How to allow a user with the member role to view server attributes?


Environment

  • Red Hat OpenStack Platform 16.1

Issue

  • A user with the member role needs to see the server attribute values in the openstack server show <uuid> output.

Resolution

Procedure for making policy file changes (controller nodes).

  • Generate nova policy file:

    # podman exec nova_api oslopolicy-policy-generator  --config-file /etc/nova/nova.conf --namespace nova > policy.json
    
  • Copy the generated policy.json file into the nova configuration directory:

    # cp policy.json /var/lib/config-data/puppet-generated/nova/etc/nova/
    
  • Make sure the following line is present in the file; if it is not, add it:

    # sudo egrep  "os_compute_api:os-extended-server-attributes" /var/lib/config-data/puppet-generated/nova/etc/nova/policy.json                
    "os_compute_api:os-extended-server-attributes": "rule:admin_or_owner"
    
  • Restart the nova-api container

    # podman restart nova_api
    
  • Copy the policy.json file to other controllers at the same location.
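
The check-and-edit step above as an idempotent helper that can be run unchanged on each controller before restarting nova_api, printing the rule's previous value so the change is on record. This is an added example, not Red Hat's or nova's own tooling: ensure_policy_rule is a hypothetical name, and it assumes the policy file holds one "key": "value" rule per line, as in the egrep output above.

```bash
#!/usr/bin/env bash
# Added example: idempotently set one rule in a nova policy file that holds
# one rule per line as "key": "value" (the layout of the egrep output above).
# ensure_policy_rule is a hypothetical helper, not a nova or oslo.policy tool.
# Usage on a controller (path and rule taken from the procedure):
#   ensure_policy_rule /var/lib/config-data/puppet-generated/nova/etc/nova/policy.json \
#       "os_compute_api:os-extended-server-attributes" "rule:admin_or_owner"

ensure_policy_rule() {
    local file="$1" key="$2" want="$3" current tmp found=0
    [ -f "$file" ] || { echo "policy file not found: $file" >&2; return 2; }

    # A brace-wrapped JSON document needs a JSON-aware edit; refuse it.
    if grep -q '^[[:space:]]*{' "$file"; then
        echo "brace-wrapped JSON is not handled: $file" >&2
        return 3
    fi

    # Value on the last uncommented line that defines the key (exit 1 if none).
    current=$(awk -v k="\"$key\"" '
        { l = $0; sub(/^[ \t]+/, "", l) }
        index(l, k) == 1 {
            rest = substr(l, length(k) + 1)
            if (sub(/^[ \t]*:[ \t]*"/, "", rest) && sub(/"[ \t]*$/, "", rest)) {
                v = rest; hit = 1
            }
        }
        END { if (!hit) exit 1; print v }' "$file") && found=1

    if [ "$found" = 1 ] && [ "$current" = "$want" ]; then
        echo "unchanged"
        return 0
    fi

    cp -p "$file" "$file.bak"      # keep the previous policy for rollback
    tmp=$(mktemp)
    if [ "$found" = 1 ]; then
        awk -v k="\"$key\"" -v new="\"$key\": \"$want\"" '
            { l = $0; sub(/^[ \t]+/, "", l) }
            index(l, k) == 1 && substr(l, length(k) + 1) ~ /^[ \t]*:/ { print new; next }
            { print }' "$file" > "$tmp"
        echo "replaced (was: $current)"
    else
        { awk '{ print }' "$file"; printf '"%s": "%s"\n' "$key" "$want"; } > "$tmp"
        echo "added"
    fi
    cat "$tmp" > "$file"           # overwrite in place: owner, mode and SELinux label stay
    rm -f "$tmp"
}
```

The helper prints unchanged, added, or replaced (was: <old value>); the old value matters here because the new rule makes compute host and hypervisor names visible to project members.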

Root Cause

  • By default, a user with the member role does not have the privileges to view the server attributes in the openstack server show <uuid> output.

Diagnostic Steps

  • User with member role:

    (overcloud) [stack@undercloud ~]$ openstack role assignment list --user test --name
    +--------+---------------+-------+---------------+--------+--------+-----------+
    | Role   | User          | Group | Project       | Domain | System | Inherited |
    +--------+---------------+-------+---------------+--------+--------+-----------+
    | member | test@Default  |       | admin@Default |        |        | False     |
    
  • For member role, the default server show output doesn't show the server attributes:

    | OS-DCF:diskConfig           | MANUAL                                                                             |
    | OS-EXT-AZ:availability_zone | nova                                                                               |
    | OS-EXT-STS:power_state      | NOSTATE                                                                            |
    | OS-EXT-STS:task_state       | None                                                                               |
    | OS-EXT-STS:vm_state         | stopped                                                                            |
    | OS-SRV-USG:launched_at      | 2021-06-16T07:38:11.000000                                                         |
    | OS-SRV-USG:terminated_at    | None                                                                               |
    
  • For the member role, the server show output includes the server attributes after the custom nova policy is modified:

    | OS-EXT-SRV-ATTR:host                | overcloud-novacomputeiha-0.localdomain  |
    | OS-EXT-SRV-ATTR:hostname            | stack1-server-swo5tstxcjxb              |
    | OS-EXT-SRV-ATTR:hypervisor_hostname | overcloud-novacomputeiha-0.localdomain  |
    | OS-EXT-SRV-ATTR:instance_name       | instance-00000100                       |
    | OS-EXT-SRV-ATTR:kernel_id           |                                         |
    | OS-EXT-SRV-ATTR:launch_index        | 0                                       |
    | OS-EXT-SRV-ATTR:ramdisk_id          |                                         |
    | OS-EXT-SRV-ATTR:reservation_id      | r-tdm70r62                              |
    | OS-EXT-SRV-ATTR:root_device_name    | /dev/vda                                |
    | OS-EXT-SRV-ATTR:user_data           |                                         |
    
