Bug 1164271

Summary: nova evacuate not allowed for non-admin even after policy change
Product: Red Hat OpenStack
Reporter: Marko Myllynen <myllynen>
Component: openstack-nova
Assignee: Sylvain Bauza <sbauza>
Status: CLOSED WONTFIX
QA Contact: yeylon <yeylon>
Severity: medium
Priority: medium
Version: 5.0 (RHEL 7)
CC: berrange, dasmith, myllynen, ndipanov, pbrady, sbauza, sferdjao, sgordon, srevivo, vromanso, yeylon
Target Milestone: ---
Keywords: ZStream
Target Release: 6.0 (Juno)
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-12-16 15:32:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments: nova policy.json (Flags: none)

Description Marko Myllynen 2014-11-14 14:13:28 UTC
Description of problem:
Evacuation fails for non-admins when a compute node is down even after allowing it in the policy:

[root@slabnode887 ~(keystone_test)]# nova evacuate 92c527a5-a93c-4971-a339-2fb516b0b9f9 slabnode888.example.com
ERROR: Policy doesn't allow compute_extension:evacuate to be performed. (HTTP 403) (Request-ID: req-7aa078d6-ea35-4e94-ad09-6802e1364608)
[root@slabnode887 ~(keystone_test)]# vi /etc/nova/policy.json
[root@slabnode887 ~(keystone_test)]# grep evac /etc/nova/policy.json
    "compute_extension:evacuate": "rule:admin_or_owner",
    "compute_extension:v3:os-evacuate": "rule:admin_or_owner",
    "compute_extension:v3:os-evacuate:discoverable": "",
[root@slabnode887 ~(keystone_test)]# nova evacuate 92c527a5-a93c-4971-a339-2fb516b0b9f9 slabnode888.example.com
ERROR: User does not have admin privileges (HTTP 403) (Request-ID: req-d4bc2533-5a25-4d22-b74b-f3f8e8c16cd2)
[root@slabnode887 ~(keystone_test)]# 

There's nothing in any logs except the 403 status in nova-api.log:

2014-11-14 13:45:29.151 5896 INFO urllib3.connectionpool [-] Starting new HTTP connection (1): 10.91.132.196
2014-11-14 13:45:29.231 5896 INFO urllib3.connectionpool [-] Starting new HTTP connection (1): 10.91.132.196
2014-11-14 13:45:29.388 5896 INFO nova.osapi_compute.wsgi.server [req-cff9ae0e-0350-49d3-9b30-c2d6e352954e bbb744ec890b42acb7f3a86f663736dc 277ed3fc34004564a410d15a067a6ebb] 10.91.132.196 "GET /v2/277ed3fc34004564a410d15a067a6ebb/servers/92c527a5-a93c-4971-a339-2fb516b0b9f9 HTTP/1.1" status: 200 len: 1660 time: 0.2384870
2014-11-14 13:45:29.394 5896 INFO nova.osapi_compute.wsgi.server [req-fab0d8a4-ab27-4183-bae0-f3f843a64902 bbb744ec890b42acb7f3a86f663736dc 277ed3fc34004564a410d15a067a6ebb] 10.91.132.196 "POST /v2/277ed3fc34004564a410d15a067a6ebb/servers/92c527a5-a93c-4971-a339-2fb516b0b9f9/action HTTP/1.1" status: 403 len: 272 time: 0.0034630

Version-Release number of selected component (if applicable):
openstack-nova-api-2014.1.3-4.el7ost.noarch

Comment 2 Sylvain Bauza 2014-11-20 16:55:43 UTC
Could you please provide us the policy.json file?

Comment 3 Marko Myllynen 2014-11-26 12:41:31 UTC
Created attachment 961652 [details]
nova policy.json

Comment 6 Sylvain Bauza 2015-04-22 13:52:54 UTC
While investigating the issue, I discovered that Nova still checks some internal methods against an admin context and raises an exception if the user does not have an admin role.

Consequently, even if policy.json explicitly allows end users to access the API endpoint (like evacuate), an internal method (here service_get_by_compute_node) would be denied for anyone but admins.

I just created an upstream bug https://bugs.launchpad.net/nova/+bug/1447164 but I'm really unsure if the backport could be accepted.

Leaving the bug to ASSIGNED until I gather further feedback.
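The following is an added illustration of the two-layer behaviour described in Comment 6; it is not Nova's code and not the fix applied upstream. It models the policy.json rule enforced at the API layer and a separate, hard-coded admin check on an internal function (the pattern of Nova's require_admin_context decorator on DB API functions), and shows why loosening the policy rule alone produces the second 403 the reporter saw. The RequestContext, enforce, and evacuate functions, the policy table, and the `elevate` switch are all constructed for this example; calling the internal function with an elevated context is shown as one way such a mismatch is commonly resolved, not as what this bug's resolution was.

```python
"""Model of a policy-layer check followed by an internal admin-only check.

Constructed example. The class and function names imitate Nova's shape
(RequestContext.elevated(), require_admin_context, PolicyNotAuthorized,
AdminRequired) but none of this is Nova's implementation.
"""
import functools


class PolicyNotAuthorized(Exception):
    """Raised by the policy layer; matches the first 403 message in the report."""


class AdminRequired(Exception):
    """Raised by the internal check; matches the second 403 message in the report."""


class RequestContext:
    """Minimal request context: who is calling, for which project, with which roles."""

    def __init__(self, user_id, project_id, roles=()):
        self.user_id = user_id
        self.project_id = project_id
        self.roles = tuple(roles)
        self.is_admin = "admin" in self.roles

    def elevated(self):
        """Copy of this context with the admin role added, for internal calls only."""
        return RequestContext(self.user_id, self.project_id, self.roles + ("admin",))


def enforce(policy, action, context, target):
    """Evaluate a policy.json-style rule string for `action` against `context`."""
    rule = policy.get(action, "rule:admin_api")  # constructed default: admin only
    if rule == "rule:admin_api":
        allowed = context.is_admin
    elif rule == "rule:admin_or_owner":
        allowed = context.is_admin or context.project_id == target.get("project_id")
    elif rule == "":
        allowed = True
    else:
        raise ValueError("unsupported rule %r" % rule)
    if not allowed:
        raise PolicyNotAuthorized("Policy doesn't allow %s to be performed." % action)


def require_admin_context(func):
    """Internal admin gate that is independent of policy.json."""

    @functools.wraps(func)
    def wrapper(context, *args, **kwargs):
        if not context.is_admin:
            raise AdminRequired("User does not have admin privileges")
        return func(context, *args, **kwargs)

    return wrapper


@require_admin_context
def service_get_by_compute_node(context, host):
    """Stand-in for the internal lookup named in Comment 6."""
    return {"host": host, "binary": "nova-compute", "disabled": False}


def evacuate(context, instance, host, policy, elevate=False):
    """API-layer evacuate: policy check first, then the internal lookup.

    With elevate=False the caller's own context reaches the internal function,
    so a non-admin is rejected there even when the policy rule allowed the call.
    """
    enforce(policy, "compute_extension:evacuate", context, instance)
    internal_ctx = context.elevated() if elevate else context
    return service_get_by_compute_node(internal_ctx, host)["host"]


def outcome(rule, is_admin, elevate):
    """Run one evacuate attempt and name which layer (if any) rejected it."""
    policy = {"compute_extension:evacuate": rule}
    roles = ("admin",) if is_admin else ("member",)
    ctx = RequestContext("user-1", "project-1", roles)
    instance = {"id": "instance-1", "project_id": "project-1"}  # constructed
    try:
        evacuate(ctx, instance, "compute-2.example.com", policy, elevate)
    except PolicyNotAuthorized:
        return "policy-denied"
    except AdminRequired:
        return "admin-required"
    return "ok"


if __name__ == "__main__":
    print("default rule, non-admin:        ", outcome("rule:admin_api", False, False))
    print("admin_or_owner, non-admin:      ", outcome("rule:admin_or_owner", False, False))
    print("admin_or_owner, non-admin, elev:", outcome("rule:admin_or_owner", False, True))
    print("admin_or_owner, admin:          ", outcome("rule:admin_or_owner", True, False))
```

The second line of output reproduces the report: the policy layer passes, then the internal gate returns "User does not have admin privileges". The practical point for anyone auditing a policy.json change is that the file governs only the first layer, so a permission edit has to be verified end to end with a non-admin token rather than by reading the rule.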