OpenStack Compute (nova)

  1. Bug #1960247
  2. Activity log

Activity log for bug #1960247

Date Who What changed Old value New value Message
2022-02-07 15:46:38 Takashi Kajinami bug added bug
2022-02-07 15:53:37 Takashi Kajinami description Description =========== Since the following change was merged, nova allows authorization by user_id for server suspend action. https://review.opendev.org/c/openstack/nova/+/353344 However the same is not yet implemented in resume action and this results in inconsistent policy rule for corresponding two operations. Steps to reproduce ================== * Define policy rules like the following example "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s" "os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s" * Create a server by a non-admin user * Suspend the server by the user * Resume the server by the user Expected result =============== Both suspend and resume are accepted Actual result ============= Only suspend is accepted and resume fails with ERROR (Forbidden): Policy doesn't allow os_compute_api:os-suspend-server:suspend to be performed. (HTTP 403) (Request-ID: req-...) Environment =========== This issue was initially reported as one found in stable/xena deployment. Logs & Configs ============== N/A Description =========== Since the following change was merged, nova allows authorization by user_id for server suspend action. https://review.opendev.org/c/openstack/nova/+/353344 However the same is not yet implemented in resume action and this results in inconsistent policy rule for corresponding two operations. Steps to reproduce ================== * Define policy rules like the following example   "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s"   "os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s" * Create a server by a non-admin user * Suspend the server by the user * Resume the server by the user Expected result =============== Both suspend and resume are accepted Actual result ============= Only suspend is accepted and resume fails with ERROR (Forbidden): Policy doesn't allow os_compute_api:os-suspend-server:suspend to be performed. (HTTP 403) (Request-ID: req-...) Environment =========== This issue was initially reported as one found in stable/xena deployment. http://lists.openstack.org/pipermail/openstack-discuss/2022-February/027078.html Logs & Configs ============== N/A
2022-02-07 16:01:16 OpenStack Infra nova: status New In Progress
2022-02-07 16:02:41 Takashi Kajinami nova: assignee Takashi Kajinami (kajinamit)
2022-02-07 16:56:53 massimo.sgaravatto bug added subscriber massimo.sgaravatto
2022-02-07 17:21:43 sean mooney nova: importance Undecided Wishlist
2022-02-07 17:28:45 sean mooney nova: status In Progress Opinion