Merge "Default zero disk flavor to RULE_ADMIN_API in Stein"

Zuul 2019-02-15 02:18:05 +00:00 committed by Gerrit Code Review
commit c49d8eeae5
4 changed files with 20 additions and 6 deletions


@ -154,8 +154,7 @@ rules = [
]),
policy.DocumentedRuleDefault(
ZERO_DISK_FLAVOR,
# TODO(mriedem): Default to RULE_ADMIN_API in Stein.
RULE_AOO,
base.RULE_ADMIN_API,
"""
This rule controls the compute API validation behavior of creating a server
with a flavor that has 0 disk, indicating the server should be volume-backed.
@ -170,9 +169,6 @@ if users can upload their own images since repeated attempts to
create a disk=0 flavor instance with a large image can exhaust
the local disk of the compute (or shared storage cluster). See bug
https://bugs.launchpad.net/nova/+bug/1739646 for details.
This rule defaults to ``rule:admin_or_owner`` for backward compatibility but
will be changed to default to ``rule:admin_api`` in a subsequent release.
""",
[
{
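Review bot: With the closing paragraph of the `ZERO_DISK_FLAVOR` description removed, the rule text no longer records that the default was ever different. An operator reading the generated policy documentation during an upgrade has no hint that non-admin behaviour changed. A short sentence at the end of the docstring would keep that history next to the rule, for example `Prior to Stein this rule defaulted to ``rule:admin_or_owner``; it now defaults to ``rule:admin_api``.` The middle of the description sits outside the shown hunks, so this may already be covered there.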


@ -67,6 +67,7 @@ from nova.objects import block_device as block_device_obj
from nova.objects import fields as obj_fields
from nova.objects import instance as instance_obj
from nova.objects import migrate_data as migrate_data_obj
from nova.policies import servers as servers_policy
from nova import test
from nova.tests import fixtures
from nova.tests.unit.compute import eventlet_utils
@ -13340,6 +13341,9 @@ class CheckRequestedImageTestCase(test.TestCase):
image, self.instance_type, None)
def test_root_gb_zero_disables_size_check(self):
self.policy.set_rules({
servers_policy.ZERO_DISK_FLAVOR: servers_policy.RULE_AOO
}, overwrite=False)
self.instance_type['root_gb'] = 0
image = dict(id='123', status='active', size='1073741825')
@ -13347,6 +13351,9 @@ class CheckRequestedImageTestCase(test.TestCase):
image, self.instance_type, None)
def test_root_gb_zero_disables_min_disk(self):
self.policy.set_rules({
servers_policy.ZERO_DISK_FLAVOR: servers_policy.RULE_AOO
}, overwrite=False)
self.instance_type['root_gb'] = 0
image = dict(id='123', status='active', min_disk='2')
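Review bot: The `set_rules` overrides in `test_root_gb_zero_disables_size_check` and `test_root_gb_zero_disables_min_disk` pin `servers_policy.ZERO_DISK_FLAVOR` back to `RULE_AOO`. These tests therefore keep exercising the old owner-permitted path, and nothing visible in this section covers the new admin-only default. A companion case that leaves the default in place and asserts that a non-admin context with `root_gb = 0` and an image-backed request is refused would protect the hardening against regression; such a test may already exist outside the shown hunks. A comment above each override would also explain the intent, e.g. `# Default is admin-only as of Stein; allow owners so the disk=0 path is still reached.` Both test bodies continue past the end of their hunks.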


@ -337,6 +337,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-quota-class-sets:update",
"os_compute_api:os-server-external-events:create",
"os_compute_api:os-volumes-attachments:update",
"os_compute_api:servers:create:zero_disk_flavor",
"os_compute_api:servers:migrations:index",
"os_compute_api:servers:migrations:show",
)
@ -374,7 +375,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:servers:create:attach_network",
"os_compute_api:servers:create:attach_volume",
"os_compute_api:servers:create:trusted_certs",
"os_compute_api:servers:create:zero_disk_flavor",
"os_compute_api:servers:create_image",
"os_compute_api:servers:delete",
"os_compute_api:servers:detail",


@ -0,0 +1,11 @@
---
upgrade:
- |
The defalut value for policy rule
``os_compute_api:servers:create:zero_disk_flavor`` has changed from
``rule:admin_or_owner`` to ``rule:admin_api`` which means that by default,
users without the admin role will not be allowed to create servers using
a flavor with ``disk=0`` *unless* they are creating a volume-backed server.
If you have these kinds of flavors, you may need to take action or
temporarily override the policy rule. Refer to
`bug 1739646 <https://launchpad.net/bugs/1739646>`_ for more details.