nova policy overide (by quqi99)

2023-10-26

作者：张华发表于：2023-05-19
版权声明：可以任意转载，转载时请务必以超链接形式标明文章原始出处和作者信息及本版权声明

Problem

ExternalNetworkAttachForbidden will be thrown when non-admin user is using unshared external network

Reproduce the problem

./xxx.sh -s focal --name ovn --num-compute 1 --ovn --use-stable-charms --run
./configure

openstack domain create aaa_domain
openstack project create myproject --domain aaa_domain
openstack user create --project myproject --domain aaa_domain --password password user1
openstack role add --user user1 --project myproject --user-domain aaa_domain Member
openstack role assignment list --project myproject --name
export OS_REGION_NAME=RegionOne
export OS_AUTH_URL=https://10.5.0.52:5000/v3
export OS_PROJECT_DOMAIN_NAME=aaa_domain
export OS_USERNAME=user1
export OS_AUTH_TYPE=password
export OS_USER_DOMAIN_NAME=aaa_domain
export OS_PROJECT_NAME=myproject
export OS_PASSWORD=password
export OS_IDENTITY_API_VERSION=3

openstack network set --external private
$ openstack network show private |grep -E 'share|exter'
| router:external | External |
| shared | False |

juju config nova-cloud-controller use-policyd-override=false
openstack server create --wait --image jammy --flavor m1.small --key-name testkey --nic net-id=$(openstack network show private -cid -fvalue) i1

$ openstack server show i1 |grep fault
| fault | {'code': 500, 'created': '2023-05-17T05:58:50Z', 'message': 'Build of instance 9f7bbcaf-6f9f-481b-bfc3-1096b44b4dea aborted: Failed to allocate the network(s), not rescheduling.'} |

$ juju ssh nova-compute/0 -- grep -r 'ExternalNetworkAttachForbidden' /var/log/nova/ |tail -n1
Connection to 10.5.3.103 closed.
/var/log/nova/nova-compute.log:2023-05-17 05:58:49.684 12137 ERROR nova.compute.manager [instance: 9f7bbcaf-6f9f-481b-bfc3-1096b44b4dea] nova.exception.ExternalNetworkAttachForbidden: It is not allowed to create an interface on external network fc56660e-8595-44af-a7a8-36c79c1d199a

Using policy overide to fix it

the specified rules: “project_admin_api” and “project_member_api,” have been deprecated since Ussuri - https://github.com/openstack/nova/blob/dfda0c0482acf579452742860cec2bdd64ac616a/nova/policies/base.py#L23

juju config nova-cloud-controller use-policyd-override=false
cat <<EOF > /tmp/patched-override-file.yaml
"network:attach_external_network": "rule:system_admin_or_owner"
EOF
zip data.zip /tmp/patched-override-file.yaml
juju attach-resource nova-cloud-controller policyd-override=data.zip
juju config nova-cloud-controller use-policyd-override=true
juju list-resources nova-cloud-controller
juju debug-log --replay --no-tail --include nova-cloud-controller |grep 'policy.d overrides installed'

# on each n-c-c, verify the change
oslopolicy-policy-generator --namespace nova --output /tmp/policy.yaml
cat /tmp/policy.yaml |grep attach_external_network
#juju run -a nova-cloud-controller "oslopolicy-policy-generator --namespace nova --output /dev/stdout | grep attach_external_network"

或者不希望每个project下的member都能使用这个nonshared external network的话，可以用rbac解决：

openstack network rbac create --type network --action access_as_shared --target-project <project-id-want-to-share> <network-id>

Reference

[1] OpenStack Ussuri 版新特性: Nova功能分析 - https://www.codetd.com/article/11420952

本文内容由网友自发贡献，版权归原作者所有，本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容，请联系:hwhale#tublm.com(使用前将#替换为@)

openstack

nova