Description of problem: Major change in functionality between Nova API v2.0 and v2.1 requires acknowledgment since it contradicts our current documentation and introduces security risks if left unnoticed.

[1] https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/7/configuration-reference/appendix-a-the-policyjson-file
[2] https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/configuration-reference/appendix-a-the-policyjson-file

Documentation [1] & [2] should get a footnote specifying that the aforementioned functionality is limited to Nova API v2.0 and currently does *not* apply to Nova API v2.1.

...as obvious from the upstream code: https://bugs.launchpad.net/nova/+bug/1539351
// ^ comments #8 through #16 ^

Case: In case that authorization for deleting a VM instance is done by user_id, it works fine in V2.0 API, but it does not work in V2.1 API.

[How to reproduce]
In nova policy.json, add the following entries (or modify existing entries like the following).
-----------------------------------------------
    "user": "user_id:%(user_id)s",
    "compute:delete": "rule:user",
    "os_compute_api:servers:delete": "rule:user",
-----------------------------------------------

In nova api-paste.ini, change 'openstack_compute_api_v21_legacy_v2_compatible' to 'openstack_compute_api_legacy_v2' for the "/v2" endpoint.
-----------------------------------------------
[composite:osapi_compute]
use = call:nova.api.openstack.urlmap:urlmap_factory
/: oscomputeversions
/v2: openstack_compute_api_legacy_v2
/v2.1: openstack_compute_api_v21
-----------------------------------------------

In V2.0 API, the authorization by 'user_id' works fine. Only the user who created a VM instance can delete the VM instance.
In V2.1 API, the authorization by 'user_id' does not work. Any users in the same project can delete the VM instance that another user created.
stack@devstack-master:/opt/devstack$ openstack user list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 1cd4d65d4f534cd89299bbf31edb37a4 | admin    |
| 218e7be255be4c90bf0c4d796a9d509c | nova     |
| 357fc80d750646f7b3b56fc1e6792222 | demo     |
| 37c5204df2d345fb8a76359966dc8d1b | heat     |
| 4a6e928a20a743a6a3d80944c607a22a | neutron  |
| 8c613c4691e2447e8082f6c425cd34af | glance   |
| 9ab80146bc964e81bfcf3331f6b8bb2d | alt_demo |
| ecd940201f5c45a8833bb739149a54f0 | cinder   |
+----------------------------------+----------+

stack@devstack-master:/opt/devstack$ openstack project list
+----------------------------------+--------------------+
| ID                               | Name               |
+----------------------------------+--------------------+
| 4b7c129ea5ee49d1a620c26272091ec7 | admin              |
| 4c3e76d51a3c4df384c74b8cafb3a9cc | invisible_to_admin |
| 533daaf421554a84aa3b023b4a9c341c | demo               |
| b04c7788628849a48b831f5ad57e374a | service            |
+----------------------------------+--------------------+

stack@devstack-master:/opt/devstack$ openstack catalog show compute
+-----------+----------------------------------------------------------------------------+
| Field     | Value                                                                      |
+-----------+----------------------------------------------------------------------------+
| endpoints | RegionOne                                                                  |
|           |   publicURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c   |
|           |   internalURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c |
|           |   adminURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c    |
|           |                                                                            |
| name      | nova                                                                       |
| type      | compute                                                                    |
+-----------+----------------------------------------------------------------------------+

stack@devstack-master:/opt/devstack$ openstack catalog show compute_legacy
+-----------+--------------------------------------------------------------------------+
| Field     | Value                                                                    |
+-----------+--------------------------------------------------------------------------+
| endpoints | RegionOne                                                                |
|           |   publicURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c   |
|           |   internalURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c |
|           |   adminURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c    |
|           |                                                                          |
| name      | nova_legacy                                                              |
| type      | compute_legacy                                                           |
+-----------+--------------------------------------------------------------------------+

stack@devstack-master:/opt/devstack$ nova show server1
+--------------------------------------+----------------------------------------------------------------+
| Property                             | Value                                                          |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                                         |
| OS-EXT-AZ:availability_zone          | nova                                                           |
| OS-EXT-SRV-ATTR:host                 | devstack-master                                                |
| OS-EXT-SRV-ATTR:hostname             | server1                                                        |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | devstack-master                                                |
| OS-EXT-SRV-ATTR:instance_name        | instance-00000004                                              |
| OS-EXT-SRV-ATTR:kernel_id            | b0d768cd-3483-4e25-8b9d-9d8863f16502                           |
| OS-EXT-SRV-ATTR:launch_index         | 0                                                              |
| OS-EXT-SRV-ATTR:ramdisk_id           | cacd6bf4-fd74-49b5-9b62-7094d576ea6a                           |
| OS-EXT-SRV-ATTR:reservation_id       | r-workgpr8                                                     |
| OS-EXT-SRV-ATTR:root_device_name     | /dev/vda                                                       |
| OS-EXT-SRV-ATTR:user_data            | -                                                              |
| OS-EXT-STS:power_state               | 1                                                              |
| OS-EXT-STS:task_state                | -                                                              |
| OS-EXT-STS:vm_state                  | active                                                         |
| OS-SRV-USG:launched_at               | 2016-01-28T06:02:59.000000                                     |
| OS-SRV-USG:terminated_at             | -                                                              |
| accessIPv4                           |                                                                |
| accessIPv6                           |                                                                |
| config_drive                         | True                                                           |
| created                              | 2016-01-28T06:02:47Z                                           |
| flavor                               | m1.tiny (1)                                                    |
| hostId                               | 5084983d07d356ef1de4eacd7a1ad854a39e6f39582715bc9aed7097       |
| id                                   | cb921ee5-07b6-4f2e-b66a-efcc05a74368                           |
| image                                | cirros-0.3.4-x86_64-uec (b44a1bbe-3968-4664-898b-40eb81ce6bd5) |
| key_name                             | -                                                              |
| locked                               | False                                                          |
| metadata                             | {}                                                             |
| name                                 | server1                                                        |
| os-extended-volumes:volumes_attached | []                                                             |
| private network                      | 10.0.10.6, fd7a:6b74:f7b9:0:f816:3eff:fe14:d99                 |
| progress                             | 0                                                              |
| security_groups                      | default                                                        |
| status                               | ACTIVE                                                         |
| tenant_id                            | 533daaf421554a84aa3b023b4a9c341c                               |
| updated                              | 2016-01-28T06:02:59Z                                           |
| user_id                              | 357fc80d750646f7b3b56fc1e6792222                               |
+--------------------------------------+----------------------------------------------------------------+

stack@devstack-master:/opt/devstack$ nova --service-type compute_legacy --os-user-name alt_demo --os-project-name demo delete server1
Policy doesn't allow compute:delete to be performed. (HTTP 403) (Request-ID: req-cb34aecd-260a-4d50-b481-cd9483ae8745)
ERROR (CommandError): Unable to delete the specified server(s).

stack@devstack-master:/opt/devstack$ nova --service-type compute_legacy --os-user-name demo --os-project-name demo delete server1
Request to delete server server1 has been accepted.

stack@devstack-master:/opt/devstack$ nova show server2
+--------------------------------------+----------------------------------------------------------------+
| Property                             | Value                                                          |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                                         |
| OS-EXT-AZ:availability_zone          | nova                                                           |
| OS-EXT-SRV-ATTR:host                 | devstack-master                                                |
| OS-EXT-SRV-ATTR:hostname             | server2                                                        |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | devstack-master                                                |
| OS-EXT-SRV-ATTR:instance_name        | instance-00000006                                              |
| OS-EXT-SRV-ATTR:kernel_id            | b0d768cd-3483-4e25-8b9d-9d8863f16502                           |
| OS-EXT-SRV-ATTR:launch_index         | 0                                                              |
| OS-EXT-SRV-ATTR:ramdisk_id           | cacd6bf4-fd74-49b5-9b62-7094d576ea6a                           |
| OS-EXT-SRV-ATTR:reservation_id       | r-xo3y1bo9                                                     |
| OS-EXT-SRV-ATTR:root_device_name     | /dev/vda                                                       |
| OS-EXT-SRV-ATTR:user_data            | -                                                              |
| OS-EXT-STS:power_state               | 1                                                              |
| OS-EXT-STS:task_state                | -                                                              |
| OS-EXT-STS:vm_state                  | active                                                         |
| OS-SRV-USG:launched_at               | 2016-01-28T06:06:29.000000                                     |
| OS-SRV-USG:terminated_at             | -                                                              |
| accessIPv4                           |                                                                |
| accessIPv6                           |                                                                |
| config_drive                         | True                                                           |
| created                              | 2016-01-28T06:06:18Z                                           |
| flavor                               | m1.tiny (1)                                                    |
| hostId                               | 5084983d07d356ef1de4eacd7a1ad854a39e6f39582715bc9aed7097       |
| id                                   | c5efae23-b7d6-492c-8a57-578825f8d563                           |
| image                                | cirros-0.3.4-x86_64-uec (b44a1bbe-3968-4664-898b-40eb81ce6bd5) |
| key_name                             | -                                                              |
| locked                               | False                                                          |
| metadata                             | {}                                                             |
| name                                 | server2                                                        |
| os-extended-volumes:volumes_attached | []                                                             |
| private network                      | 10.0.10.8, fd7a:6b74:f7b9:0:f816:3eff:fe81:2b07                |
| progress                             | 0                                                              |
| security_groups                      | default                                                        |
| status                               | ACTIVE                                                         |
| tenant_id                            | 533daaf421554a84aa3b023b4a9c341c                               |
| updated                              | 2016-01-28T06:06:29Z                                           |
| user_id                              | 357fc80d750646f7b3b56fc1e6792222                               |
+--------------------------------------+----------------------------------------------------------------+

stack@devstack-master:/opt/devstack$ nova --service-type compute --os-user-name alt_demo --os-project-name demo delete server2
Request to delete server server2 has been accepted.
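The reproduction above shows the symptom (alt_demo is refused on the v2 endpoint but succeeds on v2.1) without showing why a rule like "user_id:%(user_id)s" can silently stop restricting anything. The script below is an added illustration for this report, not Nova or oslo.policy code: it evaluates a small subset of the policy.json rule language (rule:NAME references and KEY:%(ATTR)s substitutions) and contrasts two ways an API layer can build the target dict that the rule's %(user_id)s is filled from. Treating "the legacy v2 API passes the instance as the target, the v2.1 API passes the caller's own context" as the mechanism is an assumption chosen to reproduce the behaviour seen here, not a quotation of Nova internals. The policy entries and the user/project/instance IDs are the ones shown in the report; the owner_restriction_effective check is the kind of two-user test an operator can run against a real endpoint instead of trusting the documentation.

```python
"""Model of how a Nova policy.json rule like "user_id:%(user_id)s" is evaluated.

Added illustration for the bug report above; not Nova or oslo.policy code.
Only a small subset of the rule grammar is handled (rule:NAME and
KEY:%(ATTR)s / KEY:literal). The "instance" versus "context" target
styles below are an assumption made to reproduce the reported behaviour.
"""

# Policy entries quoted in the report.
POLICY = {
    "user": "user_id:%(user_id)s",
    "compute:delete": "rule:user",
    "os_compute_api:servers:delete": "rule:user",
}

# IDs taken from the report's `openstack user list` / `nova show` output.
PROJECT_DEMO = "533daaf421554a84aa3b023b4a9c341c"
USERS = {
    "demo": "357fc80d750646f7b3b56fc1e6792222",
    "alt_demo": "9ab80146bc964e81bfcf3331f6b8bb2d",
}
SERVER1 = {"name": "server1", "project_id": PROJECT_DEMO, "user_id": USERS["demo"]}


def check(rule, creds, target, policy=POLICY):
    """Evaluate one rule string against caller credentials and a target dict."""
    rule = rule.strip()
    if not rule:
        return True                          # empty rule: always allowed
    if rule.startswith("rule:"):             # reference to another named rule
        return check(policy[rule[len("rule:"):]], creds, target, policy)
    key, _, pattern = rule.partition(":")
    try:
        expected = pattern % target          # "%(user_id)s" is filled from the target
    except KeyError:
        return False                         # attribute missing from target: fail closed
    return key in creds and str(creds[key]) == expected


def delete_allowed(caller, server, target_style):
    """Return True if `caller` may delete `server` under POLICY.

    target_style selects what the API layer hands to the policy engine:
      "instance": the server record (owner's user_id/project_id); assumed here
                  to be what the legacy v2 API does.
      "context":  the caller's own identity; assumed here to be what v2.1 does.
    """
    creds = {"user_id": USERS[caller], "project_id": PROJECT_DEMO}
    if target_style == "instance":
        target = {"user_id": server["user_id"], "project_id": server["project_id"]}
    elif target_style == "context":
        target = dict(creds)                 # %(user_id)s now resolves to the caller itself
    else:
        raise ValueError("unknown target_style: %r" % (target_style,))
    return check(POLICY["compute:delete"], creds, target)


def owner_restriction_effective(target_style):
    """Defender's check: the rule only does its job if the owner is allowed
    and a different user in the same project is denied."""
    return (delete_allowed("demo", SERVER1, target_style)
            and not delete_allowed("alt_demo", SERVER1, target_style))


if __name__ == "__main__":
    for style in ("instance", "context"):
        print("%-8s target: demo=%s alt_demo=%s owner-restriction effective=%s" % (
            style,
            delete_allowed("demo", SERVER1, style),
            delete_allowed("alt_demo", SERVER1, style),
            owner_restriction_effective(style)))
```

With the instance as the target, %(user_id)s expands to the owner's ID and alt_demo is refused, matching the HTTP 403 on the compute_legacy endpoint; with the caller's context as the target, the comparison becomes "caller equals caller" and every user in the project passes, matching the accepted delete on v2.1. The practical point for operators is that a policy rule referencing target attributes is only as strong as the target the API actually supplies, so an owner-based rule has to be verified with a second user on every API version in use.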
Assigning to Martin for review.
Republished guides with note in Appendix A: "The following functionality is limited to Nova API v2.0, and currently does not apply to Nova API v2.1"

Links:
https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/7/configuration-reference/appendix-a-the-policyjson-file
https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/configuration-reference/appendix-a-the-policyjson-file
For docs QE: Added this note:
----
<note><para>The following functionality is limited to Nova API v2.0, and currently does <emphasis>not</emphasis> apply to Nova API v2.1</para></note>
----
To these sections:
https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/7/configuration-reference/appendix-a-the-policyjson-file
https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/configuration-reference/appendix-a-the-policyjson-file
I would use a full stop at the end of the sentence. What do you think?
I initially thought it would make sense to omit the full stop to avoid any ambiguity about version numbers, but I think the reader would be able to discern this. Added full stop to gitlab draft.
Thanks, Martin. I believe it'll be clear that the full stop marks the end of the sentence and isn't part of the version string. AFAIK, version strings generally don't end with full stops, anyway. I don't see the updates at the Portal, but I see them in git. Presumably, you're going to republish the docs shortly. Moving to VERIFIED.
This content is now live on the Customer Portal. Closing.