From f2d8fc24a022605bbc071662cfe0783ccedcdaa8 Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Wed, 4 May 2022 11:38:55 -0500 Subject: [PATCH] Re-propose allow Project admin to list allowed hypervisors One cleanup in it from what was proposed in yoga spec: - Removed the new policy requirement which I removed from 'REST API impact' section in yoga[1] but forgot to clean that up from the Proposed section. [1] https://review.opendev.org/c/openstack/nova-specs/+/793011/5..7/specs/yoga/approved/allow-project-admin-list-hypervisors.rst#b127 Change-Id: I3cbb5cf194d46bd6a7d7a1338a07a73eb7a2af0b --- .../allow-project-admin-list-hypervisors.rst | 229 ++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100644 specs/zed/approved/allow-project-admin-list-hypervisors.rst diff --git a/specs/zed/approved/allow-project-admin-list-hypervisors.rst b/specs/zed/approved/allow-project-admin-list-hypervisors.rst new file mode 100644 index 000000000..2563a7158 --- /dev/null +++ b/specs/zed/approved/allow-project-admin-list-hypervisors.rst
@@ -0,0 +1,229 @@ +.. + This work is licensed under a Creative Commons Attribution 3.0 Unported + License. + http://creativecommons.org/licenses/by/3.0/legalcode + +=============================================== +Allow Project admin to list allowed hypervisors +=============================================== + +https://blueprints.launchpad.net/nova/+spec/allow-project-admin-list-hypervisors + +Allow Project admin to get the allowed hypervisors info so that +they can create a server to specify the host in ``POST /servers`` API. + +Problem description +=================== + +Project admin can currently create a server on a specific hypervisor (via host +in the availability_zone field). However, project admin is not allowed to +`list the hypervisors`__ On the other hand, only system admins or system +readers can list hypervisors, but they cannot create a server on the project's +behalf because there is no way to pass the `project_id in POST /servers API`__. +This way, we make 'POST /servers with specific host' unusable unless the user +gives extra token permission to the project admin or system users. + +__ https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/policies/hypervisors.py#L37 +__ https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/api/openstack/compute/schemas/servers.py#L149 + + +Use Cases +--------- + +As a user (project admin currently and project manager in new RBAC), I should +be able to create the server on specific host which is assigned in that +project. + +Proposed change +=============== +Below are the three proposed changes: + +#. ``GET /os-hypervisors`` API + + Allow project admin to list ``uuid``, ``state``, and, ``status`` + of the hypervisors they are assigned to. That will be retrieved from + aggregate metadata info (``filter_tenant_id``). + + If the requested project is in ``filter_tenant_id`` then that host info will + be listed for project admin. 
If no project is listed in ``filter_tenant_id`` + then return an empty list. Only below hypervisors' fields will be returned + for project admin, and the rest of the fields will be returned with value + as None. + + * uuid + * state + * status + + No change in returning the hypervisors list for System scoped users. + +#. ``POST /servers`` API + + ``POST /servers`` API will start accepting hypervisor uuid in request field + to boot the server on that hypervisor. The existing field + ``hypervisor_hostname`` is used to pass the hypervisor name and we will not + change that for existing use case. We will add a new field + ``hypervisor_uuid`` in request so that user can pass hypervisor uuid. The + hypervisor uuid will be used to boot the server for for host with scheduler + run case. + +#. Remove the legacy hack of passing the host and node in ``availability_zone`` + request field. This will be removed for newer microversion only and keep it + same for older microversion. + + This is legacy hack to force the server boot on requested host and node. + This one - https://github.com/openstack/nova/blob/e28afc564700a1a35e3bf0269687d5734251b88a/nova/compute/api.py#L555-L561 + Removing this legacy hack will standaradize the 'server boot on requested + host' request. + +Alternatives +------------ + +System users knowing the hypervisor info can switch to the project admin token +and boot server on specific host. + +Data model impact +----------------- + +None. + +REST API impact +--------------- + +This change will be done with a microversion bump. + +Below are the two APIs that will be changed: + +``GET /os-hypervisors`` + +- Allow policy 'os_compute_api:os-hypervisors:list' to project admin also + (scope to system and project). + +- Check if the requester is system user or project admin (via request context's + system_scope). For system users no change in API from what we have currently. 
+ For project admin, return ``uuid``, ``state``, and ``status`` of + those hosts which are assigned to that project, and the rest of the fields + will be returned with value as None. + + .. code-block:: + + { + "hypervisors": [ + { + "hypervisor_hostname": None, + "id": "1bb62a04-c576-402c-8147-9e89757a09e3", + "state": "up", + "status": "enabled" + } + ], + "hypervisors_links": None + } + +``POST /servers`` + +- ``POST /servers`` API will start accepting hypervisor uuid in request field + to boot the server on that hypervisor. We will add a new field + ``hypervisor_uuid`` in create server request so that user can pass uuid. + The hypervisor uuid will be used to boot the server for host with scheduler + run case. + +- Remove the legacy hack of passing the host and node in ``availability_zone`` + request field. For older microversions, it will keep working as it is working + currently. With this new microversion, only a valid AZ will be accepted in + ``availability_zone`` field otherwise 404. Basically removing this legacy + hack - https://github.com/openstack/nova/blob/e28afc564700a1a35e3bf0269687d5734251b88a/nova/compute/api.py#L555-L561 + + +Security impact +--------------- + +None. Already assigned host uuid name will be listed to project admin also. + +Notifications impact +-------------------- + +None. + +Other end user impact +--------------------- + +The nova api-ref will updated to reflect the changes. + +Performance Impact +------------------ + +None. + +Other deployer impact +--------------------- + +None. + +Developer impact +---------------- + +None. + +Upgrade impact +-------------- + +Upgrade notes will be added for the new workflow of boot server on +specific host. + +Implementation +============== + +Assignee(s) +----------- + +Primary assignee: + gmann +Other contributors: + None + +Feature Liaison +--------------- + +Feature liaison: + None + +Work Items +---------- + +- API changes with microversion +- Testing for the changes. 
+ +Dependencies +============ + +None. + +Testing +======= + +- Unit or functional testing for API change. +- Tempest test to boot server with hypervisor uuid. + +Documentation Impact +==================== + +The api-ref will be updated to reflect the changes. + +References +========== + +* https://etherpad.opendev.org/p/nova-xena-ptg +* https://review.opendev.org/c/openstack/nova-specs/+/779821 +* https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/policies/servers.py#L179 + +History +======= + +.. list-table:: Revisions + :header-rows: 1 + + * - Release Name + - Description + * - Yoga + - Introduced + * - Zed + - Re-proposed
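Review bot: the "Proposed change" and "REST API impact" sections describe the ``filter_tenant_id`` aggregate-metadata check only for ``GET /os-hypervisors``; nothing states that the new ``hypervisor_uuid`` field in ``POST /servers`` is validated against the same assignment for a project admin, and "will be used to boot the server for for host with scheduler run case" leaves open whether the scheduler filters are relied on for that. Please state explicitly whether a project admin's ``hypervisor_uuid`` must belong to a host whose aggregate lists that project (and what the API returns when it does not), so that the listing restriction and the boot restriction enforce the same boundary. Related to that, "Security impact: None" understates the change: the ``os_compute_api:os-hypervisors:list`` policy moves from system-only to system-or-project scope, aggregate metadata becomes the authorization input for which hosts a project admin can see, and ``state``/``status`` of those hosts become visible to project admins; a short paragraph describing that boundary, including behaviour when an aggregate carries several tenant ids, belongs there. Smaller points in the same hunk: the response example under ``.. code-block::`` uses Python ``None`` (``"hypervisor_hostname": None``, ``"hypervisors_links": None``) where a JSON body would carry ``null``, and the block should be tagged ``json``; "Only below hypervisors' fields will be returned ... and the rest of the fields will be returned with value as None" likewise means ``null``. The "otherwise 404" for an ``availability_zone`` value that is not a valid AZ is worth reconsidering or justifying, since the failure is in the request body rather than the resource path. Typos: "standaradize", "for for host", "The nova api-ref will updated", and a missing period after "`list the hypervisors`__".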