author:    Ghanshyam Mann <gmann@ghanshyammann.com>  2021-06-02 20:27:09 -0500
committer: Ghanshyam Mann <gmann@ghanshyammann.com>  2021-06-02 20:27:09 -0500
commit:    2c761066e0a2a3eaafa4919ec5102f68d401f050 (patch)
tree:      d067b852aebd43dde9fa67ae0963b1ead0800c9f /nova/policies
parent:    cd084aeeb8a2110759912c1b529917a9d3aac555 (diff)
Remove PROJECT_ADMIN limitation from zero-disk and external-network policy
In Ussuri, we added the PROJECT_ADMIN default policy for the POST /servers API in the case of:

1. forced_host
2. requested_destination
3. zero_disk_flavor
4. network_attach_external [1]

For the first two we have the limitation of project_admin to get the host name and pass it in the POST /servers request. But for the last two (3. zero_disk_flavor, 4. network_attach_external) we do not have such a limitation:

3. zero disk flavor - This policy is checked to protect from the large image and indicating the server should be volume-backed.
   - https://github.com/openstack/nova/blob/c0c2888acaaccfa4266874523f62039cb9e143e0/nova/compute/api.py#L751

4. Attach an unshared external - It depends on the neutron policy for getting an external network. If a user wants to create a server with a net id then they can get the net id from neutron because the neutron policy for GET external network is SYSTEM_OR_PROJECT_READER [2]. Otherwise the requested project's (who is creating the server) networks will be fetched from neutron [3]. So with the neutron default policy there is no limitation here.

[1] https://github.com/openstack/nova/blob/cd084aeeb8a2110759912c1b529917a9d3aac555/nova/policies/servers.py#L189-L217
    https://github.com/openstack/nova/blob/cd084aeeb8a2110759912c1b529917a9d3aac555/nova/policies/servers.py#L279-L314
[2] https://github.com/openstack/neutron/blob/0bdf3b56e0d4ede2d46eed09a4bb07dd3c00807d/neutron/conf>
[3] https://github.com/openstack/nova/blob/7cabd6dc40196aada7e9dba9382b8ae0c2a4bdb6/nova/network/ne>

Change-Id: Ibf45c02fae6f6b0b39dc4de206416f03c801351b
Diffstat (limited to 'nova/policies')
-rw-r--r--  nova/policies/servers.py  20
1 files changed, 0 insertions, 20 deletions
diff --git a/nova/policies/servers.py b/nova/policies/servers.py
index eda3019fe5..54e5301fb9 100644
--- a/nova/policies/servers.py
+++ b/nova/policies/servers.py
@@ -266,16 +266,6 @@ validated by the scheduler filters unlike the
scope_types=['project']),
policy.DocumentedRuleDefault(
name=ZERO_DISK_FLAVOR,
- # TODO(gmann): We need to make it SYSTEM_ADMIN.
- # PROJECT_ADMIN is added for now because create server
- # policy is project scoped and there is no way to
- # pass the project_id in request body for system scoped
- # roles so that create server for other project with zero disk flavor.
- # To achieve that, we need to update the create server API to
- # accept the project_id for whom the server needs to be created
- # and then change the scope of this policy to system-only
- # Because that is API change it needs to be done with new
- # microversion.
check_str=base.PROJECT_ADMIN,
description="""
This rule controls the compute API validation behavior of creating a server
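Review bot: with the TODO block above `check_str=base.PROJECT_ADMIN` removed, the ZERO_DISK_FLAVOR rule no longer records anywhere in the code why it stays at PROJECT_ADMIN rather than moving to SYSTEM_ADMIN; the rationale now lives only in the commit message. A one-line comment in its place, e.g. `# PROJECT_ADMIN is the intended default: this check only guards against large images / enforces volume-backed servers and needs no host information.`, would stop the next reader from re-filing the same TODO. The hunk is otherwise a pure comment deletion: `check_str` and the surrounding `description` are unchanged, so no behaviour or release note is affected.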
@@ -301,16 +291,6 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
scope_types=['system', 'project']),
policy.DocumentedRuleDefault(
name=NETWORK_ATTACH_EXTERNAL,
- # TODO(gmann): We need to make it SYSTEM_ADMIN.
- # PROJECT_ADMIN is added for now because create server
- # policy is project scoped and there is no way to
- # pass the project_id in request body for system scoped
- # roles so that create server for other project or attach the
- # external network. To achieve that, we need to update the
- # create server API to accept the project_id for whom the
- # server needs to be created and then change the scope of this
- # policy to system-only Because that is API change it needs to
- # be done with new microversion.
check_str=base.PROJECT_ADMIN,
description="Attach an unshared external network to a server",
operations=[
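Review bot: same concern as the zero-disk hunk, and here it matters more because the removed comment was the only place that said the external-network case was ever meant to become system-scoped. Since the decision per the commit message is that neutron's own GET external network policy (SYSTEM_OR_PROJECT_READER) already governs who can learn a network id, consider replacing the deleted block with a short comment stating that NETWORK_ATTACH_EXTERNAL intentionally remains PROJECT_ADMIN for that reason, so the description "Attach an unshared external network to a server" and the check string read as a settled default rather than an interim one. The `check_str` line itself is unchanged, so the patch does not alter enforcement.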