Bug 1342601

Summary: Major change in functionality between Nova API v2.0 and v2.1
Product: Red Hat OpenStack
Reporter: Irina Petrova <ipetrova>
Component: openstack-nova
Assignee: Sylvain Bauza <sbauza>
Status: CLOSED WONTFIX
QA Contact: Prasanth Anbalagan <panbalag>
Severity: high
Docs Contact:
Priority: unspecified
Version: 8.0 (Liberty)
CC: berrange, dasmith, eglynn, ipetrova, kchamart, pablo.iranzo, rhos-docs, sbauza, sferdjao, sgordon, srevivo, vromanso
Target Milestone: ---
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1342596
Environment:
Last Closed: 2016-06-14 12:20:17 UTC
Type: Bug
Bug Depends On: 1342596    
Bug Blocks:    

Comment 7 Irina Petrova 2016-06-14 11:20:14 UTC
Hey Sylvain,

Whenever you have the time, could you please say a word or two on what your thoughts are about this, and whether you are aware of us having any way to implement authorization based on user_id, now or in the future?

Thanks in advance.


Comment 8 Sylvain Bauza 2016-06-14 12:20:17 UTC
So, the upstream consensus is that the policy modification using user_id was not something Nova was supporting because it was not verified (not even known, only by operators).

When the API version was bumped to v2.1, we then didn't check whether the non-supported features were still fine. That's not something we can call a regression if the non-supported feature was no longer working, as it's also not an API modification but rather only a fluke of the policy engine.

That said, the Nova upstream community understands it can be a feature for operators (at least for deleting instances only) and that's why the consensus was also to create a new blueprint (and a spec) to now support it in Newton (for v2.1 only since v2.0 is only stable/supported).

Given the above is not yet something merged upstream (not even accepted yet), I think we should WONTFIX the behaviour here for OSP8 (Liberty) and rather change the documentation to explicitly remove any comment about modifying the policy file for that, and rather tell users that they can use the lock operation to make sure other users (from the same project) can't delete their own instances.

Comment 9 Irina Petrova 2016-06-14 12:59:55 UTC
(In reply to Sylvain Bauza from comment #8)

Awesome, thanks for the link, Sylvain.