openstack/charm-guide
Code Issues Proposed changes
Files
master
charm-guide/doc/source/admin/ops-show-extended-server-attributes.rst
Peter Matulis 8fe2da8152 Refactor policy overrides 
Split out a conceptual treatment as well as a tutorial
from the existing policy overrides howto page.

Make the remaining howto portion clearer, mostly in terms
of its headings.

Change-Id: I26d3fe83f7f44b7dc29a3431b8e6e590d97d0118
2023-07-17 11:19:46 -04:00

5.9 KiB
Raw Permalink Blame History

Show extended server attributes using policy overrides

This tutorial shows how to show extended server (VM) attributes using policy overrides. It involves changing the default policy affecting the nova-cloud-controller application.

Important

It is recommended to read through the howto document on policy-overrides prior to acting on the steps provided in this document.

Introduction

Ordinarily, when a non-admin user requests details for a cloud instance some fields are not shown. This is because some information is deemed inappropriate or too sensitive for the regular user. For instance, this is the (partial) default output to the openstack server show command:

echo $OS_USERNAME
User1

openstack server show 9167b3e9-c653-43fc-858a-2d6f6da36daa

+-----------------------------+----------------------------------------------------------+
| Field                       | Value                                                    |
+-----------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                                   |
| OS-EXT-AZ:availability_zone | nova                                                     |
| OS-EXT-STS:power_state      | Running                                                  |
| OS-EXT-STS:task_state       | None                                                     |
| OS-EXT-STS:vm_state         | active                                                   |
| OS-SRV-USG:launched_at      | 2019-12-11T23:09:47.000000                               |
| OS-SRV-USG:terminated_at    | None                                                     |

Compare that output to what an admin sees:

echo $OS_USERNAME
admin

openstack server show 9167b3e9-c653-43fc-858a-2d6f6da36daa

+-------------------------------------+--------------------------------------------------+
| Field                               | Value                                            |
+-------------------------------------+--------------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                           |
| OS-EXT-AZ:availability_zone         | nova                                             |
| OS-EXT-SRV-ATTR:host                | virt-node-01.maas                                |
| OS-EXT-SRV-ATTR:hypervisor_hostname | virt-node-01.maas                                |
| OS-EXT-SRV-ATTR:instance_name       | instance-00000001                                |
| OS-EXT-STS:power_state              | Running                                          |
| OS-EXT-STS:task_state               | None                                             |
| OS-EXT-STS:vm_state                 | active                                           |
| OS-SRV-USG:launched_at              | 2019-12-11T23:09:47.000000                       |
| OS-SRV-USG:terminated_at            | None                                             |

The admin user has three extra fields that are categorised as extended server attributes:

| OS-EXT-SRV-ATTR:host                | virt-node-01.maas                                |
| OS-EXT-SRV-ATTR:hypervisor_hostname | virt-node-01.maas                                |
| OS-EXT-SRV-ATTR:instance_name       | instance-00000001                                |

For some environments, such as an internal company cloud, the benefits of providing this information to users may outweigh any perceived concerns. For example, users will know immediately whether an announced hypervisor maintenance procedure will affect their running instances, providing that the announcement includes the hypervisor name.

Create the override file

To make this happen the default policy affecting the Nova API will need to be overridden to include the owner of the instance as well as the admin. The policy "target" that controls these particular fields is os_compute_api:os-extended-server-attributes.

The final policy statement is placed in a file, say, nova-server-attributes.yaml:

#"os_compute_api:os-extended-server-attributes": "rule:admin_api"
"os_compute_api:os-extended-server-attributes": "rule:admin_or_owner"

The default statement is left as a comment in order to provide some extra context.

Compress the override file

Compress the override file to get the resource file, here nova-server-attributes.yaml:

zip nova-server-attributes.zip nova-server-attributes.yaml

Attach the resource file to the application

Attach the resource file to the nova-cloud-controller application. The resource name used is always policyd-override:

juju attach-resource nova-cloud-controller policyd-override=nova-server-attributes.zip

Enable the override

Enable the override via the use-policyd-override charm option:

juju config nova-cloud-controller use-policyd-override=true

Result

Any non-admin user should now have access to three extra fields when querying the instances that they own with the openstack server show command.

More extended attributes can be displayed through the use of option --os-compute-api-version. For example:

openstack --os-compute-api-version 2.3 server show 9167b3e9-c653-43fc-858a-2d6f6da36daa

See the upstream documentation on Show Server Details.

View Git Blame Copy Permalink