Hmm, did something change in Stein on the Cinder side to enforce the
update_volume_admin_metadata policy rule on the os-attach API? I'm not
aware of anything that has changed on the nova side in stein that would
be related to this.
** Also affects: cinder
Importance: Undecided
Status: New
** Tags added: policy volumes
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1848514
Title:
Booting from volume providing an image fails
Status in Cinder:
New
Status in OpenStack Compute (nova):
New
Bug description:
Trying to create an instance (booting from volume when specifying an image)
fails.
Running Stein (19.0.1)
###
When using:
###
nova boot --flavor FLAVOR_ID --block-device
source=image,id=IMAGE_ID,dest=volume,size=10,shutdown=preserve,bootindex=0
INSTANCE_NAME
###
nova-compute logs:
###
Instance failed block device setup Forbidden: Policy doesn't allow
volume:update_volume_admin_metadata to be performed. (HTTP 403)
(Request-ID: req-875cc6e1-ffe1-45dd-b942-944166c6040a)
The full trace:
http://paste.openstack.org/raw/784535/
Definitely this is a policy issue!
Our cinder policy: "volume:update_volume_admin_metadata": "rule:admin_api"
(default)
Using an user with admin credentials works as expected!
Is this expected? we didn't identified this behaviour previously
(before stein) using the same policy for
"update_volume_admin_metadata"
Found an old similar report:
https://bugs.launchpad.net/nova/+bug/1661189
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1848514/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
