Public bug reported: Description =========== Since the following change was merged, nova allows authorization by user_id for server suspend action.
https://review.opendev.org/c/openstack/nova/+/353344 However the same is not yet implemented in resume action and this results in inconsistent policy rule for corresponding two operations. Steps to reproduce ================== * Define policy rules like the following example "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s" "os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s" * Create a server by a non-admin user * Suspend the server by the user * Resume the server by the user Expected result =============== Both suspend and resume are accepted Actual result ============= Only suspend is accepted and resume fails with ERROR (Forbidden): Policy doesn't allow os_compute_api:os-suspend- server:suspend to be performed. (HTTP 403) (Request-ID: req-...) Environment =========== This issue was initially reported as one found in stable/xena deployment. http://lists.openstack.org/pipermail/openstack-discuss/2022-February/027078.html Logs & Configs ============== N/A ** Affects: nova Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1960247 Title: server suspend action allows authorization by user_id while server resume action does not Status in OpenStack Compute (nova): New Bug description: Description =========== Since the following change was merged, nova allows authorization by user_id for server suspend action. https://review.opendev.org/c/openstack/nova/+/353344 However the same is not yet implemented in resume action and this results in inconsistent policy rule for corresponding two operations. Steps to reproduce ================== * Define policy rules like the following example "os_compute_api:os-suspend-server:suspend": "rule:admin_api or user_id:%(user_id)s" "os_compute_api:os-suspend-server:resume": "rule:admin_api or user_id:%(user_id)s" * Create a server by a non-admin user * Suspend the server by the user * Resume the server by the user Expected result =============== Both suspend and resume are accepted Actual result ============= Only suspend is accepted and resume fails with ERROR (Forbidden): Policy doesn't allow os_compute_api:os-suspend- server:suspend to be performed. (HTTP 403) (Request-ID: req-...) Environment =========== This issue was initially reported as one found in stable/xena deployment. http://lists.openstack.org/pipermail/openstack-discuss/2022-February/027078.html Logs & Configs ============== N/A To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1960247/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp