Bug 1342596

Summary: [Docs] [Nova] Major change in functionality between Nova API v2.0 and v2.1
Product: Red Hat OpenStack
Reporter: Irina Petrova <ipetrova>
Component: documentation
Assignee: Martin Lopes <mlopes>
Status: CLOSED CURRENTRELEASE
QA Contact: Radek Bíba <rbiba>
Severity: high
Priority: high
Version: 8.0 (Liberty)
CC: adahms, ipetrova, mlopes, pcaruana, srevivo
Target Milestone: async
Keywords: Documentation, ZStream
Target Release: 8.0 (Liberty)
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of:
: 1342601
Last Closed: 2016-07-11 07:55:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1342601

Description Irina Petrova 2016-06-03 15:55:19 UTC
Description of problem:

Major change in functionality between Nova API v2.0 and v2.1 requires acknowledgment since it contradicts our current documentation and introduces security risks if left unnoticed.

[1] https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/7/configuration-reference/appendix-a-the-policyjson-file

[2] https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/configuration-reference/appendix-a-the-policyjson-file

Documentation [1] & [2] should get a footnote specifying that the aforementioned functionality is limited to Nova API v2.0 and currently does *not* apply to Nova API v2.1.


...as is obvious from the upstream code:
https://bugs.launchpad.net/nova/+bug/1539351
(see comments #8 through #16)


Case:

If authorization for deleting a VM instance is done by user_id,
it works fine in the V2.0 API, but it does not work in the V2.1 API.

[How to reproduce]
In nova policy.json,
add the following entries (or modify existing entries to match the following).

-----------------------------------------------
"user": "user_id:%(user_id)s",
"compute:delete": "rule:user",
"os_compute_api:servers:delete": "rule:user",
-----------------------------------------------

In nova api-paste.ini,
change 'openstack_compute_api_v21_legacy_v2_compatible' to
'openstack_compute_api_legacy_v2' for "/v2" endpoint.

-----------------------------------------------
[composite:osapi_compute]
use = call:nova.api.openstack.urlmap:urlmap_factory
/: oscomputeversions
/v2: openstack_compute_api_legacy_v2
/v2.1: openstack_compute_api_v21
-----------------------------------------------

In V2.0 API, the authorization by 'user_id' works fine.
Only the user who created a VM instance can delete the VM instance.

In V2.1 API, the authorization by 'user_id' does not work.
Any user in the same project can delete a VM instance that another user created.

stack@devstack-master:/opt/devstack$ openstack user list
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 1cd4d65d4f534cd89299bbf31edb37a4 | admin |
| 218e7be255be4c90bf0c4d796a9d509c | nova |
| 357fc80d750646f7b3b56fc1e6792222 | demo |
| 37c5204df2d345fb8a76359966dc8d1b | heat |
| 4a6e928a20a743a6a3d80944c607a22a | neutron |
| 8c613c4691e2447e8082f6c425cd34af | glance |
| 9ab80146bc964e81bfcf3331f6b8bb2d | alt_demo |
| ecd940201f5c45a8833bb739149a54f0 | cinder |
+----------------------------------+----------+
stack@devstack-master:/opt/devstack$ openstack project list
+----------------------------------+--------------------+
| ID | Name |
+----------------------------------+--------------------+
| 4b7c129ea5ee49d1a620c26272091ec7 | admin |
| 4c3e76d51a3c4df384c74b8cafb3a9cc | invisible_to_admin |
| 533daaf421554a84aa3b023b4a9c341c | demo |
| b04c7788628849a48b831f5ad57e374a | service |
+----------------------------------+--------------------+
stack@devstack-master:/opt/devstack$ openstack catalog show compute
+-----------+----------------------------------------------------------------------------+
| Field | Value |
+-----------+----------------------------------------------------------------------------+
| endpoints | RegionOne |
| | publicURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c |
| | internalURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c |
| | adminURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c |
| | |
| name | nova |
| type | compute |
+-----------+----------------------------------------------------------------------------+
stack@devstack-master:/opt/devstack$ openstack catalog show compute_legacy
+-----------+--------------------------------------------------------------------------+
| Field | Value |
+-----------+--------------------------------------------------------------------------+
| endpoints | RegionOne |
| | publicURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c |
| | internalURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c |
| | adminURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c |
| | |
| name | nova_legacy |
| type | compute_legacy |
+-----------+--------------------------------------------------------------------------+
stack@devstack-master:/opt/devstack$ nova show server1
+--------------------------------------+----------------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | devstack-master |
| OS-EXT-SRV-ATTR:hostname | server1 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | devstack-master |
| OS-EXT-SRV-ATTR:instance_name | instance-00000004 |
| OS-EXT-SRV-ATTR:kernel_id | b0d768cd-3483-4e25-8b9d-9d8863f16502 |
| OS-EXT-SRV-ATTR:launch_index | 0 |
| OS-EXT-SRV-ATTR:ramdisk_id | cacd6bf4-fd74-49b5-9b62-7094d576ea6a |
| OS-EXT-SRV-ATTR:reservation_id | r-workgpr8 |
| OS-EXT-SRV-ATTR:root_device_name | /dev/vda |
| OS-EXT-SRV-ATTR:user_data | - |
| OS-EXT-STS:power_state | 1 |
| OS-EXT-STS:task_state | - |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2016-01-28T06:02:59.000000 |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| config_drive | True |
| created | 2016-01-28T06:02:47Z |
| flavor | m1.tiny (1) |
| hostId | 5084983d07d356ef1de4eacd7a1ad854a39e6f39582715bc9aed7097 |
| id | cb921ee5-07b6-4f2e-b66a-efcc05a74368 |
| image | cirros-0.3.4-x86_64-uec (b44a1bbe-3968-4664-898b-40eb81ce6bd5) |
| key_name | - |
| locked | False |
| metadata | {} |
| name | server1 |
| os-extended-volumes:volumes_attached | [] |
| private network | 10.0.10.6, fd7a:6b74:f7b9:0:f816:3eff:fe14:d99 |
| progress | 0 |
| security_groups | default |
| status | ACTIVE |
| tenant_id | 533daaf421554a84aa3b023b4a9c341c |
| updated | 2016-01-28T06:02:59Z |
| user_id | 357fc80d750646f7b3b56fc1e6792222 |
+--------------------------------------+----------------------------------------------------------------+
stack@devstack-master:/opt/devstack$ nova --service-type compute_legacy --os-user-name alt_demo --os-project-name demo delete server1
Policy doesn't allow compute:delete to be performed. (HTTP 403) (Request-ID: req-cb34aecd-260a-4d50-b481-cd9483ae8745)
ERROR (CommandError): Unable to delete the specified server(s).
stack@devstack-master:/opt/devstack$ nova --service-type compute_legacy --os-user-name demo --os-project-name demo delete server1
Request to delete server server1 has been accepted.

stack@devstack-master:/opt/devstack$ nova show server2
+--------------------------------------+----------------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | devstack-master |
| OS-EXT-SRV-ATTR:hostname | server2 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | devstack-master |
| OS-EXT-SRV-ATTR:instance_name | instance-00000006 |
| OS-EXT-SRV-ATTR:kernel_id | b0d768cd-3483-4e25-8b9d-9d8863f16502 |
| OS-EXT-SRV-ATTR:launch_index | 0 |
| OS-EXT-SRV-ATTR:ramdisk_id | cacd6bf4-fd74-49b5-9b62-7094d576ea6a |
| OS-EXT-SRV-ATTR:reservation_id | r-xo3y1bo9 |
| OS-EXT-SRV-ATTR:root_device_name | /dev/vda |
| OS-EXT-SRV-ATTR:user_data | - |
| OS-EXT-STS:power_state | 1 |
| OS-EXT-STS:task_state | - |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2016-01-28T06:06:29.000000 |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| config_drive | True |
| created | 2016-01-28T06:06:18Z |
| flavor | m1.tiny (1) |
| hostId | 5084983d07d356ef1de4eacd7a1ad854a39e6f39582715bc9aed7097 |
| id | c5efae23-b7d6-492c-8a57-578825f8d563 |
| image | cirros-0.3.4-x86_64-uec (b44a1bbe-3968-4664-898b-40eb81ce6bd5) |
| key_name | - |
| locked | False |
| metadata | {} |
| name | server2 |
| os-extended-volumes:volumes_attached | [] |
| private network | 10.0.10.8, fd7a:6b74:f7b9:0:f816:3eff:fe81:2b07 |
| progress | 0 |
| security_groups | default |
| status | ACTIVE |
| tenant_id | 533daaf421554a84aa3b023b4a9c341c |
| updated | 2016-01-28T06:06:29Z |
| user_id | 357fc80d750646f7b3b56fc1e6792222 |
+--------------------------------------+----------------------------------------------------------------+
stack@devstack-master:/opt/devstack$ nova --service-type compute --os-user-name alt_demo --os-project-name demo delete server2
Request to delete server server2 has been accepted.
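As an added illustration (not code from the bug report or from Nova itself) of why the same policy.json entries behave differently in the two API versions: a minimal stand-in for the `attr:%(key)s` policy check, evaluated against the target each API version hands the enforcer. The v2.1 branch follows the explanation in the referenced upstream bug (the enforcer receives the caller's own context instead of the instance); that is an assumption about Nova internals, stated in the comments, and the user and project IDs are the ones from the report above.

```python
import re

# Stand-in for oslo.policy's generic "cred_attr:%(target_attr)s" check:
# the left side is looked up in the caller's credentials, the right side
# is substituted from the *target* that the API layer passes to enforce().
GENERIC = re.compile(r"^(?P<cred>\w+):%\((?P<target>\w+)\)s$")

def check_generic(rule, creds, target):
    m = GENERIC.match(rule)
    if not m:
        raise ValueError("unsupported rule: %s" % rule)
    return str(creds.get(m.group("cred"))) == str(target.get(m.group("target")))

def enforce(policy, action, creds, target):
    """Resolve 'rule:<name>' indirections, then evaluate the generic check."""
    rule = policy[action]
    while rule.startswith("rule:"):
        rule = policy[rule[len("rule:"):]]
    return check_generic(rule, creds, target)

# policy.json entries exactly as given in the bug report
POLICY = {
    "user": "user_id:%(user_id)s",
    "compute:delete": "rule:user",
    "os_compute_api:servers:delete": "rule:user",
}

# IDs from the report: demo owns server1; alt_demo is another user in project demo.
DEMO = "357fc80d750646f7b3b56fc1e6792222"
ALT_DEMO = "9ab80146bc964e81bfcf3331f6b8bb2d"
PROJECT = "533daaf421554a84aa3b023b4a9c341c"
INSTANCE = {"user_id": DEMO, "project_id": PROJECT}  # server1's own attributes

def v20_delete_allowed(caller_user_id):
    # Legacy v2 (as reported): compute:delete is enforced against the instance,
    # so %(user_id)s resolves to the instance owner's id.
    creds = {"user_id": caller_user_id, "project_id": PROJECT}
    return enforce(POLICY, "compute:delete", creds, INSTANCE)

def v21_delete_allowed(caller_user_id):
    # v2.1 (assumption taken from the upstream bug discussion): the target
    # defaults to the caller's own context, so %(user_id)s resolves to the
    # caller's id and the comparison is trivially true for every user.
    creds = {"user_id": caller_user_id, "project_id": PROJECT}
    target = {"user_id": creds["user_id"], "project_id": creds["project_id"]}
    return enforce(POLICY, "os_compute_api:servers:delete", creds, target)

if __name__ == "__main__":
    for uid, name in ((DEMO, "demo"), (ALT_DEMO, "alt_demo")):
        print(name, "v2.0:", v20_delete_allowed(uid), "v2.1:", v21_delete_allowed(uid))
```

The output reproduces the report: alt_demo is refused under v2.0 and accepted under v2.1, which is why a user_id-based rule gives no protection on the v2.1 endpoint.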

Comment 2 Andrew Dahms 2016-06-16 01:25:44 UTC
Assigning to Martin for review.

Comment 5 Martin Lopes 2016-06-17 06:59:14 UTC
Republished guides with note in Appendix A:

"The following functionality is limited to Nova API v2.0, and currently does not apply to Nova API v2.1"


Links:
https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/7/configuration-reference/appendix-a-the-policyjson-file

https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/configuration-reference/appendix-a-the-policyjson-file

Comment 6 Martin Lopes 2016-06-17 07:00:10 UTC
For docs QE:

Added this note:
----
<note><para>The following functionality is limited to Nova API v2.0, and currently does <emphasis>not</emphasis> apply to Nova API v2.1</para></note>
----

To these sections:
https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/7/configuration-reference/appendix-a-the-policyjson-file

https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/configuration-reference/appendix-a-the-policyjson-file

Comment 7 Radek Bíba 2016-06-20 06:32:13 UTC
I would use a full stop at the end of the sentence. What do you think?

Comment 9 Martin Lopes 2016-06-23 04:39:33 UTC
I initially thought it would make sense to omit the full stop to avoid any ambiguity about version numbers, but I think the reader would be able to discern this. Added full stop to gitlab draft.

Comment 10 Radek Bíba 2016-06-23 05:56:48 UTC
Thanks, Martin. I believe it'll be clear that the full stop marks the end of the sentence and isn't part of the version string. AFAIK, version strings generally don't end with full stops, anyway.

I don't see the updates at the Portal, but I see them in git. Presumably, you're going to republish the docs shortly. Moving to VERIFIED.

Comment 11 Andrew Dahms 2016-07-11 07:55:55 UTC
This content is now live on the Customer Portal.

Closing.