Description of problem:
Evacuation fails for non-admins when a compute node is down even after allowing it in the policy:

[root@slabnode887 ~(keystone_test)]# nova evacuate 92c527a5-a93c-4971-a339-2fb516b0b9f9 slabnode888.example.com
ERROR: Policy doesn't allow compute_extension:evacuate to be performed. (HTTP 403) (Request-ID: req-7aa078d6-ea35-4e94-ad09-6802e1364608)
[root@slabnode887 ~(keystone_test)]# vi /etc/nova/policy.json
[root@slabnode887 ~(keystone_test)]# grep evac /etc/nova/policy.json
    "compute_extension:evacuate": "rule:admin_or_owner",
    "compute_extension:v3:os-evacuate": "rule:admin_or_owner",
    "compute_extension:v3:os-evacuate:discoverable": "",
[root@slabnode887 ~(keystone_test)]# nova evacuate 92c527a5-a93c-4971-a339-2fb516b0b9f9 slabnode888.example.com
ERROR: User does not have admin privileges (HTTP 403) (Request-ID: req-d4bc2533-5a25-4d22-b74b-f3f8e8c16cd2)
[root@slabnode887 ~(keystone_test)]#

There's nothing in any logs except the 403 status in nova-api.log:

2014-11-14 13:45:29.151 5896 INFO urllib3.connectionpool [-] Starting new HTTP connection (1): 10.91.132.196
2014-11-14 13:45:29.231 5896 INFO urllib3.connectionpool [-] Starting new HTTP connection (1): 10.91.132.196
2014-11-14 13:45:29.388 5896 INFO nova.osapi_compute.wsgi.server [req-cff9ae0e-0350-49d3-9b30-c2d6e352954e bbb744ec890b42acb7f3a86f663736dc 277ed3fc34004564a410d15a067a6ebb] 10.91.132.196 "GET /v2/277ed3fc34004564a410d15a067a6ebb/servers/92c527a5-a93c-4971-a339-2fb516b0b9f9 HTTP/1.1" status: 200 len: 1660 time: 0.2384870
2014-11-14 13:45:29.394 5896 INFO nova.osapi_compute.wsgi.server [req-fab0d8a4-ab27-4183-bae0-f3f843a64902 bbb744ec890b42acb7f3a86f663736dc 277ed3fc34004564a410d15a067a6ebb] 10.91.132.196 "POST /v2/277ed3fc34004564a410d15a067a6ebb/servers/92c527a5-a93c-4971-a339-2fb516b0b9f9/action HTTP/1.1" status: 403 len: 272 time: 0.0034630

Version-Release number of selected component (if applicable):
openstack-nova-api-2014.1.3-4.el7ost.noarch
Could you please provide us the policy.json file ?
Created attachment 961652: nova policy.json
While investigating the issue, I discovered that Nova still continues to check some internal methods against an admin context and raises an exception if the user does not have an admin role. Consequently, even if policy.json explicitly allows end-users to access the API endpoint (like evacuate), an internal method (here service_get_by_compute_node) would be denied for anyone but admins. I just created an upstream bug https://bugs.launchpad.net/nova/+bug/1447164 but I'm really unsure whether the backport could be accepted. Leaving the bug in ASSIGNED until I gather further feedback.
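The two-layer behaviour described in the comments above (the API action passing the policy.json rule, then an internal call refusing any non-admin context) is easy to model. The following is an added illustration written for this page; it is not nova's code and not part of the bug thread. The policy rule evaluator, the `require_admin_context` decorator, the inventory dictionaries and the `evacuate()` flow are simplified assumptions that only keep the shape of what nova does, and the UUIDs and hostnames are copied from the report purely as sample data.

```python
"""Toy model of the two authorization layers behind the 403s in this bug.

Added illustration, not nova's code. Two gates are modelled:
  * the API layer evaluates a policy.json-style rule for the action;
  * an internal DB-style function is wrapped in a decorator that raises
    for any non-admin context, regardless of what policy.json says.
Rule syntax, decorator and flow are simplified assumptions.
"""
import functools


class AdminRequired(Exception):
    """Stands in for nova's 'User does not have admin privileges' error."""


class PolicyNotAuthorized(Exception):
    """Stands in for 'Policy doesn't allow <action> to be performed.'"""


class RequestContext:
    """Minimal request context: admin-ness is derived from the roles."""

    def __init__(self, user_id, project_id, roles):
        self.user_id = user_id
        self.project_id = project_id
        self.roles = set(roles)
        self.is_admin = "admin" in self.roles


# Constructed policy table equivalent to the policy.json edit in the report.
# Supported forms are kept deliberately small: a callable, or "rule:<name>"
# pointing at another entry (assumption, not oslo.policy's grammar).
POLICY = {
    "admin_api": lambda ctx, target: ctx.is_admin,
    "admin_or_owner": lambda ctx, target: (
        ctx.is_admin or ctx.project_id == target.get("project_id")),
    "compute_extension:evacuate": "rule:admin_or_owner",
}


def enforce(action, ctx, target):
    """Resolve 'rule:<name>' references, then evaluate the final callable."""
    rule = POLICY[action]
    while isinstance(rule, str):
        rule = POLICY[rule.split(":", 1)[1]]
    if not rule(ctx, target):
        raise PolicyNotAuthorized(
            "Policy doesn't allow %s to be performed." % action)


def require_admin_context(f):
    """Hard-coded admin check on an internal call; policy.json never sees it."""
    @functools.wraps(f)
    def wrapper(ctx, *args, **kwargs):
        if not ctx.is_admin:
            raise AdminRequired("User does not have admin privileges")
        return f(ctx, *args, **kwargs)
    return wrapper


# Constructed inventory standing in for the database.
SERVICES = {
    "slabnode888.example.com": {"host": "slabnode888.example.com",
                                "binary": "nova-compute", "disabled": False},
}
INSTANCES = {
    "92c527a5-a93c-4971-a339-2fb516b0b9f9": {
        "project_id": "277ed3fc34004564a410d15a067a6ebb"},
}


@require_admin_context
def service_get_by_compute_node(ctx, host):
    return SERVICES[host]


def evacuate(ctx, instance_id, host):
    """Return which gate stopped the request, or 'ok' if it went through."""
    instance = INSTANCES[instance_id]
    try:
        enforce("compute_extension:evacuate", ctx, instance)
    except PolicyNotAuthorized:
        return "denied by policy"
    try:
        service_get_by_compute_node(ctx, host)  # internal admin-only lookup
    except AdminRequired:
        return "denied by admin check"
    return "ok"


if __name__ == "__main__":
    INSTANCE = "92c527a5-a93c-4971-a339-2fb516b0b9f9"
    HOST = "slabnode888.example.com"
    owner = RequestContext("bbb744ec890b42acb7f3a86f663736dc",
                           "277ed3fc34004564a410d15a067a6ebb", ["member"])
    admin = RequestContext("admin", "admin-project", ["admin"])
    stranger = RequestContext("someone", "other-project", ["member"])
    for name, ctx in (("owner", owner), ("admin", admin), ("stranger", stranger)):
        print("%-8s -> %s" % (name, evacuate(ctx, INSTANCE, HOST)))
```

The practical check this suggests: after relaxing any rule in policy.json, exercise the action end to end with a non-admin token rather than trusting the policy file, because a second, code-level admin gate can still return 403 with a different message (here "User does not have admin privileges" instead of the policy error).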