Customized rule in /etc/nova/policy.json does not work for some nova commands

Solution In Progress

Issue

  • /etc/nova/policy.json was updated with the following:
# diff policy.json policy.json.orig
3d2
<     "is_nfvadm":  "role:nfvadm",
112c111
<     "compute_extension:aggregates": "rule:admin_api or rule:is_nfvadm",
---
>     "compute_extension:aggregates": "rule:admin_api",
160c159
<     "compute_extension:hypervisors": "rule:admin_api or rule:is_nfvadm",
---
>     "compute_extension:hypervisors": "rule:admin_api",
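Review bot: the legacy compute_extension: keys are extended only for aggregates and hypervisors (112c111 and 160c159), while the os_compute_api: changes further down also cover os-hosts and os-flavor-manage; no compute_extension counterpart for hosts or flavor management appears in this diff. If the file defines such keys, give them the same "rule:admin_api or rule:is_nfvadm" value so both key families grant nfvadm the same operations, and record which family the deployed API version reads.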
286,287c285,286
<     "os_compute_api:os-aggregates:discoverable": "rule:admin_api or rule:is_nfvadm",
<     "os_compute_api:os-aggregates:index": "rule:admin_api or rule:is_nfvadm",
---
>     "os_compute_api:os-aggregates:discoverable": "",
>     "os_compute_api:os-aggregates:index": "rule:admin_api",
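Review bot: in 286,287c285,286 the os_compute_api:os-aggregates:discoverable rule goes from "" (no restriction) to "rule:admin_api or rule:is_nfvadm", which narrows who passes that check instead of granting nfvadm anything new. Keep it at "" and limit the change to os_compute_api:os-aggregates:index, unless restricting discoverability is intended, in which case state that in the change description.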
357c356
<     "os_compute_api:os-flavor-manage": "rule:admin_api or rule:is_nfvadm",
---
>     "os_compute_api:os-flavor-manage": "rule:admin_api",
373,376c372,375
<     "os_compute_api:os-hosts": "rule:admin_api or rule:is_nfvadm",
<     "os_compute_api:os-hosts:discoverable": "rule:admin_api or rule:is_nfvadm",
<     "os_compute_api:os-hypervisors": "rule:admin_api or rule:is_nfvadm",
<     "os_compute_api:os-hypervisors:discoverable": "rule:admin_or_owner or rule:is_nfvadm",
---
>     "os_compute_api:os-hosts": "rule:admin_api",
>     "os_compute_api:os-hosts:discoverable": "",
>     "os_compute_api:os-hypervisors": "rule:admin_api",
>     "os_compute_api:os-hypervisors:discoverable": "",
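Review bot: in 373,376c372,375 both :discoverable rules were "" and are now restricted, and os_compute_api:os-hypervisors:discoverable uses rule:admin_or_owner where every other changed line uses rule:admin_api. Restore both :discoverable values to "" or, if the restriction is intended, use the same rule:admin_api base so the custom role is granted consistently.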
  • A new role, nfvadm, was created and granted to the user test2:
$ openstack role list --user test2 --project test
+----------------------------------+----------+---------+-------+
| ID                               | Name     | Project | User  |
+----------------------------------+----------+---------+-------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | test    | test2 |
| 75930ab4414a4eca984242d36b4a6d4f | nfvadm   | test    | test2 |
+----------------------------------+----------+---------+-------+
  • The following commands still don't work in RHOSP 7 but do work in RHOSP 8:
[root@host01 nova(keystone_test2)]# nova hypervisor-list
ERROR (Forbidden): User does not have admin privileges (HTTP 403) (Request-ID: req-2a57857b-adfb-4d64-ae27-1321c4f6a548)
[root@host01 nova(keystone_test2)]# nova hypervisor-servers 1
ERROR (Forbidden): User does not have admin privileges (HTTP 403) (Request-ID: req-567a996b-223c-43b2-a950-0c7c7d41fff8)
[root@host01 nova(keystone_test2)]# nova hypervisor-uptime 1
ERROR (Forbidden): User does not have admin privileges (HTTP 403) (Request-ID: req-b1731da7-ee8b-4b15-8a52-a6d8259e1882)
[root@host01 nova(keystone_test2)]# nova host-list
ERROR (Forbidden): User does not have admin privileges (HTTP 403) (Request-ID: req-074621d7-40b1-463e-8ef4-022cfe41af6e)
[root@host01 nova(keystone_test2)]# nova host-describe host02
ERROR (Forbidden): Describe-resource is admin only functionality (HTTP 403) (Request-ID: req-1aa82041-ea49-4655-8e36-c533fab10d71)

Environment

  • Red Hat OpenStack Platform 7.0 (RHOSP)
