Customized rule in /etc/nova/policy.json not applied to some nova commands
Issue
- /etc/nova/policy.json was updated with the following:
# diff policy.json policy.json.orig
3d2
< "is_nfvadm": "role:nfvadm",
112c111
< "compute_extension:aggregates": "rule:admin_api or rule:is_nfvadm",
---
> "compute_extension:aggregates": "rule:admin_api",
160c159
< "compute_extension:hypervisors": "rule:admin_api or rule:is_nfvadm",
---
> "compute_extension:hypervisors": "rule:admin_api",
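Review bot: compute_extension:hypervisors now admits rule:is_nfvadm, yet the nova hypervisor-list, hypervisor-servers and hypervisor-uptime calls further down still fail with "User does not have admin privileges", which is not the wording a policy-rule denial produces; worth checking whether an admin check outside policy.json is still enforced on that code path in RHOSP 7 before editing more targets.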
286,287c285,286
< "os_compute_api:os-aggregates:discoverable": "rule:admin_api or rule:is_nfvadm",
< "os_compute_api:os-aggregates:index": "rule:admin_api or rule:is_nfvadm",
---
> "os_compute_api:os-aggregates:discoverable": "",
> "os_compute_api:os-aggregates:index": "rule:admin_api",
357c356
< "os_compute_api:os-flavor-manage": "rule:admin_api or rule:is_nfvadm",
---
> "os_compute_api:os-flavor-manage": "rule:admin_api",
373,376c372,375
< "os_compute_api:os-hosts": "rule:admin_api or rule:is_nfvadm",
< "os_compute_api:os-hosts:discoverable": "rule:admin_api or rule:is_nfvadm",
< "os_compute_api:os-hypervisors": "rule:admin_api or rule:is_nfvadm",
< "os_compute_api:os-hypervisors:discoverable": "rule:admin_or_owner or rule:is_nfvadm",
---
> "os_compute_api:os-hosts": "rule:admin_api",
> "os_compute_api:os-hosts:discoverable": "",
> "os_compute_api:os-hypervisors": "rule:admin_api",
> "os_compute_api:os-hypervisors:discoverable": "",
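Review bot: the two :discoverable targets in this hunk are now inconsistent with each other and stricter than before: os-hosts:discoverable uses rule:admin_api, os-hypervisors:discoverable uses rule:admin_or_owner (the only place in the edit that alias appears), while both were "" in the original. Suggest restoring both to "" as in policy.json.orig, or at least using one form for both; note also that neither admin_api nor admin_or_owner is defined anywhere in this diff, so both are relied on from the untouched part of the file.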
- A new role, nfvadm, was created and granted to the user test2 on project test:
$ openstack role list --user test2 --project test
+----------------------------------+----------+---------+-------+
| ID                               | Name     | Project | User  |
+----------------------------------+----------+---------+-------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | test    | test2 |
| 75930ab4414a4eca984242d36b4a6d4f | nfvadm   | test    | test2 |
+----------------------------------+----------+---------+-------+
- The following commands still don't work in RHOSP 7 but do work in RHOSP 8:
[root@host01 nova(keystone_test2)]# nova hypervisor-list
ERROR (Forbidden): User does not have admin privileges (HTTP 403) (Request-ID: req-2a57857b-adfb-4d64-ae27-1321c4f6a548)
[root@host01 nova(keystone_test2)]# nova hypervisor-servers 1
ERROR (Forbidden): User does not have admin privileges (HTTP 403) (Request-ID: req-567a996b-223c-43b2-a950-0c7c7d41fff8)
[root@host01 nova(keystone_test2)]# nova hypervisor-uptime 1
ERROR (Forbidden): User does not have admin privileges (HTTP 403) (Request-ID: req-b1731da7-ee8b-4b15-8a52-a6d8259e1882)
[root@host01 nova(keystone_test2)]# nova host-list
ERROR (Forbidden): User does not have admin privileges (HTTP 403) (Request-ID: req-074621d7-40b1-463e-8ef4-022cfe41af6e)
[root@host01 nova(keystone_test2)]# nova host-describe host02
ERROR (Forbidden): Describe-resource is admin only functionality (HTTP 403) (Request-ID: req-1aa82041-ea49-4655-8e36-c533fab10d71)
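A small offline checker, added here as an example and not part of this article, that evaluates the customized policy.json rules the way oslo.policy would for a user holding only the _member_ and nfvadm roles, and flags any "rule:" reference whose definition is missing (the sample policy below deliberately misspells is_nfvadm in one entry to show that). The admin_api and admin_or_owner definitions are assumed from nova's default policy.json.

```python
import json
import re

class UndefinedRule(Exception):
    pass  # a 'rule:<name>' reference with no definition in policy.json

# Constructed sample: targets from the diff above plus nova's stock admin_api / admin_or_owner
# aliases (assumed from the default policy.json); the last entry deliberately misspells is_nfvadm.
POLICY_JSON = """{
    "admin_api": "is_admin:True",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "is_nfvadm": "role:nfvadm",
    "compute_extension:hypervisors": "rule:admin_api or rule:is_nfvadm",
    "os_compute_api:os-hypervisors:discoverable": "rule:admin_or_owner or rule:is_nfvadm",
    "os_compute_api:os-hosts": "rule:admin_api or rule:is_nfvadm",
    "os_compute_api:os-flavor-manage": "rule:admin_api or rule:is_nfvadmin"
}"""

def check_atom(atom, creds, target, rules, seen):
    """One 'kind:value' term as oslo.policy evaluates it ('' allows, '!' denies, cycles fail)."""
    if atom in ("", "!"):
        return atom == ""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        if value not in rules:
            raise UndefinedRule(value)
        return value not in seen and check_rule(rules[value], creds, target, rules, seen | {value})
    if kind == "role":
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    if kind == "is_admin":
        return bool(creds.get("is_admin")) == (value == "True")
    # generic check: a credential field against a literal or a %(target_field)s-expanded value
    return str(creds.get(kind)) == (value % target if "%(" in value else value)

def check_rule(expr, creds, target, rules, seen=frozenset()):
    """'and' binds tighter than 'or'; parentheses are not supported by this mini-evaluator."""
    return any(all(check_atom(a.strip(), creds, target, rules, seen)
                   for a in re.split(r"\s+and\s+", clause))
               for clause in re.split(r"\s+or\s+", expr.strip()))

def audit(policy_text, creds, target):
    """Map each API target (names containing ':') to True, False or 'UNDEFINED:<rule>'."""
    rules, out = json.loads(policy_text), {}
    for name, expr in rules.items():
        if ":" not in name:  # bare aliases such as admin_api are building blocks, not API targets
            continue
        try:
            out[name] = check_rule(expr, creds, target, rules)
        except UndefinedRule as e:
            out[name] = "UNDEFINED:" + e.args[0]
    return out
```

Run audit(POLICY_JSON, {"roles": ["_member_", "nfvadm"], "is_admin": False, "project_id": "test"}, {"project_id": "test"}) to see each target's verdict; a target that evaluates True here but still answers HTTP 403 on the API is being denied by something other than policy.json.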
Environment
- Red Hat OpenStack Platform 7.0 (RHOSP)