Allow Project admin to list allowed hypervisors
https://blueprints.launchpad.net/nova/+spec/allow-project-admin-list-hypervisors
Allow Project admin to get the allowed hypervisors info so that they can specify the host when creating a server with the POST /servers API.
Problem description
Project admin can currently create a server on a specific hypervisor (via host in the availability_zone field). However, project admin is not allowed to list the hypervisors. On the other hand, only system admins or system readers can list hypervisors, but they cannot create a server on the project's behalf because there is no way to pass the project_id in the POST /servers API. This makes 'POST /servers with specific host' unusable unless the user gives extra token permission to the project admin or system users.
Use Cases
As a user (project admin currently and project manager in new RBAC), I should be able to create a server on a specific host which is assigned to that project.
Proposed change
Below are the three proposed changes:
- GET /os-hypervisors API
  Allow project admin to list uuid, state, and status of the hypervisors they are assigned to. That will be retrieved from aggregate metadata info (filter_tenant_id). If the requested project is in filter_tenant_id then that host info will be listed for project admin. If no project is listed in filter_tenant_id then return an empty list. Only the hypervisor fields below will be returned for project admin, and the rest of the fields will be returned with value as None.
  - uuid
  - state
  - status
  No change in returning the hypervisors list for System scoped users.
- POST /servers API
  POST /servers API will start accepting hypervisor uuid in a request field to boot the server on that hypervisor. The existing field hypervisor_hostname is used to pass the hypervisor name and we will not change that for the existing use case. We will add a new field hypervisor_uuid in the request so that the user can pass the hypervisor uuid. The hypervisor uuid will be used to boot the server for host with scheduler run case.
- Remove the legacy hack of passing the host and node in the availability_zone request field. This will be removed for the newer microversion only and kept the same for older microversions. This is the legacy hack to force the server boot on the requested host and node: https://github.com/openstack/nova/blob/e28afc564700a1a35e3bf0269687d5734251b88a/nova/compute/api.py#L555-L561
  Removing this legacy hack will standardize the 'server boot on requested host' request.
Alternatives
System users knowing the hypervisor info can switch to the project admin token and boot server on specific host.
Data model impact
None.
REST API impact
This change will be done with a microversion bump.
Below are the two APIs that will be changed:
GET /os-hypervisors
- Allow policy 'os_compute_api:os-hypervisors:list' to project admin also (scope to system and project).
- Check if the requester is a system user or project admin (via the request context's system_scope). For system users there is no change in the API from what we have currently. For project admin, return uuid, state, and status of those hosts which are assigned to that project, and the rest of the fields will be returned with value as None (null in the JSON response body):

    {
        "hypervisors": [
            {
                "hypervisor_hostname": null,
                "id": "1bb62a04-c576-402c-8147-9e89757a09e3",
                "state": "up",
                "status": "enabled"
            }
        ],
        "hypervisors_links": null
    }
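A sketch of the project-admin view described above, added here as an illustration and not taken from nova. The record shapes, the `service_host` key, the helper names and the comma-separated handling of `filter_tenant_id` are assumptions, and the sample data is constructed.

```python
# Added illustration, not nova code. Record shapes and helper names are hypothetical.
from dataclasses import dataclass, field

# Allowlist from the spec: uuid (returned as "id"), state, status.
PROJECT_VISIBLE_FIELDS = frozenset({"id", "state", "status"})


@dataclass
class Aggregate:
    hosts: set
    metadata: dict = field(default_factory=dict)


def hosts_for_project(aggregates, project_id):
    """Hosts of aggregates whose filter_tenant_id metadata names project_id."""
    allowed = set()
    for agg in aggregates:
        raw = agg.metadata.get("filter_tenant_id", "")
        # Assumption: the value may list several project ids, comma-separated.
        # Exact set membership avoids "proj-1" matching "proj-10".
        if project_id in {p.strip() for p in raw.split(",") if p.strip()}:
            allowed |= set(agg.hosts)
    return allowed


def list_hypervisors(hypervisors, aggregates, system_scope, project_id):
    """Hypervisor list as seen by a system-scoped user or a project admin."""
    if system_scope:  # system users: full records, as today
        return [dict(h) for h in hypervisors]
    allowed = hosts_for_project(aggregates, project_id)
    # Redact by allowlist so any field added later defaults to None.
    return [
        {k: (v if k in PROJECT_VISIBLE_FIELDS else None) for k, v in h.items()}
        for h in hypervisors
        if h["service_host"] in allowed
    ]


# Constructed sample data (host names, project ids and IPs are made up).
HYPERVISORS = [
    {"id": "1bb62a04-c576-402c-8147-9e89757a09e3", "hypervisor_hostname": "node-a",
     "service_host": "compute-a", "state": "up", "status": "enabled", "host_ip": "192.0.2.10"},
    {"id": "placeholder-uuid-b", "hypervisor_hostname": "node-b",
     "service_host": "compute-b", "state": "up", "status": "enabled", "host_ip": "192.0.2.11"},
]
AGGREGATES = [
    Aggregate({"compute-a"}, {"filter_tenant_id": "proj-1"}),
    Aggregate({"compute-b"}, {"filter_tenant_id": "proj-10"}),
]
```

Hosts in an aggregate without `filter_tenant_id`, or in no aggregate at all, stay invisible to every project in this sketch.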
POST /servers
- POST /servers API will start accepting hypervisor uuid in a request field to boot the server on that hypervisor. We will add a new field hypervisor_uuid in the create server request so that the user can pass the uuid. The hypervisor uuid will be used to boot the server for host with scheduler run case.
- Remove the legacy hack of passing the host and node in the availability_zone request field. For older microversions, it will keep working as it does currently. With this new microversion, only a valid AZ will be accepted in the availability_zone field, otherwise 404. Basically removing this legacy hack: https://github.com/openstack/nova/blob/e28afc564700a1a35e3bf0269687d5734251b88a/nova/compute/api.py#L555-L561
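The two availability_zone behaviours side by side, as an added example that is not nova's code. The function names, the `NotFound` class standing in for the 404, the boolean microversion gate and the UUID format check are assumptions; the legacy value is parsed as `az[:host[:node]]`.

```python
# Added illustration, not nova code: names, exception and the boolean gate are hypothetical.
import uuid


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


def parse_legacy_az(value):
    """Legacy form: 'az[:host[:node]]' carried in availability_zone."""
    parts = value.split(":")
    if len(parts) > 3:
        raise ValueError("too many ':' separated parts")
    az, host, node = (parts + [None, None])[:3]
    return az or None, host or None, node or None


def resolve_target(server, new_microversion, known_azs):
    """Return the placement request derived from a POST /servers body."""
    az = server.get("availability_zone")
    target = {"az": None, "host": None, "node": None, "hypervisor_uuid": None}
    if not new_microversion:
        # Older microversions keep the host/node hack and do not know
        # the hypervisor_uuid field.
        if az is not None:
            target["az"], target["host"], target["node"] = parse_legacy_az(az)
        return target
    # New microversion: availability_zone must name a real AZ, nothing else.
    if az is not None:
        if az not in known_azs:
            raise NotFound(f"availability zone {az!r} not found")
        target["az"] = az
    hyp = server.get("hypervisor_uuid")
    if hyp is not None:
        # Assumption: malformed uuids are rejected before scheduling.
        target["hypervisor_uuid"] = str(uuid.UUID(hyp))  # ValueError if malformed
    return target
```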
Security impact
None. Already assigned host uuid name will be listed to project admin also.
Notifications impact
None.
Other end user impact
The nova api-ref will be updated to reflect the changes.
Performance Impact
None.
Other deployer impact
None.
Developer impact
None.
Upgrade impact
Upgrade notes will be added for the new workflow of boot server on specific host.
Implementation
Assignee(s)
- Primary assignee: gmann
- Other contributors: None
Feature Liaison
- Feature liaison: None
Work Items
- API changes with microversion
- Testing for the changes.
Dependencies
None.
Testing
- Unit or functional testing for API change.
- Tempest test to boot server with hypervisor uuid.
Documentation Impact
The api-ref will be updated to reflect the changes.
References
- https://etherpad.opendev.org/p/nova-xena-ptg
- https://review.opendev.org/c/openstack/nova-specs/+/779821
- https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/policies/servers.py#L179
History
Release Name | Description |
---|---|
Yoga | Introduced |
Zed | Re-proposed |