openstack
/
nova
Code Issues Proposed changes
nova/api-ref/source
History
Matt Riedemann 8392c7f265 Add policy rule to block image-backed servers with 0 root disk flavor 
This adds a new policy rule which defaults to behave in a
backward compatible way, but will allow operators to enforce
that servers created with a zero disk flavor must also be
volume-backed servers.

Allowing users to upload their own images and create image-backed
servers on local disk with zero root disk size flavors can be
potentially hazardous if the size of the image is unexpectedly
large, since it can consume the local disk (or shared storage pool).

It should be noted that disabling the new policy rule will
result in a non-backward compatible API behavior change and no
microversion is being introduced for this because enforcement via
a new microversion would not close the security gap on any previous
microversions.

Related compute API reference and user documentation is updated
to mention the policy rule along with a release note since
this is tied to a security bug, which will be backported to stable
branches.

Conflicts:
      api-ref/source/parameters.yaml
      doc/source/admin/flavors2.rst
      nova/policies/servers.py
      nova/tests/functional/wsgi/test_servers.py

NOTE(mriedem): The api-ref/source/parameters.yaml conflict is due
to If646149efb7eec8c90bf7d07c39ff4c495349941 not being in Pike.
The doc/source/admin/flavors2.rst conflict is due to the doc
not being in Ocata - it was migrated from the central admin-guide
in Ifa0039e270e54ea2fb58ab18ce6724e5e8e061a1.
The nova/policies/servers.py conflict is due to two changes in Pike:
I17b6ca6e17c777ae7d337bf70ec4774ffe5187a8 and
I050c4f5f19aa79a682e076cc3e47eba597f272dd. The DocumentedRuleDefault
class was added to oslo.policy starting in 1.21.1 in Pike which is
newer than what stable/ocata supports in global-requirements so we
can't use it in this backport.
The nova/tests/functional/wsgi/test_servers.py conflict is due to
Ifcaaf285c8f98a1d0e8bbbc87b2f57fbce057346 and
I294c54e5a22dd6e5b226a4b00e7cd116813f0704 not being in Ocata.

Change-Id: Id67e1285a0522474844de130c9263e11868f67fb
Closes-Bug: #1739646
(cherry picked from commit 763fd62464)
(cherry picked from commit 7bcd581c78)
(cherry picked from commit 0bf75621bb)
 		2018-06-18 14:16:11 -04:00
..
conf.py Removes unnecessary utf-8 encoding 2016-12-20 10:27:01 +07:00
diagnostics.inc Merge "Add more description for rx and tx param" 2016-12-12 06:52:03 +00:00
extensions.inc Enable all extension for all remaining sample tests 2016-06-10 06:03:02 +00:00
flavors.inc Correct sort_key and sort_dir parameter for flavor 2016-09-13 08:28:26 +00:00
images.inc Better wording for micorversion 2.36 2016-12-10 18:49:13 +08:00
index.rst Replace "Openstack" with "OpenStack" 2016-12-22 23:15:37 +08:00
ips.inc API Ref: update server_id params 2016-11-11 14:01:51 -05:00
limits.inc [proxy-api] microversion 2.39 deprecates image-metadata proxy API 2016-12-07 19:22:43 +03:00
metadata.inc api-ref: fix server_id in metadata docs 2016-11-12 12:15:04 -05:00
os-agents.inc api-ref: body verification of os-agents 2016-07-08 02:03:07 +00:00
os-aggregates.inc Return uuid attribute for aggregates 2017-01-05 14:32:43 -05:00
os-assisted-volume-snapshots.inc api-ref: unify the no response output in delete operation 2016-07-25 16:13:45 +08:00
os-availability-zone.inc api-ref: Fix a parameter in os-availability-zone.inc 2017-01-18 10:02:18 +00:00
os-baremetal-nodes.inc Better wording for micorversion 2.36 2016-12-10 18:49:13 +08:00
os-cells.inc Fix some typos 2016-06-13 13:44:53 +08:00
os-certificates.inc Trival fix typos in api-ref 2016-12-21 21:50:55 +08:00
os-cloudpipe.inc Complete verification for os-cloudpipe.inc 2016-09-14 07:06:06 +00:00
os-consoles.inc make 2.31 microversion wording better 2016-12-21 15:08:18 +08:00
os-fixed-ips.inc Better wording for micorversion 2.36 2016-12-10 18:49:13 +08:00
os-flavor-access.inc remove /v2.1/{tenant_id} from all urls 2016-06-03 08:47:33 -04:00
os-flavor-extra-specs.inc Add flavor extra_spec info link to api_ref 2016-11-10 06:10:14 +00:00
os-floating-ip-dns.inc Better wording for micorversion 2.36 2016-12-10 18:49:13 +08:00
os-floating-ip-pools.inc Better wording for micorversion 2.36 2016-12-10 18:49:13 +08:00
os-floating-ips-bulk.inc Better wording for micorversion 2.36 2016-12-10 18:49:13 +08:00
os-floating-ips.inc Better wording for micorversion 2.36 2016-12-10 18:49:13 +08:00
os-fping.inc Better wording for micorversion 2.36 2016-12-10 18:49:13 +08:00
os-hosts.inc remove /v2.1/{tenant_id} from all urls 2016-06-03 08:47:33 -04:00
os-hypervisors.inc api-ref: Fix path parameters in os-hypervisors.inc 2017-01-26 23:40:12 +00:00
os-instance-actions.inc Complete verification of os-instance-actions.inc 2016-07-26 02:53:42 +00:00
os-instance-usage-audit-log.inc api-ref: Fix description of os-instance-usage-audit-log 2016-12-14 11:22:50 -05:00
os-interface.inc Body verification of os-interface.inc 2016-07-06 16:54:46 +08:00
os-keypairs.inc api-ref: use the examples with paging links 2017-01-05 10:56:13 -05:00
os-migrations.inc remove /v2.1/{tenant_id} from all urls 2016-06-03 08:47:33 -04:00
os-networks.inc Better wording for micorversion 2.36 2016-12-10 18:49:13 +08:00
os-quota-sets.inc api-ref: Fix parameters and response in os-quota-sets.inc 2017-01-16 00:12:20 +00:00
os-security-group-default-rules.inc Better wording for micorversion 2.36 2016-12-10 18:49:13 +08:00
os-security-group-rules.inc Better wording for micorversion 2.36 2016-12-10 18:49:13 +08:00
os-security-groups.inc Better wording for micorversion 2.36 2016-12-10 18:49:13 +08:00
os-server-external-events.inc remove /v2.1/{tenant_id} from all urls 2016-06-03 08:47:33 -04:00
os-server-groups.inc api-ref: Fix parameters in os-server-groups.inc 2017-01-03 23:29:37 +00:00
os-server-password.inc API Ref: update server_id params 2016-11-11 14:01:51 -05:00
os-server-tags.inc Stop allowing tags as empty string 2016-12-14 12:23:24 +00:00
os-services.inc API Ref: update server_id params 2016-11-11 14:01:51 -05:00
os-simple-tenant-usage.inc Merge "api-ref: microversion 2.40 overview" 2017-01-06 13:20:10 +00:00
os-tenant-network.inc api-ref: add notes about POST/DELETE errors for os-tenant-networks 2016-12-29 16:44:22 -05:00
os-virtual-interfaces.inc api-ref: note that os-virtual-interfaces is nova-network only 2016-12-07 14:36:24 -05:00
os-volume-attachments.inc api-ref: Fix 'id' (attachment_id) parameters 2016-12-13 06:18:05 +00:00
os-volumes.inc Better wording for micorversion 2.36 2016-12-10 18:49:13 +08:00
parameters.yaml Add policy rule to block image-backed servers with 0 root disk flavor 2018-06-18 14:16:11 -04:00
server-migrations.inc api-ref: body verification for abort live migration 2016-11-16 09:48:10 -05:00
server-security-groups.inc API Ref: update server_id params 2016-11-11 14:01:51 -05:00
servers-action-console-output.inc Add document update for get console usage 2016-12-20 21:18:05 +08:00
servers-action-crash-dump.inc remove /v2.1/{tenant_id} from all urls 2016-06-03 08:47:33 -04:00
servers-action-deferred-delete.inc remove /v2.1/{tenant_id} from all urls 2016-06-03 08:47:33 -04:00
servers-action-evacuate.inc API Ref: update server_id params 2016-11-11 14:01:51 -05:00
servers-action-fixed-ip.inc API Ref: update server_id params 2016-11-11 14:01:51 -05:00
servers-action-remote-consoles.inc api-ref: console types. 2016-06-14 15:58:32 +02:00
servers-action-shelve.inc API Ref: update server_id params 2016-11-11 14:01:51 -05:00
servers-actions.inc [proxy-api] microversion 2.39 deprecates image-metadata proxy API 2016-12-07 19:22:43 +03:00
servers-admin-action.inc Merge "correct misleading wording" 2017-01-06 17:48:23 +00:00
servers.inc Fix tag attribute disappearing in 2.33 and 2.37 2017-01-30 19:38:46 -05:00
urls.inc [api-ref] Minor text clean-up, formatting 2016-11-29 12:31:46 -05:00
versions.inc Trival fix typos in api-ref 2016-12-21 21:50:55 +08:00