I think we have now decided the old behavior was never intended, and will not be supported in Nova moving forward. Permission restriction should be by project_id.
** Changed in: nova
       Status: In Progress => Won't Fix

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1539351

Title:
  Authorization by user_id does not work in V2.1 API

Status in OpenStack Compute (nova):
  Won't Fix

Bug description:
  When authorization for deleting a VM instance is done by user_id, it works fine in the V2.0 API, but it does not work in the V2.1 API.

  [How to reproduce]

  In nova policy.json, add the following entries (or modify existing entries like the following).
  -----------------------------------------------
  "user": "user_id:%(user_id)s",
  "compute:delete": "rule:user",
  "os_compute_api:servers:delete": "rule:user",
  -----------------------------------------------

  In nova api-paste.ini, change 'openstack_compute_api_v21_legacy_v2_compatible' to 'openstack_compute_api_legacy_v2' for the "/v2" endpoint.
  -----------------------------------------------
  [composite:osapi_compute]
  use = call:nova.api.openstack.urlmap:urlmap_factory
  /: oscomputeversions
  /v2: openstack_compute_api_legacy_v2
  /v2.1: openstack_compute_api_v21
  -----------------------------------------------

  In the V2.0 API, the authorization by 'user_id' works fine. Only the user who created a VM instance can delete the VM instance.
  In the V2.1 API, the authorization by 'user_id' does not work. Any user in the same project can delete the VM instance that another user created.
  stack@devstack-master:/opt/devstack$ openstack user list
  +----------------------------------+----------+
  | ID                               | Name     |
  +----------------------------------+----------+
  | 1cd4d65d4f534cd89299bbf31edb37a4 | admin    |
  | 218e7be255be4c90bf0c4d796a9d509c | nova     |
  | 357fc80d750646f7b3b56fc1e6792222 | demo     |
  | 37c5204df2d345fb8a76359966dc8d1b | heat     |
  | 4a6e928a20a743a6a3d80944c607a22a | neutron  |
  | 8c613c4691e2447e8082f6c425cd34af | glance   |
  | 9ab80146bc964e81bfcf3331f6b8bb2d | alt_demo |
  | ecd940201f5c45a8833bb739149a54f0 | cinder   |
  +----------------------------------+----------+

  stack@devstack-master:/opt/devstack$ openstack project list
  +----------------------------------+--------------------+
  | ID                               | Name               |
  +----------------------------------+--------------------+
  | 4b7c129ea5ee49d1a620c26272091ec7 | admin              |
  | 4c3e76d51a3c4df384c74b8cafb3a9cc | invisible_to_admin |
  | 533daaf421554a84aa3b023b4a9c341c | demo               |
  | b04c7788628849a48b831f5ad57e374a | service            |
  +----------------------------------+--------------------+

  stack@devstack-master:/opt/devstack$ openstack catalog show compute
  +-----------+----------------------------------------------------------------------------+
  | Field     | Value                                                                      |
  +-----------+----------------------------------------------------------------------------+
  | endpoints | RegionOne                                                                  |
  |           |   publicURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c   |
  |           |   internalURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c |
  |           |   adminURL: http://10.0.2.15:8774/v2.1/533daaf421554a84aa3b023b4a9c341c    |
  |           |                                                                            |
  | name      | nova                                                                       |
  | type      | compute                                                                    |
  +-----------+----------------------------------------------------------------------------+

  stack@devstack-master:/opt/devstack$ openstack catalog show compute_legacy
  +-----------+--------------------------------------------------------------------------+
  | Field     | Value                                                                    |
  +-----------+--------------------------------------------------------------------------+
  | endpoints | RegionOne                                                                |
  |           |   publicURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c   |
  |           |   internalURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c |
  |           |   adminURL: http://10.0.2.15:8774/v2/533daaf421554a84aa3b023b4a9c341c    |
  |           |                                                                          |
  | name      | nova_legacy                                                              |
  | type      | compute_legacy                                                           |
  +-----------+--------------------------------------------------------------------------+

  stack@devstack-master:/opt/devstack$ nova show server1
  +--------------------------------------+----------------------------------------------------------------+
  | Property                             | Value                                                          |
  +--------------------------------------+----------------------------------------------------------------+
  | OS-DCF:diskConfig                    | MANUAL                                                         |
  | OS-EXT-AZ:availability_zone          | nova                                                           |
  | OS-EXT-SRV-ATTR:host                 | devstack-master                                                |
  | OS-EXT-SRV-ATTR:hostname             | server1                                                        |
  | OS-EXT-SRV-ATTR:hypervisor_hostname  | devstack-master                                                |
  | OS-EXT-SRV-ATTR:instance_name        | instance-00000004                                              |
  | OS-EXT-SRV-ATTR:kernel_id            | b0d768cd-3483-4e25-8b9d-9d8863f16502                           |
  | OS-EXT-SRV-ATTR:launch_index         | 0                                                              |
  | OS-EXT-SRV-ATTR:ramdisk_id           | cacd6bf4-fd74-49b5-9b62-7094d576ea6a                           |
  | OS-EXT-SRV-ATTR:reservation_id       | r-workgpr8                                                     |
  | OS-EXT-SRV-ATTR:root_device_name     | /dev/vda                                                       |
  | OS-EXT-SRV-ATTR:user_data            | -                                                              |
  | OS-EXT-STS:power_state               | 1                                                              |
  | OS-EXT-STS:task_state                | -                                                              |
  | OS-EXT-STS:vm_state                  | active                                                         |
  | OS-SRV-USG:launched_at               | 2016-01-28T06:02:59.000000                                     |
  | OS-SRV-USG:terminated_at             | -                                                              |
  | accessIPv4                           |                                                                |
  | accessIPv6                           |                                                                |
  | config_drive                         | True                                                           |
  | created                              | 2016-01-28T06:02:47Z                                           |
  | flavor                               | m1.tiny (1)                                                    |
  | hostId                               | 5084983d07d356ef1de4eacd7a1ad854a39e6f39582715bc9aed7097       |
  | id                                   | cb921ee5-07b6-4f2e-b66a-efcc05a74368                           |
  | image                                | cirros-0.3.4-x86_64-uec (b44a1bbe-3968-4664-898b-40eb81ce6bd5) |
  | key_name                             | -                                                              |
  | locked                               | False                                                          |
  | metadata                             | {}                                                             |
  | name                                 | server1                                                        |
  | os-extended-volumes:volumes_attached | []                                                             |
  | private network                      | 10.0.10.6, fd7a:6b74:f7b9:0:f816:3eff:fe14:d99                 |
  | progress                             | 0                                                              |
  | security_groups                      | default                                                        |
  | status                               | ACTIVE                                                         |
  | tenant_id                            | 533daaf421554a84aa3b023b4a9c341c                               |
  | updated                              | 2016-01-28T06:02:59Z                                           |
  | user_id                              | 357fc80d750646f7b3b56fc1e6792222                               |
  +--------------------------------------+----------------------------------------------------------------+

  stack@devstack-master:/opt/devstack$ nova --service-type compute_legacy --os-user-name alt_demo --os-project-name demo delete server1
  Policy doesn't allow compute:delete to be performed. (HTTP 403) (Request-ID: req-cb34aecd-260a-4d50-b481-cd9483ae8745)
  ERROR (CommandError): Unable to delete the specified server(s).

  stack@devstack-master:/opt/devstack$ nova --service-type compute_legacy --os-user-name demo --os-project-name demo delete server1
  Request to delete server server1 has been accepted.

  stack@devstack-master:/opt/devstack$ nova show server2
  +--------------------------------------+----------------------------------------------------------------+
  | Property                             | Value                                                          |
  +--------------------------------------+----------------------------------------------------------------+
  | OS-DCF:diskConfig                    | MANUAL                                                         |
  | OS-EXT-AZ:availability_zone          | nova                                                           |
  | OS-EXT-SRV-ATTR:host                 | devstack-master                                                |
  | OS-EXT-SRV-ATTR:hostname             | server2                                                        |
  | OS-EXT-SRV-ATTR:hypervisor_hostname  | devstack-master                                                |
  | OS-EXT-SRV-ATTR:instance_name        | instance-00000006                                              |
  | OS-EXT-SRV-ATTR:kernel_id            | b0d768cd-3483-4e25-8b9d-9d8863f16502                           |
  | OS-EXT-SRV-ATTR:launch_index         | 0                                                              |
  | OS-EXT-SRV-ATTR:ramdisk_id           | cacd6bf4-fd74-49b5-9b62-7094d576ea6a                           |
  | OS-EXT-SRV-ATTR:reservation_id       | r-xo3y1bo9                                                     |
  | OS-EXT-SRV-ATTR:root_device_name     | /dev/vda                                                       |
  | OS-EXT-SRV-ATTR:user_data            | -                                                              |
  | OS-EXT-STS:power_state               | 1                                                              |
  | OS-EXT-STS:task_state                | -                                                              |
  | OS-EXT-STS:vm_state                  | active                                                         |
  | OS-SRV-USG:launched_at               | 2016-01-28T06:06:29.000000                                     |
  | OS-SRV-USG:terminated_at             | -                                                              |
  | accessIPv4                           |                                                                |
  | accessIPv6                           |                                                                |
  | config_drive                         | True                                                           |
  | created                              | 2016-01-28T06:06:18Z                                           |
  | flavor                               | m1.tiny (1)                                                    |
  | hostId                               | 5084983d07d356ef1de4eacd7a1ad854a39e6f39582715bc9aed7097       |
  | id                                   | c5efae23-b7d6-492c-8a57-578825f8d563                           |
  | image                                | cirros-0.3.4-x86_64-uec (b44a1bbe-3968-4664-898b-40eb81ce6bd5) |
  | key_name                             | -                                                              |
  | locked                               | False                                                          |
  | metadata                             | {}                                                             |
  | name                                 | server2                                                        |
  | os-extended-volumes:volumes_attached | []                                                             |
  | private network                      | 10.0.10.8, fd7a:6b74:f7b9:0:f816:3eff:fe81:2b07                |
  | progress                             | 0                                                              |
  | security_groups                      | default                                                        |
  | status                               | ACTIVE                                                         |
  | tenant_id                            | 533daaf421554a84aa3b023b4a9c341c                               |
  | updated                              | 2016-01-28T06:06:29Z                                           |
  | user_id                              | 357fc80d750646f7b3b56fc1e6792222                               |
  +--------------------------------------+----------------------------------------------------------------+

  stack@devstack-master:/opt/devstack$ nova --service-type compute --os-user-name alt_demo --os-project-name demo delete server2
  Request to delete server server2 has been accepted.

  [Environment]
  Ubuntu 14.04 LTS
  nova (master, commit 1dfec7186222054c7bc810c9c6894aeac3173321)
  novaclient 3.2.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1539351/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
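To make the policy mechanics behind the report concrete, here is an added example (my own code, not nova's or oslo.policy's) that re-implements the rule semantics the three policy.json entries rely on and evaluates them with the demo project, demo user and alt_demo user IDs taken from the CLI output above. Two things in it are assumptions rather than statements from the report: that a `user_id:%(user_id)s` rule becomes vacuous when the policy target is built from the caller's own context instead of from the instance being deleted, which is the mechanism used here to reproduce the v2.1 outcome, and the shape of the project-scoped `admin_or_owner` rule used to show the alternative the closing comment recommends. The function names (`enforce`, `creds_for`, `can_delete`) and the outsider user are constructed for the example.

```python
"""Toy re-implementation of the policy.json rule semantics used in the report.

Added example, not nova's or oslo.policy's code.  It evaluates "kind:match"
checks the way oslo.policy's GenericCheck does (compare creds[kind] with match
after %(...)s substitution from the target dict) and "rule:name" checks by
recursing into the named rule.  A %(key)s missing from the target fails closed.
"""

# policy.json entries exactly as given in the bug report
USER_POLICY = {
    "user": "user_id:%(user_id)s",
    "compute:delete": "rule:user",
    "os_compute_api:servers:delete": "rule:user",
}

# Project-scoped alternative, the direction the closing comment recommends.
# The admin_or_owner rule follows the shape of nova's stock policy.json;
# using it here is an assumption of this example.
PROJECT_POLICY = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:delete": "rule:admin_or_owner",
    "os_compute_api:servers:delete": "rule:admin_or_owner",
}

# IDs from the report's 'openstack user list' / 'openstack project list' output
DEMO_PROJECT = "533daaf421554a84aa3b023b4a9c341c"
DEMO_USER = "357fc80d750646f7b3b56fc1e6792222"      # 'demo', owner of server1/server2
ALT_DEMO_USER = "9ab80146bc964e81bfcf3331f6b8bb2d"  # 'alt_demo', same project

# Policy target built from the instance itself (tenant_id/user_id of server1)
SERVER1 = {"user_id": DEMO_USER, "project_id": DEMO_PROJECT}


def enforce(policy, rule, creds, target):
    """Evaluate a rule name or inline check expression for creds against target.

    'or' binds looser than 'and'.  Returns True only if the check passes.
    """
    expr = policy.get(rule, rule)  # named rule, or an inline expression
    if " or " in expr:
        return any(enforce(policy, p.strip(), creds, target) for p in expr.split(" or "))
    if " and " in expr:
        return all(enforce(policy, p.strip(), creds, target) for p in expr.split(" and "))
    if expr in ("", "@"):  # empty rule: always allowed
        return True
    if expr == "!":        # always denied
        return False
    kind, sep, match = expr.partition(":")
    if not sep:
        return False
    if kind == "rule":
        return enforce(policy, match, creds, target)
    try:
        expected = match % target  # substitute %(key)s from the target
    except KeyError:
        return False               # missing target key fails closed
    return kind in creds and str(creds[kind]) == expected


def creds_for(user_id, project_id=DEMO_PROJECT, is_admin=False):
    """Request credentials as nova derives them from the keystone token."""
    return {"user_id": user_id, "project_id": project_id, "is_admin": is_admin}


def can_delete(policy, creds, target):
    return enforce(policy, "os_compute_api:servers:delete", creds, target)


def resource_target_results():
    """Target = the instance's own owner/project: the v2.0 behaviour in the report."""
    return {
        "demo": can_delete(USER_POLICY, creds_for(DEMO_USER), SERVER1),
        "alt_demo": can_delete(USER_POLICY, creds_for(ALT_DEMO_USER), SERVER1),
    }


def caller_target_results():
    """Target = a dict built from the caller's own context instead of the instance.

    The user_id rule then compares the caller with itself and passes for every
    project member, reproducing what the report observed on v2.1.  That v2.1
    built its target this way is an assumption of this example.
    """
    results = {}
    for name, uid in (("demo", DEMO_USER), ("alt_demo", ALT_DEMO_USER)):
        creds = creds_for(uid)
        target = {"user_id": creds["user_id"], "project_id": creds["project_id"]}
        results[name] = can_delete(USER_POLICY, creds, target)
    return results


def project_policy_results():
    """Project-scoped rule against the instance target: demo members may delete, an outsider may not."""
    # constructed user in the invisible_to_admin project from the report
    outsider = creds_for("f" * 32, project_id="4c3e76d51a3c4df384c74b8cafb3a9cc")
    return {
        "demo": can_delete(PROJECT_POLICY, creds_for(DEMO_USER), SERVER1),
        "alt_demo": can_delete(PROJECT_POLICY, creds_for(ALT_DEMO_USER), SERVER1),
        "other_project": can_delete(PROJECT_POLICY, outsider, SERVER1),
    }


if __name__ == "__main__":
    print("instance target, user_id rule:", resource_target_results())
    print("caller target, user_id rule:  ", caller_target_results())
    print("instance target, project rule:", project_policy_results())
```

The practical check this suggests for anyone relying on per-user rules in a policy file: a rule can only be as strong as the target dict the API hands to the enforcer, so a `%(user_id)s` substitution is meaningful only when that dict describes the resource, not the requester. Once the target is the requester's own context the rule passes for everyone in the project, which is exactly the outcome the `nova --service-type compute ... delete server2` command above shows, and why the closing comment settles on project_id as the supported scope.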