RDP console was only for HyperV driver so removing the
API. As API url stay same (because same used for other
console types API), RDP console API will return 400.
Cleaning up the related config options as well as moving its
API ref to obsolete seciton.
Keeping RPC method to avoid error when old controller is used
with new compute. It can be removed in next RPC version bump.
Change-Id: I8f5755009da4af0d12bda096d7a8e85fd41e1a8c
This chnage adds the pre-commit config and
tox targets to run codespell both indepenetly
and via the pep8 target.
This change correct all the final typos in the
codebase as detected by codespell.
Change-Id: Ic4fb5b3a5559bc3c43aca0a39edc0885da58eaa2
this is the inital patch of applying codespell to nova.
codespell is a programing focused spellchecker that
looks for common typos and corrects them.
i am breaking this into multiple commits to make it simpler
to read and will automate the execution of codespell
at the end of the series.
Change-Id: If24a6c0a890f713545faa2d44b069c352655274e
We add a new specific policy when a host value is provided for cold-migrate,
but by default it will only be an admin-only rule in order to not change
the behaviour.
Change-Id: I128242d5f689fdd08d74b1dcba861177174753ff
Implements: blueprint cold-migrate-to-host-policy
This policy is missed to default to legacy admin in
- https://review.opendev.org/c/openstack/nova/+/849209
Making tenant network policy also default to PROJECT_READER_OR_ADMIN.
Change-Id: I1097d948f8c10ff99c54e8c369a7058ea14e6934
While discussing the new RBAC (scope_type and project admin vs
system admin things) with operators in berlin ops meetup and
via emails, and policy popup meetings, we got the feedback that
we need to keep the legacy admin behaviour same as it is otherwise
it is going to be a big breaking change for many of the operators.
Same feedback for scope_type.
- https://etherpad.opendev.org/p/BER-2022-OPS-SRBAC
- https://etherpad.opendev.org/p/rbac-operator-feedback
By considering the feedback, we decided to postpone the
system scope implementation, release project reader
role and not to change the legacy admin behaviour.
To keep the legacy admin behaviour unchanged, we need to
modify our policy new default so that legacy admin continue
to have the access to the APIs they are able to access in
old RBAC. Basically the below changes:
- PROJECT_ADMIN -> ADMIN (legacy admin who can do things in all projects)
- PROJECT_MEMBER -> PROJECT_MEMBER_OR_ADMIN (give access to legacy admin too)
- PROJECT_READER -> PROJECT_READER_OR_ADMIN (give access to legacy admin too)
Complete direction on RBAC is updated in community wide goal
- https://review.opendev.org/c/openstack/governance/+/847418/13
Change-Id: I37e706f75a36fb27da1bdd5fba671cb1bcadc745
In line with the recent RBAC working group discussion and operator
feedback, this converts all our APIs back to project-only. It leaves
the actual scope_types in place, with them all set to project. This
allows an operator to turn on scope checking to *ensure* that only
project-scoped tokens are used, in case system scope is in use
elsewhere in the deployment (i.e. for keystone or ironic). Without
this, system scoped tokens will fail some operations in strange
(read: 500 and "database error") ways.
Change-Id: I951a11affa1d1e42863967cdc713618ff0a74814
This adds support to the REST API, in a new microversion, for specifying
a destination host to unshelve server action when the server
is shelved offloaded.
This patch also supports the ability to unpin the availability_zone of an
instance that is bound to it.
Note that the functional test changes are due to those tests using the
"latest" microversion 2.91.
Implements: blueprint unshelve-to-host
Change-Id: I9e95428c208582741e6cd99bd3260d6742fcc6b7
After moving the nova APIs policy as per the new guidlines
where system scoped token will be only allowed to access
system level APIs and will not be allowed any operation
on project level APIs. With that we do not need below
base rules (who have hardcoded 'system_scope:all' check_str):
- system_admin_api
- system_reader_api
- system_admin_or_owner
- system_or_project_reader
At this stage (phase-1 target), we allow below roles as targeted
in phase-1 [1]
1. ADMIN(this is System Administrator with scope_type 'system'
when scope enabled otherwise legacy admin)
2. PROJECT_ADMIN
3. PROJECT_MEMBER
4. PROJECT_READER
& below one specific to nova
5. PROJECT_READER_OR_ADMIN (to allow system admin and project reader
to list flavor extra specs)
This complete the phase-1 of RBAC community-wide goal[2] for nova.
Add release notes too.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#how-operator
[2] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#yoga-timeline-7th-mar-2022
Partial implement blueprint policy-defaults-refresh-2
Change-Id: I075005d13ff6bfe048bbb21d80d71bf1602e4c02
Flavor extra specs index policy is used to show flavor
extra specs in flavor as well as server APIs response.
As per RBAC new guidelines, we are restricting project level
respurces APIs to project scoped only. To do that, we are
separating the flavor extra specs index policy for server
APIs and make them only for project scoped.
Partial implement blueprint policy-defaults-refresh-2
Change-Id: I9cfb61dabe6f98cb057aad9702f9d355c415fda6
As per the RBAC new direction, we will allow
project resources operation to be performed by
the project scoped token only and system user will
be allowed to perform system level operation only
not project resources specific.
Details about new direction can be found in community-wide
goal
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
This commit modify remaining APIs as per the new guidelines.
Also, allow all project admin to list the other project limits. This is
what we allowed in legacy policy and until we have domain admin or other
way to list other project resources/info, we will keep that behaviour.
Also modifying and adding tests for four cases:
1. enforce_scope=False + legacy rule (current default policies)
2. enforce_scope=False + No legacy rule
3. enforce_scope=True + legacy rule
4. enforce_scope=True + no legacy rule (end goal of new RBAC)
Partial implement blueprint policy-defaults-refresh-2
Change-Id: I006d47aa2f4678a06c78057bcf407302abbe4907
As per the RBAC new direction, we will allow
project resources operation to be performed by
the project scoped token only and system user will
be allowed to perform system level operation only
not project resources specific.
Details about new direction can be found in community-wide
goal
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
This commit modify the server action APIs to be scoped
to project scope.
Fix the shelve-offload policy to pass the instance project
id as target.
Also modifying and adding tests for four cases:
1. enforce_scope=False + legacy rule (current default policies)
2. enforce_scope=False + No legacy rule
3. enforce_scope=True + legacy rule
4. enforce_scope=True + no legacy rule (end goal of new RBAC)
Partial implement blueprint policy-defaults-refresh-2
Change-Id: I5293e9aa9cb3b48f97a5a2cf272939ada1aea2db
As per the RBAC new direction, we will allow
project resources operation to be performed by
the project scoped token only and system user will
be allowed to perform system level operation only
not project resources specific.
Details about new direction can be found in community-wide
goal
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
This commit modify more projects level APIs to be scoped
to project only.
Also modifying and adding tests for four cases:
1. enforce_scope=False + legacy rule (current default policies)
2. enforce_scope=False + No legacy rule
3. enforce_scope=True + legacy rule
4. enforce_scope=True + no legacy rule (end goal of new RBAC)
Partial implement blueprint policy-defaults-refresh-2
Change-Id: I6731aa6edd0c6bed5edb9eaaaa98b5e43aaeeb74
As per the new direction, we will move all the
system level policies to system admin even GET
policies. system reader will be added in next phase
in future cycle.
To dissociate the scope checks form the new defaults,
check_str is added as 'admin' rule (role:admin) without
'system:all'. So that policy with that admin rule and
scope_type as 'system' works like:
- with enforce_scope=false, legacy or project admin still able to
access the system level APIs.
- with enforce_scope=True, only system user with admin role can
access the system level APIs.
Also modifying and adding tests for four cases:
1. enforce_scope=False + legacy rule (current default policies)
2. enforce_scope=False + No legacy rule
3. enforce_scope=True + legacy rule
4. enforce_scope=True + no legacy rule (end goal of new RBAC)
Partial implement blueprint policy-defaults-refresh-2
Change-Id: I344276d2ab054311a4b6c34c6998e116e7507246
This attempts to move us back to just allowing project-scoped tokens
for project resources when scope checking is enabled. It does it for
servers and flavor_extra_specs, since the latter depends on the policy
of the former.
There is a lot more churn in here than just that conversion, as I
added a helper method and moved from using two lists for everything to
one. Had I known I was going to do that initially, I would have done
it in a refactor first, but alas getting things to work ended up being
easier if I used that approach, and thus did them together. That could
be pulled out (with some effort) if people feel strongly about it,
but hopefully this can just set the base for going forward.
This also adds a new test scenario to both servers and extra_specs,
which validates that we can enable the new rules without scope
checking enabled.
Change-Id: I395d97558c36200a6f6ba7c804ab2a9ac5e51d04
Indicate that the 'os_compute_api:os-extended-server-attributes' will no
longer control visibility of the 'OS-EXT-SRV-ATTR:hostname' attribute in
a future release, following a deprecation period.
Change-Id: I981a3bdb6c2f11f294cbb01689cf927d216b2439
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Add microversion 2.90, which allows allows users to configure the
hostname that will be exposed via the nova metadata service when
creating their instance.
Change-Id: I95047c1689ac14fa73eba48e19dc438988b78aad
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Since 3.7.0, oslo policy started the DeprecationWarning[1] if
deprecated_reason and deprecated_since param are not passed
in DeprecatedRule or they are passed in RuleDefault object.
[1] https://github.com/openstack/oslo.policy/blob/3.7.0/oslo_policy/policy.py#L1538
Change-Id: Idbbc203c6ae65aee29f9463a4911bae2bb541f41
In Ussuri, we added the PROJECT_ADMIN default policy for POST /servers
API in case of 1. forced_host 2. requested_destination 3. zero_disk_flavor
4. network_attach_external [1]. For 1st two we have the limitation of
project_admin to get the host name and pass it in POST /servers request.
But for last two (3. zero_disk_flavor, 4. network_attach_external) we do
not have such limitation:
3. zero disk flavor - This policy is checked to protect from the large image
and indicating the server should be volume-backed.
- c0c2888aca/nova/compute/api.py (L751)
4. Attach an unshared external - It depends on neutron policy for
get external network. If user want to create server with net id then
they can get net id from neutron because neutron policy for GET external
network is SYSTEM_OR_PROJECT_READER[2]. Otherwise requested projects
(who is creating server) networks will be fetched from neutron[3]. so
with neutron default policy there is no limitation here.
[1]
cd084aeeb8/nova/policies/servers.py (L189-L217)cd084aeeb8/nova/policies/servers.py (L279-L314)
[2] 0bdf3b56e0/neutron/conf>
[3] 7cabd6dc40/nova/network/ne>
Change-Id: Ibf45c02fae6f6b0b39dc4de206416f03c801351b
This one is tied into an admin action in the server actions API, which
means we must remove that API action also. Otherwise, this isn't too
crazy.
Change-Id: I58343b94b67915062d044fa0f53aeab01b77738f
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
This was only useful with XenAPI and can therefore be removed.
Change-Id: I9512f605dd2b3b0e88c951ed086250d57056303d
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
1. Add testing context 'self.other_project_reader_context'
for remaining tests.
2. Replace REQUESTED_DESTINATION policy check_str with 'PROJECT_ADMIN'
so that it will easy to remove the deprecated RULE_ADMIN_API rule.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: Ibf88029af32376788134427be99d219784f8e333
This adds new defaults roles in FIP API policies.
These policies are made granular and default to
PROJECT_READER_OR_SYSTEM_READER and PROJECT_MEMBER_OR_SYSTEM_ADMIN.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I6dcc8db9178aef59017968a3172ab463cd74754d
This adds new defaults roles in networks API policies.
These policies are made granular and default to
PROJECT_READER_OR_SYSTEM_READER.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: Idcccdf6b3a1638cf140b5c4f887abbed85c5d7dc
This adds scope_type and new defaults roles in extensions
API policies. These policies are for extensions API which are
kept only for backward compatibility of v2.0 but nova does not
have extensions concept now and return only hard-coded info. So
these policies are not made granular.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I062e556feb5cc85d179fed9b675e4ab33ca3365a
This adds new defaults roles in baremetal nodes API policies.
These policies are default to SYSTEM_READER and made more
granular to adopt the new defaults.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: Ieaad388d31fdabf0854bf7e2ed9fddf11f86bf8c
This adds new defaults roles in volumes API policies.
These policies are made granular and default to
PROJECT_READER_OR_SYSTEM_READER and PROJECT_MEMBER_OR_SYSTEM_ADMIN.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I37fa825b0e915e83da7023564a29811dcdfa058d
This adds new defaults roles in hosts API policies.
These policies are made granular and default to
SYSTEM_READER and SYSTEM_ADMIN.
Also pass the actual targets which is empty dict in
hosts policy.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I159aaa37e1c238b484619a9951da7e63774024cb
This adds new defaults roles in security_groups API policies.
These policies are made granular and default to
PROJECT_READER_OR_SYSTEM_READER and PROJECT_MEMBER_OR_SYSTEM_ADMIN.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: Ie1ea066e9683fc44d486bcde1eb0f01fca7645c7
This adds new defaults roles in tenant networks API policies.
These policies are made granular and default to
PROJECT_READER_OR_SYSTEM_READER.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I9b7154680b19f76cb97a6c861657ca2f5cad0004
This adds new defaults roles in multinic API policies.
These policies are made granular and default to
PROJECT_MEMBER_OR_SYSTEM_ADMIN.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I1b2c741e86431963fb4f0696509bed01351afac2