non admin project policy.json declarations ignored for most instance actions

Bug #1607602 reported by Sam Morrison
This bug affects 2 people
Affects: OpenStack Compute (nova) | Status: Confirmed | Importance: Medium | Assigned to: Unassigned | Milestone: (empty)

Bug Description

I'm trying to allow a certain role to do certain things to any project's instances through policy.json, and it isn't working as expected.

I've set the following policies to allow my role to do a "nova show", but with no luck; the same is true of any other instance action like start, reboot, etc.

"compute:get": "rule:default_or_monitoring",
"compute:get_all": "rule:default_or_monitoring",
"compute:get_all_tenants": "rule:admin_or_monitoring",
"os_compute_api:servers:detail:get_all_tenants": "rule:admin_or_monitoring",
"os_compute_api:servers:index:get_all_tenants": "rule:admin_or_monitoring",
"os_compute_api:servers:detail": "rule:default_or_monitoring",
"os_compute_api:servers:index": "rule:default_or_monitoring",
"os_compute_api:servers:show": "rule:default_or_monitoring",

Upon looking in the code I see that in the DB layer the instance_get function is hard-coded to filter by project if the context isn't admin; see HEAD (as of writing):

https://github.com/openstack/nova/blob/d0905df10a48212950c0854597a2df923e6ddd0c/nova/db/sqlalchemy/api.py#L1885

If I remove this project=True flag then everything works as expected.

Nova API otherwise just returns a 404.
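The two-layer behaviour the report describes, as an added example that is not nova's own code: an API-layer policy check that passes, followed by a DB fetch that scopes every non-admin context to its own project, so the caller gets a 404 even though policy.json allowed the action. The policy names are taken from the report; the rule bodies assumed for "default_or_monitoring" and "admin_or_monitoring", the Context class, the sample instances, the mini rule evaluator and the "policy-driven" variant (which derives the DB scoping from the compute:get_all_tenants decision instead of from is_admin) are constructed assumptions, not nova's implementation or its eventual fix.

```python
"""Added example (not nova's code): a minimal model of API-layer policy
enforcement followed by a project-scoped DB fetch, showing how a hard-coded
'non-admin means own project only' filter overrides policy.json."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Context:
    """Hypothetical stand-in for nova's request context."""
    user_id: str
    project_id: str
    roles: List[str] = field(default_factory=list)
    is_admin: bool = False


# Constructed policy.json fragment.  The string syntax follows oslo.policy's
# form, but the evaluator below understands only 'rule:', 'role:',
# 'is_admin:True', 'project_id:%(project_id)s' and 'or'.
POLICY = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_or_monitoring": "is_admin:True or role:monitoring",          # assumed body
    "default_or_monitoring": "rule:admin_or_owner or role:monitoring",  # assumed body
    "compute:get": "rule:default_or_monitoring",
    "compute:get_all_tenants": "rule:admin_or_monitoring",
}

# Constructed sample instances belonging to two different projects.
INSTANCES = {
    "vm-a": {"uuid": "vm-a", "project_id": "proj-a"},
    "vm-b": {"uuid": "vm-b", "project_id": "proj-b"},
}


def _atom(atom: str, ctx: Context, target: Dict[str, str]) -> bool:
    """Evaluate a single 'kind:value' check against the context and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return policy_allows(ctx, value, target)
    if kind == "role":
        return value in ctx.roles
    if kind == "is_admin":
        return ctx.is_admin == (value == "True")
    if kind == "project_id":  # 'project_id:%(project_id)s': target project must match caller's
        return target.get("project_id") == ctx.project_id
    raise ValueError(f"unsupported check: {atom}")


def policy_allows(ctx: Context, rule: str, target: Optional[Dict[str, str]] = None) -> bool:
    """A rule is a disjunction of atoms; the default target is the caller's own project."""
    target = target if target is not None else {"project_id": ctx.project_id}
    return any(_atom(a.strip(), ctx, target) for a in POLICY[rule].split(" or "))


class NotFound(Exception):
    pass


def instance_get_legacy(ctx: Context, uuid: str) -> dict:
    """Models the behaviour the report points at: non-admin contexts are
    filtered to their own project regardless of what policy decided."""
    inst = INSTANCES.get(uuid)
    if inst is None or (not ctx.is_admin and inst["project_id"] != ctx.project_id):
        raise NotFound(uuid)
    return inst


def instance_get_scoped(ctx: Context, uuid: str, project_only: bool) -> dict:
    """Hypothetical variant: the caller states whether the project filter applies."""
    inst = INSTANCES.get(uuid)
    if inst is None or (project_only and inst["project_id"] != ctx.project_id):
        raise NotFound(uuid)
    return inst


def show_legacy(ctx: Context, uuid: str) -> int:
    """HTTP status a 'nova show' gets when the DB filter is keyed on is_admin."""
    if not policy_allows(ctx, "compute:get"):
        return 403
    try:
        instance_get_legacy(ctx, uuid)
        return 200
    except NotFound:
        return 404


def show_policy_driven(ctx: Context, uuid: str) -> int:
    """Same flow, but the DB scoping follows the cross-tenant policy decision,
    so a role granted compute:get_all_tenants in policy.json is honoured."""
    if not policy_allows(ctx, "compute:get"):
        return 403
    project_only = not policy_allows(ctx, "compute:get_all_tenants")
    try:
        instance_get_scoped(ctx, uuid, project_only)
        return 200
    except NotFound:
        return 404


if __name__ == "__main__":
    monitor = Context("u1", "proj-a", roles=["monitoring"])
    member = Context("u2", "proj-a", roles=["member"])
    for ctx in (monitor, member):
        print(ctx.roles, "vm-b ->", show_legacy(ctx, "vm-b"), show_policy_driven(ctx, "vm-b"))
```

The point the model makes is that authorization decisions taken at two layers must agree: when the data layer re-derives "may this caller see other projects" from a different signal (is_admin) than the policy layer (the role-based rule), the more restrictive layer silently wins and the operator's policy.json grant has no effect.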

Tags: api policy
Sean Dague (sdague) wrote:

Yes, this is definitely the current state of project admin still being somewhat special in code. I think once we get all the policy up into code, we can look into this one in Ocata.

summary: - policy.json ignored for most instance actions
+ non admin project policy.json declarations ignored for most instance
+ actions
Changed in nova:
status: New → Confirmed
importance: Undecided → Medium
tags: added: policy
Sean Dague (sdague)
tags: added: api
Alex Xu (xuhj) wrote:

Yea, we can't list all the instances from the db in the clouds for each api call. But with policy in code, we may discover whether the current request needs to list all the instances from the db. +1, look at it in Ocata.

Changed in nova:
assignee: nobody → Varsha (varsha-jayaraj94)
Changed in nova:
status: Confirmed → In Progress
Sean Dague (sdague) wrote:

There are no currently open reviews on this bug, changing the status back to the previous state and unassigning. If there are active reviews related to this bug, please include links in comments.

Changed in nova:
status: In Progress → Confirmed
assignee: Varsha (varsha-jayaraj94) → nobody