT-SRV-ATTR:root_device_name | /dev/vda |
| OS-EXT-SRV-ATTR:user_data | - |
| OS-EXT-STS:power_state | 1 |
| OS-EXT-STS:task_state | - |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2016-01-28T06:06:29.000000 |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| config_drive | True |
| created | 2016-01-28T06:06:18Z |
| flavor | m1.tiny (1) |
| hostId | 5084983d07d356ef1de4eacd7a1ad854a39e6f39582715bc9aed7097 |
| id | c5efae23-b7d6-492c-8a57-578825f8d563 |
| image | cirros-0.3.4-x86_64-uec (b44a1bbe-3968-4664-898b-40eb81ce6bd5) |
| key_name | - |
| locked | False |
| metadata | {} |
| name | server2 |
| os-extended-volumes:volumes_attached | [] |
| private network | 10.0.10.8, fd7a:6b74:f7b9:0:f816:3eff:fe81:2b07 |
| progress | 0 |
| security_groups | default |
| status | ACTIVE |
| tenant_id | 533daaf421554a84aa3b023b4a9c341c |
| updated | 2016-01-28T06:06:29Z |
| user_id | 357fc80d750646f7b3b56fc1e6792222 |
+--------------------------------------+----------------------------------------------------------------+
stack@devstack-master:/opt/devstack$ nova --service-type compute --os-user-name alt_demo --os-project-name demo delete server2
Request to delete server server2 has been accepted.
[Environment]
Ubuntu 14.04 LTS
nova(master, commit 1dfec7186222054c7bc810c9c6894aeac3173321)
novaclient 3.2.0
I have similar issue and confirmed this can be reproduced