230 lines
6.3 KiB
ReStructuredText
230 lines
6.3 KiB
ReStructuredText
..
|
|
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
|
License.
|
|
http://creativecommons.org/licenses/by/3.0/legalcode
|
|
|
|
===============================================
|
|
Allow Project admin to list allowed hypervisors
|
|
===============================================
|
|
|
|
https://blueprints.launchpad.net/nova/+spec/allow-project-admin-list-hypervisors
|
|
|
|
Allow Project admin to get the allowed hypervisors info so that
|
|
they can create a server to specify the host in ``POST /servers`` API.
|
|
|
|
Problem description
|
|
===================
|
|
|
|
Project admin can currently create a server on a specific hypervisor (via host
|
|
in the availability_zone field). However, project admin is not allowed to
|
|
`list the hypervisors`__ On the other hand, only system admins or system
|
|
readers can list hypervisors, but they cannot create a server on the project's
|
|
behalf because there is no way to pass the `project_id in POST /servers API`__.
|
|
This way, we make 'POST /servers with specific host' unusable unless the user
|
|
gives extra token permission to the project admin or system users.
|
|
|
|
__ https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/policies/hypervisors.py#L37
|
|
__ https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/api/openstack/compute/schemas/servers.py#L149
|
|
|
|
|
|
Use Cases
|
|
---------
|
|
|
|
As a user (project admin currently and project manager in new RBAC), I should
|
|
be able to create the server on specific host which is assigned in that
|
|
project.
|
|
|
|
Proposed change
|
|
===============
|
|
Below are the three proposed changes:
|
|
|
|
#. ``GET /os-hypervisors`` API
|
|
|
|
Allow project admin to list ``uuid``, ``state``, and, ``status``
|
|
of the hypervisors they are assigned to. That will be retrieved from
|
|
aggregate metadata info (``filter_tenant_id``).
|
|
|
|
If the requested project is in ``filter_tenant_id`` then that host info will
|
|
be listed for project admin. If no project is listed in ``filter_tenant_id``
|
|
then return an empty list. Only below hypervisors' fields will be returned
|
|
for project admin, and the rest of the fields will be returned with value
|
|
as None.
|
|
|
|
* uuid
|
|
* state
|
|
* status
|
|
|
|
No change in returning the hypervisors list for System scoped users.
|
|
|
|
#. ``POST /servers`` API
|
|
|
|
``POST /servers`` API will start accepting hypervisor uuid in request field
|
|
to boot the server on that hypervisor. The existing field
|
|
``hypervisor_hostname`` is used to pass the hypervisor name and we will not
|
|
change that for existing use case. We will add a new field
|
|
``hypervisor_uuid`` in request so that user can pass hypervisor uuid. The
|
|
hypervisor uuid will be used to boot the server for for host with scheduler
|
|
run case.
|
|
|
|
#. Remove the legacy hack of passing the host and node in ``availability_zone``
|
|
request field. This will be removed for newer microversion only and keep it
|
|
same for older microversion.
|
|
|
|
This is legacy hack to force the server boot on requested host and node.
|
|
This one - https://github.com/openstack/nova/blob/e28afc564700a1a35e3bf0269687d5734251b88a/nova/compute/api.py#L555-L561
|
|
Removing this legacy hack will standaradize the 'server boot on requested
|
|
host' request.
|
|
|
|
Alternatives
|
|
------------
|
|
|
|
System users knowing the hypervisor info can switch to the project admin token
|
|
and boot server on specific host.
|
|
|
|
Data model impact
|
|
-----------------
|
|
|
|
None.
|
|
|
|
REST API impact
|
|
---------------
|
|
|
|
This change will be done with a microversion bump.
|
|
|
|
Below are the two APIs that will be changed:
|
|
|
|
``GET /os-hypervisors``
|
|
|
|
- Allow policy 'os_compute_api:os-hypervisors:list' to project admin also
|
|
(scope to system and project).
|
|
|
|
- Check if the requester is system user or project admin (via request context's
|
|
system_scope). For system users no change in API from what we have currently.
|
|
For project admin, return ``uuid``, ``state``, and ``status`` of
|
|
those hosts which are assigned to that project, and the rest of the fields
|
|
will be returned with value as None.
|
|
|
|
.. code-block::
|
|
|
|
{
|
|
"hypervisors": [
|
|
{
|
|
"hypervisor_hostname": None,
|
|
"id": "1bb62a04-c576-402c-8147-9e89757a09e3",
|
|
"state": "up",
|
|
"status": "enabled"
|
|
}
|
|
],
|
|
"hypervisors_links": None
|
|
}
|
|
|
|
``POST /servers``
|
|
|
|
- ``POST /servers`` API will start accepting hypervisor uuid in request field
|
|
to boot the server on that hypervisor. We will add a new field
|
|
``hypervisor_uuid`` in create server request so that user can pass uuid.
|
|
The hypervisor uuid will be used to boot the server for host with scheduler
|
|
run case.
|
|
|
|
- Remove the legacy hack of passing the host and node in ``availability_zone``
|
|
request field. For older microversions, it will keep working as it is working
|
|
currently. With this new microversion, only a valid AZ will be accepted in
|
|
``availability_zone`` field otherwise 404. Basically removing this legacy
|
|
hack - https://github.com/openstack/nova/blob/e28afc564700a1a35e3bf0269687d5734251b88a/nova/compute/api.py#L555-L561
|
|
|
|
|
|
Security impact
|
|
---------------
|
|
|
|
None. Already assigned host uuid name will be listed to project admin also.
|
|
|
|
Notifications impact
|
|
--------------------
|
|
|
|
None.
|
|
|
|
Other end user impact
|
|
---------------------
|
|
|
|
The nova api-ref will updated to reflect the changes.
|
|
|
|
Performance Impact
|
|
------------------
|
|
|
|
None.
|
|
|
|
Other deployer impact
|
|
---------------------
|
|
|
|
None.
|
|
|
|
Developer impact
|
|
----------------
|
|
|
|
None.
|
|
|
|
Upgrade impact
|
|
--------------
|
|
|
|
Upgrade notes will be added for the new workflow of boot server on
|
|
specific host.
|
|
|
|
Implementation
|
|
==============
|
|
|
|
Assignee(s)
|
|
-----------
|
|
|
|
Primary assignee:
|
|
gmann
|
|
Other contributors:
|
|
None
|
|
|
|
Feature Liaison
|
|
---------------
|
|
|
|
Feature liaison:
|
|
None
|
|
|
|
Work Items
|
|
----------
|
|
|
|
- API changes with microversion
|
|
- Testing for the changes.
|
|
|
|
Dependencies
|
|
============
|
|
|
|
None.
|
|
|
|
Testing
|
|
=======
|
|
|
|
- Unit or functional testing for API change.
|
|
- Tempest test to boot server with hypervisor uuid.
|
|
|
|
Documentation Impact
|
|
====================
|
|
|
|
The api-ref will be updated to reflect the changes.
|
|
|
|
References
|
|
==========
|
|
|
|
* https://etherpad.opendev.org/p/nova-xena-ptg
|
|
* https://review.opendev.org/c/openstack/nova-specs/+/779821
|
|
* https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/policies/servers.py#L179
|
|
|
|
History
|
|
=======
|
|
|
|
.. list-table:: Revisions
|
|
:header-rows: 1
|
|
|
|
* - Release Name
|
|
- Description
|
|
* - Yoga
|
|
- Introduced
|
|
* - Zed
|
|
- Re-proposed
|