[Yahoo-eng-team] [Bug 1850280] Re: rejecting move operations with qos ports does not work if the operation is called with non admin user

[Matt Riedemann]

** Also affects: nova/train
   Importance: Undecided
       Status: New

** Also affects: nova/stein
   Importance: Undecided
       Status: New

** Changed in: nova/stein
       Status: New => Triaged

** Changed in: nova/stein
   Importance: Undecided => Medium

** Changed in: nova/train
       Status: New => Triaged

** Changed in: nova/train
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1850280

Title:
  rejecting move operations with qos ports does not work if the
  operation is called with non admin user

Status in OpenStack Compute (nova):
  In Progress
Status in OpenStack Compute (nova) stein series:
  Triaged
Status in OpenStack Compute (nova) train series:
  Triaged

Bug description:
  At the start of the move operation the nova-api checks that the server
  has ports with resource request as some of the move operations are not
  supported for such servers yet. Unfortunately if move the operation is
  called by a non-admin user (either it is a resize, or another move
  operation with explicit policy change) then nova uses the non-admin
  token to query neutron. If the neutron port is queried with a non
  admin token then neutron does not return the resource_request to nova
  in the port response. Therefore nova thinks that the port ha no
  resource request and allows the operation.

  Reproduce in Ussuri
  ===================

  * Boot a server with qos port.
  * Change the nova policy to allow evacuate to be called by the owner of the 
server "os_compute_api:os-evacuate": "rule:admin_or_owner"
  * stop the nova-compute service on the host where the server currently 
running and wait until the controller decides that the compute is done
  * with the non-admin owner initiate the evacuate of the server

  Expected:
  * evacuate rejected

  Actual:
  * evacuate accepted (and later fail due to missing implementation)

  Triage
  ======

  Due to [1] not using an admin client nova does not get the resource
  requests of the attached ports.

  Affected versions and operations
  ================================
  The resize, migrate, live migrate, evacuate, unshelve opertaions are affected 
on master, Train, Stein. 

  [1]
  
https://github.com/openstack/nova/blob/9742a64403c0a0ae5e0b37df5b0bf3ba14ac4626/nova/api/openstack/common.py#L576

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1850280/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp