Hi Chen,

> I’m not an experienced developer, so, could you explain more about
> “Perhaps the live_migrate task is passing the incorrect context in for
> this database query?” ?

Sorry, I should have clarified that that question was for the developers *out there*. (cc's the dev list now). I'm not really a developer either so we will have to see what they say. ;-)

> Here is what I understand.
>
> The issue is basically caused by @require_admin_context for
> db.service_get_by_compute_host().

Yes, the request is failing because @require_admin_context only checks for the "admin" role in the context. It's somewhat of a holdover from when there was just admin and everything else.

> Then, should this be a bug?

Possibly. I can see why db.service_get_by_compute_host() should be an admin-only call, but I am assuming that there must be a way for nova to switch the running context to itself once it has authorized the live-migrate task. But I suspect few people have tried to allow non-admins to live-migrate and this is just a bug from that.

> Why does the “nova migrate” command not need to check the compute host?

Sorry, this is a bit fastidious, but I think "nova live-migrate" is what you mean here. "nova migrate", I think, is still a completely separate code-path. live-migrate needs to talk to both the source and destination nova-compute services to coordinate and confirm the migration.

> Thanks.
> -chen
>
> *From:* Scott Devoid [mailto:dev...@anl.gov]
> *Sent:* Thursday, June 26, 2014 9:34 AM
> *To:* Li, Chen
> *Cc:* Sushma Korati; openstack@lists.openstack.org
> *Subject:* Re: [Openstack] How can I enable operation for non-admin user
>
> Hi Li,
>
> The problem here is that db.service_get_by_compute_host() requires admin
> context. [1] The live_migrate command needs to check that both hosts have a
> running nova-compute service before it begins migration. Perhaps the
> live_migrate task is passing the incorrect context in for this database
> query? [2] I would think that conductor should be running under its own
> context and not the caller's context? (Devs?)
>
> And before someone comments that migration should always be *admin-only*,
> I'll point out that there are legitimate reasons an operator might want to
> give someone migrate permissions and not all admin permissions.
>
> ~ Scott
>
> [1] https://github.com/openstack/nova/blob/master/nova/db/sqlalchemy/api.py#L485
> [2] https://github.com/openstack/nova/blob/master/nova/conductor/tasks/live_migrate.py#L87
>
> On Tue, Jun 24, 2014 at 9:11 PM, Li, Chen <chen...@intel.com> wrote:
>
> Hi Sushma,
>
> Thanks for the reply.
>
> Well, editing /etc/nova/policy.json does work for command “nova migrate”.
>
> But when I run command “nova live-migration”, I still get errors, in
> /var/log/nova/conductor.log:
>
> 2014-06-25 02:07:23.897 115385 INFO oslo.messaging._drivers.impl_qpid [-] Connected to AMQP server on 192.168.40.122:5672
> 2014-06-25 02:08:59.221 115395 ERROR nova.conductor.manager [req-63f0a004-ef69-47f4-aefb-e0fa194d99b9 fa970646fa92442fa14b2b759cf381a6 2eb6bd3a69ad454a90489dd12b9cdf3b] Migration of instance 446d96d7-2073-46ac-b40c-0f167fbd04b2 to host None unexpectedly failed.
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager Traceback (most recent call last):
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 757, in _live_migrate
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager block_migration, disk_over_commit)
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/conductor/tasks/live_migrate.py", line 191, in execute
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager return task.execute()
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/conductor/tasks/live_migrate.py", line 56, in execute
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager self._check_host_is_up(self.source)
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/conductor/tasks/live_migrate.py", line 87, in _check_host_is_up
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager service = db.service_get_by_compute_host(self.context, host)
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/db/api.py", line 129, in service_get_by_compute_host
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager return IMPL.service_get_by_compute_host(context, host)
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/db/sqlalchemy/api.py", line 145, in wrapper
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager nova.context.require_admin_context(args[0])
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager File "/usr/lib/python2.6/site-packages/nova/context.py", line 195, in require_admin_context
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager raise exception.AdminRequired()
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager AdminRequired: User does not have admin privileges
> 2014-06-25 02:08:59.221 115395 TRACE nova.conductor.manager
> 2014-06-25 02:08:59.226 115395 ERROR oslo.messaging.rpc.dispatcher [-] Exception during message handling: Migration error: User does not have admin privileges
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher Traceback (most recent call last):
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line 133, in _dispatch_and_reply
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher incoming.message))
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line 176, in _dispatch
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher return self._do_dispatch(endpoint, method, ctxt, args)
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line 122, in _do_dispatch
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher result = getattr(endpoint, method)(ctxt, **new_args)
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/server.py", line 139, in inner
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher return func(*args, **kwargs)
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher File "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 681, in migrate_server
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher block_migration, disk_over_commit)
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher File "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 783, in _live_migrate
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher raise exception.MigrationError(reason=ex)
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher MigrationError: Migration error: User does not have admin privileges
> 2014-06-25 02:08:59.226 115395 TRACE oslo.messaging.rpc.dispatcher
> 2014-06-25 02:08:59.228 115395 ERROR oslo.messaging._drivers.common [-] Returning exception Migration error: User does not have admin privileges to caller
> 2014-06-25 02:08:59.228 115395 ERROR oslo.messaging._drivers.common [-] ['Traceback (most recent call last):\n', ' File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line 133, in _dispatch_and_reply\n incoming.message))\n', ' File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line 176, in _dispatch\n return self._do_dispatch(endpoint, method, ctxt, args)\n', ' File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/dispatcher.py", line 122, in _do_dispatch\n result = getattr(endpoint, method)(ctxt, **new_args)\n', ' File "/usr/lib/python2.6/site-packages/oslo/messaging/rpc/server.py", line 139, in inner\n return func(*args, **kwargs)\n', ' File "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 681, in migrate_server\n block_migration, disk_over_commit)\n', ' File "/usr/lib/python2.6/site-packages/nova/conductor/manager.py", line 783, in _live_migrate\n raise exception.MigrationError(reason=ex)\n', 'MigrationError: Migration error: User does not have admin privileges\n']
>
> *From:* Sushma Korati [mailto:sushma_kor...@persistent.co.in]
> *Sent:* Tuesday, June 24, 2014 4:43 PM
> *To:* Li, Chen; openstack@lists.openstack.org
> *Subject:* RE: How can I enable operation for non-admin user
>
> Hi Li,
>
> As far as I know to migrate an instance you'll need admin privileges.
> But if you want to allow this operation for normal user then might try
> editing /etc/nova/policy.json file and give privileges.
>
> File: /etc/nova/policy.json
> change "compute_extension:admin_actions:migrate": "rule:admin_api" to
> "compute_extension:admin_actions:migrate": "rule:admin_or_owner"
>
> Regards,
> Sushma
>
> ------------------------------
>
> *From:* Li, Chen <chen...@intel.com>
> *Sent:* Tuesday, June 24, 2014 1:44 PM
> *To:* openstack@lists.openstack.org
> *Subject:* [Openstack] How can I enable operation for non-admin user
>
> Hi list,
>
> I’m working under CentOS + icehouse.
>
> While, I have a non-admin user “demo”, and I can work under this
> user with basic operations.
>
> Everything works well.
>
> But, I also hope this user can do some admin operations, such as migrate
> and so on, because currently when I run command:
>
> nova migrate ${my_instance}
>
> I get output:
>
> ERROR: Policy doesn't allow compute_extension:admin_actions:migrate to be
> performed. (HTTP 403) (Request-ID: req-698ad5b5-f1fe-48fc-b81f-a765020bf89f)
>
> Can anyone help me?
>
> Thanks.
> -chen
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
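The failure discussed in this thread, as an added example that is not part of the original messages and is not nova's code: a simplified model of the two authorization layers, where the policy check admits the caller but the database-layer decorator looks only at the admin flag of whatever context it is handed. The classes, the policy table, the host names and the `elevate` switch are constructed for illustration; `elevated()` is modelled on the method of that name on nova's RequestContext.

```python
import copy

class AdminRequired(Exception):
    """Stand-in for nova's AdminRequired exception."""

class RequestContext:
    def __init__(self, user, roles):
        self.user, self.roles = user, set(roles)
        self.is_admin = "admin" in self.roles

    def elevated(self):
        # Admin copy for the service's own lookups; the caller's context is untouched.
        ctx = copy.copy(self)
        ctx.roles, ctx.is_admin = self.roles | {"admin"}, True
        return ctx

POLICY = {"live_migrate": {"admin", "member"}}     # constructed policy table
SERVICES = {"compute-1": "up", "compute-2": "up"}  # constructed hosts

def enforce(ctx, action):
    # API layer: policy.json-style check against the caller's roles.
    if not ctx.roles & POLICY[action]:
        raise PermissionError("Policy doesn't allow %s" % action)

def require_admin_context(func):
    # DB layer: ignores policy and checks only the admin flag.
    def wrapper(ctx, *args):
        if not ctx.is_admin:
            raise AdminRequired("User does not have admin privileges")
        return func(ctx, *args)
    return wrapper

@require_admin_context
def service_get_by_compute_host(ctx, host):
    return SERVICES[host]

def live_migrate(ctx, source, dest, elevate):
    enforce(ctx, "live_migrate")  # the caller is authorized here, and only here
    # Elevation happens after the policy check and covers only the host lookups.
    db_ctx = ctx.elevated() if elevate else ctx
    return [service_get_by_compute_host(db_ctx, h) for h in (source, dest)]

def demo():
    ctx = RequestContext("demo", ["member"])  # permitted by policy, not admin
    try:
        first = live_migrate(ctx, "compute-1", "compute-2", elevate=False)
    except AdminRequired as exc:
        first = str(exc)                      # the error seen in conductor.log
    second = live_migrate(ctx, "compute-1", "compute-2", elevate=True)
    return first, second, ctx.is_admin
```

Because `enforce` runs before any elevation, a caller whose roles the policy does not list is still rejected when `elevate=True`.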