Public bug reported:

When authorization for deleting a VM instance is done by user_id,
it works fine in the V2.0 API, but it does not work in the V2.1 API.

[How to reproduce]
In nova policy.json,
add the following entries (or modify existing entries to match the following).

-----------------------------------------------
"user":  "user_id:%(user_id)s",
"compute:delete": "rule:user",
"os_compute_api:servers:delete": "rule:user",
-----------------------------------------------

In nova api-paste.ini,
change 'openstack_compute_api_v21_legacy_v2_compatible' to
'openstack_compute_api_legacy_v2' for "/v2" endpoint.

-----------------------------------------------
[composite:osapi_compute]
use = call:nova.api.openstack.urlmap:urlmap_factory
/: oscomputeversions
/v2: openstack_compute_api_legacy_v2
/v2.1: openstack_compute_api_v21
-----------------------------------------------

In the V2.0 API, the authorization by 'user_id' works fine:
only the user who created a VM instance can delete that VM instance.

In the V2.1 API, the authorization by 'user_id' does not work:
any user in the same project can delete a VM instance that another user created.

stack@devstack-master:/opt/devstack$ openstack user list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 1cd4d65d4f534cd89299bbf31edb37a4 | admin    |
| 218e7be255be4c90bf0c4d796a9d509c | nova     |
| 357fc80d750646f7b3b56fc1e6792222 | demo     |
| 37c5204df2d345fb8a76359966dc8d1b | heat     |
| 4a6e928a20a743a6a3d80944c607a22a | neutron  |
| 8c613c4691e2447e8082f6c425cd34af | glance   |
| 9ab80146bc964e81bfcf3331f6b8bb2d | alt_demo |
| ecd940201f5c45a8833bb739149a54f0 | cinder   |
+----------------------------------+----------+
stack@devstack-master:/opt/devstack$ openstack project list
+----------------------------------+--------------------+
| ID                               | Name               |
+----------------------------------+--------------------+
| 4b7c129ea5ee49d1a620c26272091ec7 | admin              |
| 4c3e76d51a3c4df384c74b8cafb3a9cc | invisible_to_admin |
| 533daaf421554a84aa3b023b4a9c341c | demo               |
| b04c7788628849a48b831f5ad57e374a | service            |
+----------------------------------+--------------------+
stack@devstack-master:/opt/devstack$ openstack catalog show compute
+-----------+----------------------------------------------------------------------------+
| Field     | Value                                                                      |
+-----------+----------------------------------------------------------------------------+
| endpoints | RegionOne                                                                  |
|           |   publicURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c   |
|           |   internalURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c |
|           |   adminURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c    |
|           |                                                                            |
| name      | nova                                                                       |
| type      | compute                                                                    |
+-----------+----------------------------------------------------------------------------+
stack@devstack-master:/opt/devstack$ openstack catalog show compute_legacy
+-----------+--------------------------------------------------------------------------+
| Field     | Value                                                                    |
+-----------+--------------------------------------------------------------------------+
| endpoints | RegionOne                                                                |
|           |   publicURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c   |
|           |   internalURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c |
|           |   adminURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c    |
|           |                                                                          |
| name      | nova_legacy                                                              |
| type      | compute_legacy                                                           |
+-----------+--------------------------------------------------------------------------+
stack@devstack-master:/opt/devstack$ nova show server1
+--------------------------------------+----------------------------------------------------------------+
| Property                             | Value                                                          |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                                         |
| OS-EXT-AZ:availability_zone          | nova                                                           |
| OS-EXT-SRV-ATTR:host                 | devstack-master                                                |
| OS-EXT-SRV-ATTR:hostname             | server1                                                        |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | devstack-master                                                |
| OS-EXT-SRV-ATTR:instance_name        | instance-00000004                                              |
| OS-EXT-SRV-ATTR:kernel_id            | b0d768cd-3483-4e25-8b9d-9d8863f16502                           |
| OS-EXT-SRV-ATTR:launch_index         | 0                                                              |
| OS-EXT-SRV-ATTR:ramdisk_id           | cacd6bf4-fd74-49b5-9b62-7094d576ea6a                           |
| OS-EXT-SRV-ATTR:reservation_id       | r-workgpr8                                                     |
| OS-EXT-SRV-ATTR:root_device_name     | /dev/vda                                                       |
| OS-EXT-SRV-ATTR:user_data            | -                                                              |
| OS-EXT-STS:power_state               | 1                                                              |
| OS-EXT-STS:task_state                | -                                                              |
| OS-EXT-STS:vm_state                  | active                                                         |
| OS-SRV-USG:launched_at               | 2016-01-28T06:02:59.000000                                     |
| OS-SRV-USG:terminated_at             | -                                                              |
| accessIPv4                           |                                                                |
| accessIPv6                           |                                                                |
| config_drive                         | True                                                           |
| created                              | 2016-01-28T06:02:47Z                                           |
| flavor                               | m1.tiny (1)                                                    |
| hostId                               | 5084983d07d356ef1de4eacd7a1ad854a39e6f39582715bc9aed7097       |
| id                                   | cb921ee5-07b6-4f2e-b66a-efcc05a74368                           |
| image                                | cirros-0.3.4-x86_64-uec (b44a1bbe-3968-4664-898b-40eb81ce6bd5) |
| key_name                             | -                                                              |
| locked                               | False                                                          |
| metadata                             | {}                                                             |
| name                                 | server1                                                        |
| os-extended-volumes:volumes_attached | []                                                             |
| private network                      | 10.0.10.6, fd7a:6b74:f7b9:0:f816:3eff:fe14:d99                 |
| progress                             | 0                                                              |
| security_groups                      | default                                                        |
| status                               | ACTIVE                                                         |
| tenant_id                            | 533daaf421554a84aa3b023b4a9c341c                               |
| updated                              | 2016-01-28T06:02:59Z                                           |
| user_id                              | 357fc80d750646f7b3b56fc1e6792222                               |
+--------------------------------------+----------------------------------------------------------------+
stack@devstack-master:/opt/devstack$ nova --service-type compute_legacy --os-user-name alt_demo --os-project-name demo delete server1
Policy doesn't allow compute:delete to be performed. (HTTP 403) (Request-ID: req-cb34aecd-260a-4d50-b481-cd9483ae8745)
ERROR (CommandError): Unable to delete the specified server(s).
stack@devstack-master:/opt/devstack$ nova --service-type compute_legacy --os-user-name demo --os-project-name demo delete server1
Request to delete server server1 has been accepted.

stack@devstack-master:/opt/devstack$ nova show server2
+--------------------------------------+----------------------------------------------------------------+
| Property                             | Value                                                          |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                                         |
| OS-EXT-AZ:availability_zone          | nova                                                           |
| OS-EXT-SRV-ATTR:host                 | devstack-master                                                |
| OS-EXT-SRV-ATTR:hostname             | server2                                                        |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | devstack-master                                                |
| OS-EXT-SRV-ATTR:instance_name        | instance-00000006                                              |
| OS-EXT-SRV-ATTR:kernel_id            | b0d768cd-3483-4e25-8b9d-9d8863f16502                           |
| OS-EXT-SRV-ATTR:launch_index         | 0                                                              |
| OS-EXT-SRV-ATTR:ramdisk_id           | cacd6bf4-fd74-49b5-9b62-7094d576ea6a                           |
| OS-EXT-SRV-ATTR:reservation_id       | r-xo3y1bo9                                                     |
| OS-EXT-SRV-ATTR:root_device_name     | /dev/vda                                                       |
| OS-EXT-SRV-ATTR:user_data            | -                                                              |
| OS-EXT-STS:power_state               | 1                                                              |
| OS-EXT-STS:task_state                | -                                                              |
| OS-EXT-STS:vm_state                  | active                                                         |
| OS-SRV-USG:launched_at               | 2016-01-28T06:06:29.000000                                     |
| OS-SRV-USG:terminated_at             | -                                                              |
| accessIPv4                           |                                                                |
| accessIPv6                           |                                                                |
| config_drive                         | True                                                           |
| created                              | 2016-01-28T06:06:18Z                                           |
| flavor                               | m1.tiny (1)                                                    |
| hostId                               | 5084983d07d356ef1de4eacd7a1ad854a39e6f39582715bc9aed7097       |
| id                                   | c5efae23-b7d6-492c-8a57-578825f8d563                           |
| image                                | cirros-0.3.4-x86_64-uec (b44a1bbe-3968-4664-898b-40eb81ce6bd5) |
| key_name                             | -                                                              |
| locked                               | False                                                          |
| metadata                             | {}                                                             |
| name                                 | server2                                                        |
| os-extended-volumes:volumes_attached | []                                                             |
| private network                      | 10.0.10.8, fd7a:6b74:f7b9:0:f816:3eff:fe81:2b07                |
| progress                             | 0                                                              |
| security_groups                      | default                                                        |
| status                               | ACTIVE                                                         |
| tenant_id                            | 533daaf421554a84aa3b023b4a9c341c                               |
| updated                              | 2016-01-28T06:06:29Z                                           |
| user_id                              | 357fc80d750646f7b3b56fc1e6792222                               |
+--------------------------------------+----------------------------------------------------------------+
stack@devstack-master:/opt/devstack$ nova --service-type compute --os-user-name alt_demo --os-project-name demo delete server2
Request to delete server server2 has been accepted.

[Environment]
Ubuntu 14.04 LTS
nova(master, commit 1dfec7186222054c7bc810c9c6894aeac3173321)
novaclient 3.2.0
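As an added illustration (not nova's own code), the following Python models how the `user_id:%(user_id)s` rule from the policy.json entries above is evaluated: the rule only restricts deletion to the creator when the target handed to the policy check carries the instance's own user_id, whereas a target built from the requester's context always matches. The two target-construction variants (`"instance"` and `"context"`) are assumptions made to show the symptom, not a statement about nova internals; the IDs are taken from the report.

```python
"""Minimal evaluator for policy.json-style rules (added example, not nova code).

Rule semantics follow the generic "key:%(field)s" check used by OpenStack
policy files: the right-hand side is formatted with the enforcement target
and compared to the requester's credential named on the left-hand side.
"""

# Policy entries from the bug report.
POLICY = {
    "user": "user_id:%(user_id)s",
    "compute:delete": "rule:user",
    "os_compute_api:servers:delete": "rule:user",
}

# IDs from the report's `openstack user list` / `nova show server1` output.
DEMO = "357fc80d750646f7b3b56fc1e6792222"
ALT_DEMO = "9ab80146bc964e81bfcf3331f6b8bb2d"
PROJECT = "533daaf421554a84aa3b023b4a9c341c"
SERVER1 = {
    "id": "cb921ee5-07b6-4f2e-b66a-efcc05a74368",
    "project_id": PROJECT,
    "user_id": DEMO,
}


def check(rule_text, target, creds, policy=POLICY):
    """Evaluate one 'rule:name' or 'key:%(field)s' expression to True/False."""
    kind, _, match = rule_text.partition(":")
    if kind == "rule":
        return check(policy[match], target, creds, policy)
    try:
        expected = match % target
    except KeyError:
        # The target does not carry the field the rule needs: deny.
        return False
    return expected == str(creds.get(kind))


def enforce(action, target, creds, policy=POLICY):
    """Look up the rule registered for an action and evaluate it."""
    return check(policy[action], target, creds, policy)


def delete_allowed(action, instance, requester, target_from):
    """Decide a delete for `requester` on `instance`.

    target_from is an assumption used to contrast two ways an API layer might
    build the policy target:
      "instance" -> target carries the instance owner's user_id
      "context"  -> target is built from the requester's own credentials
    """
    creds = {"user_id": requester, "project_id": instance["project_id"]}
    if target_from == "instance":
        target = {"project_id": instance["project_id"],
                  "user_id": instance["user_id"]}
    else:
        # Same project, but user_id is the requester's: the rule always matches.
        target = {"project_id": creds["project_id"],
                  "user_id": creds["user_id"]}
    return enforce(action, target, creds)


def ownership_enforced(action, target_from):
    """Smoke test a deployer can adapt: the creator must be allowed and another
    user of the same project denied, otherwise user_id scoping is not effective."""
    return (delete_allowed(action, SERVER1, DEMO, target_from)
            and not delete_allowed(action, SERVER1, ALT_DEMO, target_from))


if __name__ == "__main__":
    print("V2.0-style (instance target): alt_demo allowed =",
          delete_allowed("compute:delete", SERVER1, ALT_DEMO, "instance"))
    print("V2.1-style (context target):  alt_demo allowed =",
          delete_allowed("os_compute_api:servers:delete", SERVER1, ALT_DEMO,
                         "context"))
```

Running it reproduces the report's outcome: the 403 for alt_demo when the instance is the target, and an accepted delete when the target only mirrors the requester.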

** Affects: nova
     Importance: Undecided
         Status: New


** Tags: api

** Tags added: api

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1539351

Title:
  Authorization by user_id does not work in V2.1 API

Status in OpenStack Compute (nova):
  New

