Description
===========
Since the following change was merged, nova allows authorization by user_id for server suspend action.
https://review.opendev.org/c/openstack/nova/+/353344
However the same is not yet implemented in resume action and this results in inconsistent policy rule for corresponding two operations.
Steps to reproduce
==================
* Define policy rules like the following example
"os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s"
"os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s"
* Create a server by a non-admin user
* Suspend the server by the user
* Resume the server by the user
Expected result
===============
Both suspend and resume are accepted
Actual result
=============
Only suspend is accepted and resume fails with
ERROR (Forbidden): Policy doesn't allow os_compute_api:os-suspend-server:suspend to be performed. (HTTP 403) (Request-ID: req-...)
Environment
===========
This issue was initially reported as one found in stable/xena deployment.
Logs & Configs
==============
N/A
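
An added example, not code from nova or from the report: a minimal Python model of how a `user_id:%(user_id)s` check is evaluated against an enforcement target, plus an audit that lists target keys a rule references but the handler never supplies. It assumes (not stated in the report) that the resume handler passes only `project_id` in its target; the `admin_api` definition, the `TARGETS` map and all function names are hypothetical.

```python
import re

SUSPEND = "os_compute_api:os-suspend-server:suspend"
RESUME = "os_compute_api:os-suspend-server:resume"

# Rules from the report; the admin_api definition is a constructed placeholder.
POLICY = {
    "admin_api": "is_admin:True",
    SUSPEND: "rule:admin_api or user_id:%(user_id)s",
    RESUME: "rule:admin_api or user_id:%(user_id)s",
}

# ASSUMPTION (not from the report): server attributes each handler puts in
# the enforcement target.
TARGETS = {SUSPEND: {"user_id", "project_id"}, RESUME: {"project_id"}}

def check(policy, rule, creds, target):
    """Evaluate an 'a or b' rule of rule:<name> and <cred>:<value> checks."""
    for term in policy[rule].split(" or "):
        kind, _, match = term.strip().partition(":")
        if kind == "rule":
            if check(policy, match, creds, target):
                return True
            continue
        try:
            wanted = match % target  # fill %(key)s from the target
        except KeyError:
            continue  # key missing from the target: this check cannot pass
        if str(creds.get(kind)) == wanted:
            return True
    return False

def allowed(action, creds, server):
    """Enforce action using only the target keys its handler supplies."""
    target = {k: server[k] for k in TARGETS[action]}
    return check(POLICY, action, creds, target)

def referenced_keys(policy, rule):
    """Collect %(key)s names used by a rule, following rule: references."""
    keys = set(re.findall(r"%\((\w+)\)s", policy[rule]))
    for sub in re.findall(r"rule:(\S+)", policy[rule]):
        keys |= referenced_keys(policy, sub)
    return keys

def missing_target_keys(policy, targets):
    """Return {action: keys the rule needs but the target lacks}."""
    gaps = {a: sorted(referenced_keys(policy, a) - t) for a, t in targets.items()}
    return {a: g for a, g in gaps.items() if g}
```

Running `missing_target_keys` over a deployment's policy file and a per-action target map flags rules such as the resume rule here, which only an admin can satisfy even though it is written to admit the owner.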