Nova: policy file should be managed in compute nodes

Bug #1955786 reported by Takashi Kajinami
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Takashi Kajinami

Bug Description

Description
===========
There are some features in nova-compute which validate policy rules.
For example when connecting an instance to an external network, nova-compute checks the ``network:attach_external_network`` policy to determine whether the operation is permitted.

However, currently the configuration of policy rules is associated with nova-api and is not invoked in compute nodes.

Because of this, even if a user tries to update the ``network:attach_external_network`` policy, the definition is applied only in controller nodes and nova-compute can't detect it.

Steps to reproduce
==================
* Deploy overcloud with NovaApiPolicies
* Check /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova in compute nodes

Expected result
===============
* The policy file includes the rules defined by NovaApiPolicies

Actual result
=============
* The policy file is not updated and the default empty file is used

Environment
===========
N/A

Logs & Configs
==============
N/A
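
A check for the "Steps to reproduce" and "Expected result" above, as an added example that is not part of the original report or of the TripleO code: it reads a nova policy file and reports whether a rule such as ``network:attach_external_network`` is actually defined in it. The file name policy.yaml, the one-pair-per-line layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. FILE is the policy file under the
# directory named in "Steps to reproduce"; its name (policy.yaml) is assumed.
# Assumes one flat `"rule": "check string"` pair per line.

# policy_rule_value FILE RULE
# Prints the check string set for RULE and returns 0. Returns 1 when the file
# has rules but not RULE, 2 when the file is missing or defines no rules.
policy_rule_value() {
    file=$1
    rule=$2
    [ -f "$file" ] || return 2
    # Drop comments, blank lines and the YAML document marker.
    rules=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' -e '^---' "$file") || return 2
    if [ "$rules" = "{}" ]; then return 2; fi
    printf '%s\n' "$rules" | awk -v rule="$rule" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            q = substr(line, 1, 1)            # optional quote around the key
            if (q == "\"" || q == "\047") line = substr(line, 2); else q = ""
            key = rule q ":"                  # literal prefix match, not a regex
            if (index(line, key) != 1) next
            val = substr(line, length(key) + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            f = substr(val, 1, 1)
            if (length(val) > 1 && f == substr(val, length(val)) && (f == "\"" || f == "\047"))
                val = substr(val, 2, length(val) - 2)
            print val
            found = 1
            exit
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample: an empty default file versus one carrying an override.
demo() {
    dir=$(mktemp -d)
    printf '{}\n' > "$dir/default.yaml"
    printf '"network:attach_external_network": "role:admin"\n' > "$dir/managed.yaml"
    for f in default managed; do
        if v=$(policy_rule_value "$dir/$f.yaml" network:attach_external_network); then
            echo "$f: rule set to '$v'"
        else
            echo "$f: rule not managed"
        fi
    done
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run with the argument `demo` to see both outcomes on the constructed files; on a compute node, call `policy_rule_value` with the real policy file path instead.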

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)
Changed in tripleo:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)
Changed in tripleo:
assignee: nobody → Takashi Kajinami (kajinamit)
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/822991
Committed: https://opendev.org/openstack/puppet-tripleo/commit/6cc58e8ac46ec0d4a0b3208b05eaccb289905e31
Submitter: "Zuul (22348)"
Branch: master

commit 6cc58e8ac46ec0d4a0b3208b05eaccb289905e31
Author: Takashi Kajinami <email address hidden>
Date: Mon Dec 27 15:42:57 2021 +0900

    Enable policy rule management in nova-compute

    There are some features in nova-compute which validate policy rules.
    For example when connecting an instance to an external network,
    nova-compute checks ``network:attach_external_network`` to determine
    whether the operation is permitted.

    This change makes sure that the nova policy file in compute nodes is
    also managed by puppet-tripleo.

    Partial-Bug: #1955786
    Change-Id: I490cc558238719d4c9585e2a57497d1b1787a9ed

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/822992
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/2a27e8bdbb5655851a65163ff968546233ce0e60
Submitter: "Zuul (22348)"
Branch: master

commit 2a27e8bdbb5655851a65163ff968546233ce0e60
Author: Takashi Kajinami <email address hidden>
Date: Mon Dec 27 15:57:02 2021 +0900

    Enable policy rule management in nova-compute

    There are some features in nova-compute which validate policy rules.
    For example when connecting an instance to an external network,
    nova-compute checks ``network:attach_external_network`` to determine
    whether the operation is permitted.

    This change migrates definition of nova::policy hieradata from nova-api
    to nova-base so that the hieradata can be used by both nova-api and
    nova-compute.

    Closes-Bug: #1955786
    Depends-on: https://review.opendev.org/822991
    Change-Id: I90be98d67ede06933bbcf3ad5448365ea220f1a9

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/824690

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 16.0.0

This issue was fixed in the openstack/tripleo-heat-templates 16.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/867605

OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (stable/wallaby)

Change abandoned by "Takashi Kajinami <email address hidden>" on branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/824690
Reason: I'll abandon this as it seems there is no interest to have this fixed.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (stable/wallaby)

Change abandoned by "Takashi Kajinami <email address hidden>" on branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/867605
Reason: I'll abandon this as it seems there is no interest to have this fixed.
