Merge "Re-propose allow Project admin to list allowed hypervisors"

Zuul 2022-05-10 12:47:52 +00:00 committed by Gerrit Code Review
commit 57c738320e
1 changed files with 229 additions and 0 deletions

@ -0,0 +1,229 @@
..
This work is licensed under a Creative Commons Attribution 3.0 Unported
License.
http://creativecommons.org/licenses/by/3.0/legalcode
===============================================
Allow Project admin to list allowed hypervisors
===============================================
https://blueprints.launchpad.net/nova/+spec/allow-project-admin-list-hypervisors
Allow Project admin to get the allowed hypervisors info so that
they can create a server to specify the host in ``POST /servers`` API.
Problem description
===================
Project admin can currently create a server on a specific hypervisor (via host
in the availability_zone field). However, project admin is not allowed to
`list the hypervisors`__ On the other hand, only system admins or system
readers can list hypervisors, but they cannot create a server on the project's
behalf because there is no way to pass the `project_id in POST /servers API`__.
This way, we make 'POST /servers with specific host' unusable unless the user
gives extra token permission to the project admin or system users.
__ https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/policies/hypervisors.py#L37
__ https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/api/openstack/compute/schemas/servers.py#L149
Use Cases
---------
As a user (project admin currently and project manager in new RBAC), I should
be able to create the server on specific host which is assigned in that
project.
Proposed change
===============
Below are the three proposed changes:
#. ``GET /os-hypervisors`` API
Allow project admin to list ``uuid``, ``state``, and, ``status``
of the hypervisors they are assigned to. That will be retrieved from
aggregate metadata info (``filter_tenant_id``).
If the requested project is in ``filter_tenant_id`` then that host info will
be listed for project admin. If no project is listed in ``filter_tenant_id``
then return an empty list. Only below hypervisors' fields will be returned
for project admin, and the rest of the fields will be returned with value
as None.
* uuid
* state
* status
No change in returning the hypervisors list for System scoped users.
#. ``POST /servers`` API
``POST /servers`` API will start accepting hypervisor uuid in request field
to boot the server on that hypervisor. The existing field
``hypervisor_hostname`` is used to pass the hypervisor name and we will not
change that for existing use case. We will add a new field
``hypervisor_uuid`` in request so that user can pass hypervisor uuid. The
hypervisor uuid will be used to boot the server for for host with scheduler
run case.
#. Remove the legacy hack of passing the host and node in ``availability_zone``
request field. This will be removed for newer microversion only and keep it
same for older microversion.
This is legacy hack to force the server boot on requested host and node.
This one - https://github.com/openstack/nova/blob/e28afc564700a1a35e3bf0269687d5734251b88a/nova/compute/api.py#L555-L561
Removing this legacy hack will standaradize the 'server boot on requested
host' request.
Alternatives
------------
System users knowing the hypervisor info can switch to the project admin token
and boot server on specific host.
Data model impact
-----------------
None.
REST API impact
---------------
This change will be done with a microversion bump.
Below are the two APIs that will be changed:
``GET /os-hypervisors``
- Allow policy 'os_compute_api:os-hypervisors:list' to project admin also
(scope to system and project).
- Check if the requester is system user or project admin (via request context's
system_scope). For system users no change in API from what we have currently.
For project admin, return ``uuid``, ``state``, and ``status`` of
those hosts which are assigned to that project, and the rest of the fields
will be returned with value as None.
.. code-block::
{
"hypervisors": [
{
"hypervisor_hostname": None,
"id": "1bb62a04-c576-402c-8147-9e89757a09e3",
"state": "up",
"status": "enabled"
}
],
"hypervisors_links": None
}
``POST /servers``
- ``POST /servers`` API will start accepting hypervisor uuid in request field
to boot the server on that hypervisor. We will add a new field
``hypervisor_uuid`` in create server request so that user can pass uuid.
The hypervisor uuid will be used to boot the server for host with scheduler
run case.
- Remove the legacy hack of passing the host and node in ``availability_zone``
request field. For older microversions, it will keep working as it is working
currently. With this new microversion, only a valid AZ will be accepted in
``availability_zone`` field otherwise 404. Basically removing this legacy
hack - https://github.com/openstack/nova/blob/e28afc564700a1a35e3bf0269687d5734251b88a/nova/compute/api.py#L555-L561
Security impact
---------------
None. Already assigned host uuid name will be listed to project admin also.
Notifications impact
--------------------
None.
Other end user impact
---------------------
The nova api-ref will updated to reflect the changes.
Performance Impact
------------------
None.
Other deployer impact
---------------------
None.
Developer impact
----------------
None.
Upgrade impact
--------------
Upgrade notes will be added for the new workflow of boot server on
specific host.
Implementation
==============
Assignee(s)
-----------
Primary assignee:
gmann
Other contributors:
None
Feature Liaison
---------------
Feature liaison:
None
Work Items
----------
- API changes with microversion
- Testing for the changes.
Dependencies
============
None.
Testing
=======
- Unit or functional testing for API change.
- Tempest test to boot server with hypervisor uuid.
Documentation Impact
====================
The api-ref will be updated to reflect the changes.
References
==========
* https://etherpad.opendev.org/p/nova-xena-ptg
* https://review.opendev.org/c/openstack/nova-specs/+/779821
* https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/policies/servers.py#L179
History
=======
.. list-table:: Revisions
:header-rows: 1
* - Release Name
- Description
* - Yoga
- Introduced
* - Zed
- Re-proposed
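Review bot: The "Security impact" section says "None", but the "REST API impact" section opens 'os_compute_api:os-hypervisors:list' to project scope and relies on a per-request filter against the aggregate metadata key filter_tenant_id to decide which hosts a project admin sees. The section should say so, and should name the negative test that proves a project admin gets no host outside the aggregates assigned to its project. It should also state whether POST /servers verifies that a supplied hypervisor_uuid belongs to a host assigned to the requesting project, because the spec describes that restriction only for the list call. Smaller points: the sample response uses None where JSON needs null, and it returns the value under "id" while the text names the field uuid; "for for host" and "standaradize" are typos.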