Hi Scott, Thanks for the reply.
I’m not an experienced developer, so , could you explain more about “Perhaps the live_migrate task is passing the incorrect context in for this database query?” ? Here is what I understand. The issue is basically caused by @require_admin_context for db.service_get_by_compute_host(). Then, should this a bug ? Why “nova migrate” command do not need to check compute host ? Thanks. -chen From: Scott Devoid [mailto:dev...@anl.gov] Sent: Thursday, June 26, 2014 9:34 AM To: Li, Chen Cc: Sushma Korati; openstack@lists.openstack.org Subject: Re: [Openstack] How can I enable operation for non-admin user Hi Li, The problem here is that db.service_get_by_compute_host() requires admin context. [1] The live_migrate command needs to check that both hosts have a running nova-compute service before it begins migration. Perhaps the live_migrate task is passing the incorrect context in for this database query? [2] I would think that conductor should be running under it's own context and not the caller's context? (Devs?) And before someone comments that migration should always be *admin-only*, I'll point out that there are legitimate reasons an operator might want to give someone migrate permissions and not all admin permissions. ~ Scott [1] https://github.com/openstack/nova/blob/master/nova/db/sqlalchemy/api.py#L485 [2] https://github.com/openstack/nova/blob/master/nova/conductor/tasks/live_migrate.py#L87 On Tue, Jun 24, 2014 at 9:11 PM, Li, Chen <chen...@intel.com<mailto:chen...@intel.com>> wrote: Hi Sushma, Thanks for the reply. Well, edit /etc/nova/policy.json do works for command “nova migrate”. But when I run command “nova live-migration”, I still get errors, in /var/log/nova/conductor.log: 2014-06-25 02:07:23.897 115385 INFO oslo.messaging._drivers.impl_qpid [-] Connected to AMQP server on 192.168.40.122:5672<http://192.168.40.122:5672> 2014-06-25 02:08:59.221 115395 ERROR nova.conductor.manager [req-63f0a004-ef69-47f4-aefb-e0fa194d99b9 fa970646fa92442fa14b2b759cf381a6 2eb6bd3a69ad454a90489dd12b9cdf3b] Migration of instance 446d96d7-2073-46ac-b40c-0f167fbd04b2 to host None unexpectedly failed. 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager Traceback (most recent call last): 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 757, in _live_migrate 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager block_migration, disk_over_commit) 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/conductor/tasks/live_migrate.py", line 191, in execute 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager return task.execute() 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/conductor/tasks/live_migrate.py", line 56, in execute 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager self._check_host_is_up(self.source) 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/conductor/tasks/live_migrate.py", line 87, in _check_host_is_up 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager service = db.service_get_by_compute_host(self.context, host) 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/db/api.py", line 129, in service_get_by_compute_host 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager return IMPL.service_get_by_compute_host(context, host) 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/db/sqlalchemy/api.py", line 145, in wrapper 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager nova.context.require_admin_context(args[0]) 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/context.py", line 195, in require_admin_context 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager raise exception.AdminRequired() 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager AdminRequired: User does not have admin privileges 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager 2014-06-25 02:08:59.226 115395 ERROR oslo.messaging.rpc.dispatcher [-] Exception during message handling: Migration error: User does not have admin privileges 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher Traceback (most recent call last): 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line 133, in _dispatch_and_reply 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher incoming.message)) 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line 176, in _dispatch 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher return self._do_dispatch(endpoint, method, ctxt, args) 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line 122, in _do_dispatch 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher result = getattr(endpoint, method)(ctxt, **new_args) 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/server.py", line 139, in inner 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher return func(*args, **kwargs) 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher File "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 681, in migrate_server 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher block_migration, disk_over_commit) 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher File "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 783, in _live_migrate 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher raise exception.MigrationError(reason=ex) 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher MigrationError: Migration error: User does not have admin privileges 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher 2014-06-25 02:08:59.228 115395 ERROR oslo.messaging._drivers.common [-] Returning exception Migration error: User does not have admin privileges to caller 2014-06-25 02:08:59.228 115395 ERROR oslo.messaging._drivers.common [-] ['Traceback (most recent call last):\n', ' File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line 133, in _dispatch_and_reply\n incoming.message))\n', ' File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line 176, in _dispatch\n return self._do_dispatch(endpoint, method, ctxt, args)\n', ' File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line 122, in _do_dispatch\n result = getattr(endpoint, method)(ctxt, **new_args)\n', ' File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/server.py", line 139, in inner\n return func(*args, **kwargs)\n', ' File "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 681, in migrate_server\n block_migration, disk_over_commit)\n', ' File "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 783, in _live_migrate\n raise exception.MigrationError(reason=ex)\n', 'MigrationError: Migration error: User does not have admin privileges\n'] From: Sushma Korati [mailto:sushma_kor...@persistent.co.in<mailto:sushma_kor...@persistent.co.in>] Sent: Tuesday, June 24, 2014 4:43 PM To: Li, Chen; openstack@lists.openstack.org<mailto:openstack@lists.openstack.org> Subject: RE: How can I enable operation for non-admin user Hi Li, As fas as I know to migrate an instance you'll need admin priviliges. But if you want to allow this operation for normal user then might try editing /etc/nova/policy.json file and give privileges. File: /etc/nova/policy.json change "compute_extension:admin_actions:migrate": "rule:admin_api" to "compute_extension:admin_actions:migrate": "rule:admin_or_owner" Regards, Sushma ________________________________ From: Li, Chen <chen...@intel.com<mailto:chen...@intel.com>> Sent: Tuesday, June 24, 2014 1:44 PM To: openstack@lists.openstack.org<mailto:openstack@lists.openstack.org> Subject: [Openstack] How can I enable operation for non-admin user Hi list, I’m working under CentOS + icehouse. While, I have an non-admin user “demo”, and I can work under this this user with basic operations. Everything works well. But, I also hope this user can do some admin operations, such as migrate and so on, because currently when I run command: nova migrate ${my_instance} I get output: ERROR: Policy doesn't allow compute_extension:admin_actions:migrate to be performed. (HTTP 403) (Request-ID: req-698ad5b5-f1fe-48fc-b81f-a765020bf89f) Anyone can help me ? Thanks. -chen _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org<mailto:openstack@lists.openstack.org> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
