Cannot suspend instance as regular user

Bug #924417 reported by andrewsben on 2012-01-31
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Brian Waldon

Bug Description

When using a non-admin user, calling suspend on an instance results in the error:

novaclient.exceptions.Forbidden: Policy doesn't allow compute_extension:admin_actions to be performed. (HTTP 403)

When doing the same actions as an admin user it works fine.

Create or select instance, assign the object to a var, e.g. server
server.suspend() to suspend instance
displays the previously stated error

Since it is an instance that is in my tenant I can suspend said instance.

Brian Waldon (bcwaldon) wrote :

So this behavior is correct, as the default policy.json file restricts the compute_extension:admin_actions rule to admins. But what makes sense here is to restrict access to the admin OR the owner of the server. Would that work for you?

Brian Waldon (bcwaldon) wrote :

Actually, it might make more sense to leave the scope of this specific rule alone. You could set the policy to an empty ruleset and depend on the compute::... rules (which already check admin or owner).

The fix for this bug is to provide a default ruleset that allows users to use the 'admin_actions' server actions on instances they own. Turns out that extension name doesn't really make sense :(

Changed in nova:
status: New → Triaged
importance: Undecided → Low
assignee: nobody → Brian Waldon (bcwaldon)
milestone: none → essex-4
Brian Waldon (bcwaldon) wrote :

Hmm, I really don't like enabling all of these actions, even to instance owners, by default. The migrate, migrateLive, resetNetwork, lock and unlock shouldn't be exposed to end-users without good reason. Additionally, it wouldn't be a good move to split up an existing extension, but maybe if it maintains the same interface it isn't a big deal...

Anywho, the temporary fix will still work for existing environments.
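
The policy behaviour discussed in the comments above, as an added example that is not part of the original thread and is not nova's own code. It assumes the list-of-lists rule format (outer list is OR, inner list is AND, an empty list allows everyone); the `compute:action` rule name, the tenants and the callers are hypothetical.

```python
def check(policy, rule, creds, target):
    """True if creds satisfy policy[rule]; outer list is OR, inner is AND."""
    rules = policy.get(rule)
    if rules is None:
        return False                      # unknown rule: deny in this sketch
    if not rules:
        return True                       # empty ruleset: no restriction
    return any(all(_match(policy, m, creds, target) for m in and_list)
               for and_list in rules)

def _match(policy, match, creds, target):
    kind, value = match.split(":", 1)
    if kind == "rule":                    # reference to another named rule
        return check(policy, value, creds, target)
    if kind == "role":
        return value in creds["roles"]
    # generic form, e.g. "project_id:%(project_id)s": caller field vs target
    return creds.get(kind) == value % target

def build_policy(extension_rule):
    return {
        "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
        "compute_extension:admin_actions": extension_rule,
        # Hypothetical stand-in for the compute-level rules the thread
        # says already check admin or owner.
        "compute:action": [["rule:admin_or_owner"]],
    }

def may_call(policy, creds, instance):
    """Both layers must pass: the extension rule, then the compute rule."""
    return (check(policy, "compute_extension:admin_actions", creds, instance)
            and check(policy, "compute:action", creds, instance))

# Constructed sample data, not taken from the report.
INSTANCE = {"project_id": "tenant-a"}
CALLERS = {
    "owner": {"roles": ["member"], "project_id": "tenant-a"},
    "other": {"roles": ["member"], "project_id": "tenant-b"},
    "admin": {"roles": ["admin"], "project_id": "ops"},
}
DEFAULT = build_policy([["role:admin"]])   # reported behaviour: owner gets 403
WORKAROUND = build_policy([])              # empty ruleset from the thread

def outcomes(policy):
    """Map each sample caller to whether an admin action would be allowed."""
    return {name: may_call(policy, c, INSTANCE) for name, c in CALLERS.items()}

print("default   ", outcomes(DEFAULT))
print("workaround", outcomes(WORKAROUND))
```

Because one rule gates the whole extension, the workaround result applies equally to the migrate, migrateLive, resetNetwork, lock and unlock actions named in the comment above.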

Brian Waldon (bcwaldon) on 2012-02-01
Changed in nova:
status: Triaged → In Progress

Submitter: Jenkins
Branch: master

commit a2d9645703e54623df3593a3e5629fb3ad60765e
Author: Brian Waldon <email address hidden>
Date: Tue Jan 31 22:56:37 2012 -0800

    Expand policies for admin_actions extension

    Fixes bug 924417

    Change-Id: Ibf62e8e824753dff43e0e86cb9d320086c2c753b

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-02-29
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-4 → 2012.1