rejecting move operations with qos ports does not work if the operation is called with non admin user
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) |
Fix Released
|
Medium
|
Balazs Gibizer | ||
Stein |
Fix Committed
|
Medium
|
Balazs Gibizer | ||
Train |
Fix Committed
|
Medium
|
Balazs Gibizer |
Bug Description
At the start of the move operation the nova-api checks that the server has ports with resource request as some of the move operations are not supported for such servers yet. Unfortunately if move the operation is called by a non-admin user (either it is a resize, or another move operation with explicit policy change) then nova uses the non-admin token to query neutron. If the neutron port is queried with a non admin token then neutron does not return the resource_request to nova in the port response. Therefore nova thinks that the port ha no resource request and allows the operation.
Reproduce in Ussuri
===================
* Boot a server with qos port.
* Change the nova policy to allow evacuate to be called by the owner of the server "os_compute_
* stop the nova-compute service on the host where the server currently running and wait until the controller decides that the compute is done
* with the non-admin owner initiate the evacuate of the server
Expected:
* evacuate rejected
Actual:
* evacuate accepted (and later fail due to missing implementation)
Triage
======
Due to [1] not using an admin client nova does not get the resource requests of the attached ports.
Affected versions and operations
=======
The resize, migrate, live migrate, evacuate, unshelve opertaions are affected on master, Train, Stein.
Changed in nova: | |
assignee: | nobody → Balazs Gibizer (balazs-gibizer) |
status: | New → Triaged |
importance: | Undecided → Medium |
tags: | added: neutron |
description: | updated |
Changed in nova: | |
assignee: | Balazs Gibizer (balazs-gibizer) → Matt Riedemann (mriedem) |
Changed in nova: | |
assignee: | Matt Riedemann (mriedem) → Balazs Gibizer (balazs-gibizer) |
Fix proposed to branch: master /review. opendev. org/691900
Review: https:/