Merge "Re-propose allow Project admin to list allowed hypervisors"
commit
57c738320e
|
@ -0,0 +1,229 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
===============================================
|
||||
Allow Project admin to list allowed hypervisors
|
||||
===============================================
|
||||
|
||||
https://blueprints.launchpad.net/nova/+spec/allow-project-admin-list-hypervisors
|
||||
|
||||
Allow Project admin to get the allowed hypervisors info so that
|
||||
they can create a server to specify the host in ``POST /servers`` API.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Project admin can currently create a server on a specific hypervisor (via host
|
||||
in the availability_zone field). However, project admin is not allowed to
|
||||
`list the hypervisors`__ On the other hand, only system admins or system
|
||||
readers can list hypervisors, but they cannot create a server on the project's
|
||||
behalf because there is no way to pass the `project_id in POST /servers API`__.
|
||||
This way, we make 'POST /servers with specific host' unusable unless the user
|
||||
gives extra token permission to the project admin or system users.
|
||||
|
||||
__ https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/policies/hypervisors.py#L37
|
||||
__ https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/api/openstack/compute/schemas/servers.py#L149
|
||||
|
||||
|
||||
Use Cases
|
||||
---------
|
||||
|
||||
As a user (project admin currently and project manager in new RBAC), I should
|
||||
be able to create the server on specific host which is assigned in that
|
||||
project.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
Below are the three proposed changes:
|
||||
|
||||
#. ``GET /os-hypervisors`` API
|
||||
|
||||
Allow project admin to list ``uuid``, ``state``, and, ``status``
|
||||
of the hypervisors they are assigned to. That will be retrieved from
|
||||
aggregate metadata info (``filter_tenant_id``).
|
||||
|
||||
If the requested project is in ``filter_tenant_id`` then that host info will
|
||||
be listed for project admin. If no project is listed in ``filter_tenant_id``
|
||||
then return an empty list. Only below hypervisors' fields will be returned
|
||||
for project admin, and the rest of the fields will be returned with value
|
||||
as None.
|
||||
|
||||
* uuid
|
||||
* state
|
||||
* status
|
||||
|
||||
No change in returning the hypervisors list for System scoped users.
|
||||
|
||||
#. ``POST /servers`` API
|
||||
|
||||
``POST /servers`` API will start accepting hypervisor uuid in request field
|
||||
to boot the server on that hypervisor. The existing field
|
||||
``hypervisor_hostname`` is used to pass the hypervisor name and we will not
|
||||
change that for existing use case. We will add a new field
|
||||
``hypervisor_uuid`` in request so that user can pass hypervisor uuid. The
|
||||
hypervisor uuid will be used to boot the server for for host with scheduler
|
||||
run case.
|
||||
|
||||
#. Remove the legacy hack of passing the host and node in ``availability_zone``
|
||||
request field. This will be removed for newer microversion only and keep it
|
||||
same for older microversion.
|
||||
|
||||
This is legacy hack to force the server boot on requested host and node.
|
||||
This one - https://github.com/openstack/nova/blob/e28afc564700a1a35e3bf0269687d5734251b88a/nova/compute/api.py#L555-L561
|
||||
Removing this legacy hack will standaradize the 'server boot on requested
|
||||
host' request.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
System users knowing the hypervisor info can switch to the project admin token
|
||||
and boot server on specific host.
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None.
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
This change will be done with a microversion bump.
|
||||
|
||||
Below are the two APIs that will be changed:
|
||||
|
||||
``GET /os-hypervisors``
|
||||
|
||||
- Allow policy 'os_compute_api:os-hypervisors:list' to project admin also
|
||||
(scope to system and project).
|
||||
|
||||
- Check if the requester is system user or project admin (via request context's
|
||||
system_scope). For system users no change in API from what we have currently.
|
||||
For project admin, return ``uuid``, ``state``, and ``status`` of
|
||||
those hosts which are assigned to that project, and the rest of the fields
|
||||
will be returned with value as None.
|
||||
|
||||
.. code-block::
|
||||
|
||||
{
|
||||
"hypervisors": [
|
||||
{
|
||||
"hypervisor_hostname": None,
|
||||
"id": "1bb62a04-c576-402c-8147-9e89757a09e3",
|
||||
"state": "up",
|
||||
"status": "enabled"
|
||||
}
|
||||
],
|
||||
"hypervisors_links": None
|
||||
}
|
||||
|
||||
``POST /servers``
|
||||
|
||||
- ``POST /servers`` API will start accepting hypervisor uuid in request field
|
||||
to boot the server on that hypervisor. We will add a new field
|
||||
``hypervisor_uuid`` in create server request so that user can pass uuid.
|
||||
The hypervisor uuid will be used to boot the server for host with scheduler
|
||||
run case.
|
||||
|
||||
- Remove the legacy hack of passing the host and node in ``availability_zone``
|
||||
request field. For older microversions, it will keep working as it is working
|
||||
currently. With this new microversion, only a valid AZ will be accepted in
|
||||
``availability_zone`` field otherwise 404. Basically removing this legacy
|
||||
hack - https://github.com/openstack/nova/blob/e28afc564700a1a35e3bf0269687d5734251b88a/nova/compute/api.py#L555-L561
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None. Already assigned host uuid name will be listed to project admin also.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None.
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
The nova api-ref will updated to reflect the changes.
|
||||
|
||||
Performance Impact
|
||||
------------------
|
||||
|
||||
None.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None.
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None.
|
||||
|
||||
Upgrade impact
|
||||
--------------
|
||||
|
||||
Upgrade notes will be added for the new workflow of boot server on
|
||||
specific host.
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
gmann
|
||||
Other contributors:
|
||||
None
|
||||
|
||||
Feature Liaison
|
||||
---------------
|
||||
|
||||
Feature liaison:
|
||||
None
|
||||
|
||||
Work Items
|
||||
----------
|
||||
|
||||
- API changes with microversion
|
||||
- Testing for the changes.
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None.
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
- Unit or functional testing for API change.
|
||||
- Tempest test to boot server with hypervisor uuid.
|
||||
|
||||
Documentation Impact
|
||||
====================
|
||||
|
||||
The api-ref will be updated to reflect the changes.
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
* https://etherpad.opendev.org/p/nova-xena-ptg
|
||||
* https://review.opendev.org/c/openstack/nova-specs/+/779821
|
||||
* https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/policies/servers.py#L179
|
||||
|
||||
History
|
||||
=======
|
||||
|
||||
.. list-table:: Revisions
|
||||
:header-rows: 1
|
||||
|
||||
* - Release Name
|
||||
- Description
|
||||
* - Yoga
|
||||
- Introduced
|
||||
* - Zed
|
||||
- Re-proposed
|
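Review bot: The "Security impact" section answers "None", but the proposed change opens 'os_compute_api:os-hypervisors:list' to project scope and makes tenant isolation depend on the ``filter_tenant_id`` aggregate metadata, so that section should state the boundary explicitly. It should say which fields a project admin can see (``uuid``, ``state``, ``status``), that a project with no ``filter_tenant_id`` entry gets an empty list, and what ``POST /servers`` returns when ``hypervisor_uuid`` names a host outside the project's aggregates. The spec only says the uuid is used "for host with scheduler run case" and does not define that error path. Returning the same error for an unknown uuid and an unassigned one would keep the new field from confirming which hypervisor uuids exist. The Testing section would also benefit from a negative test: a project admin listing hypervisors must not see hosts assigned to another project.

Smaller points in the same file: the sample response under ``GET /os-hypervisors`` uses ``None`` where JSON needs ``null`` and returns the key ``id`` while the text promises ``uuid``; the ``.. code-block::`` directive has no language; and there are typos in "for for host", "standaradize" and "will updated".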