Hmm, did something change in Stein on the Cinder side to enforce the update_volume_admin_metadata policy rule on the os-attach API? I'm not aware of anything that has changed on the nova side in stein that would be related to this.
** Also affects: cinder Importance: Undecided Status: New ** Tags added: policy volumes -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1848514 Title: Booting from volume providing an image fails Status in Cinder: New Status in OpenStack Compute (nova): New Bug description: Trying to create an instance (booting from volume when specifying an image) fails. Running Stein (19.0.1) ### When using: ### nova boot --flavor FLAVOR_ID --block-device source=image,id=IMAGE_ID,dest=volume,size=10,shutdown=preserve,bootindex=0 INSTANCE_NAME ### nova-compute logs: ### Instance failed block device setup Forbidden: Policy doesn't allow volume:update_volume_admin_metadata to be performed. (HTTP 403) (Request-ID: req-875cc6e1-ffe1-45dd-b942-944166c6040a) The full trace: http://paste.openstack.org/raw/784535/ Definitely this is a policy issue! Our cinder policy: "volume:update_volume_admin_metadata": "rule:admin_api" (default) Using an user with admin credentials works as expected! Is this expected? we didn't identified this behaviour previously (before stein) using the same policy for "update_volume_admin_metadata" Found an old similar report: https://bugs.launchpad.net/nova/+bug/1661189 To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1848514/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp