Parameters for API policies to show a host status

Add NovaShowHostStatus parameter to allow custom policies for accessing the full/limited compute host statuses in the requested Nova server details. If enabled without further policy customization, it grants access to that information via the System/Project read only APIs. That shows the requested full or limited host status among the other Nova server details available for non-admins. Additional policies specified using NovaApiPolicies get merged with this customizable NovaApiHostStatusPolicy. The compute microversion of at lest 2.16 is required for that. It uses role:reader since Tripleo deployments won't be enforcing scope yet. Once it will be, we should use rule:system_or_project_reader. Change-Id: Ib70a0f0bfdf47eceeecf5e1336670e8575f46e36 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2021-11-02 10:44:45 +01:00 · 2021-11-02 10:44:45 +01:00 · 98af869942
commit 98af869942
parent 2e0bfcfc24
2 changed files with 60 additions and 0 deletions
--- a/deployment/nova/nova-api-container-puppet.yaml
+++ b/deployment/nova/nova-api-container-puppet.yaml
@ -262,6 +262,31 @@ parameters:
      NovaRestrictLiveMigration is enabled.
    default: 'live-migration'
    type: string
+  NovaShowHostStatus:
+    type: string
+    description: |
+      Allow overriding API policies to access the compute host status in the
+      requested Nova server details. The default value 'hidden' allows only admins to
+      access it. Setting it to 'all' ('unknown-only') without additional fine-grained
+      tuning of NovaApiHostStatusPolicy shows the full (limited) host_status
+      to the system/project readers.
+    default: 'hidden'
+    constraints:
+      - allowed_values: ['all', 'unknown-only', 'hidden']
+  NovaApiHostStatusPolicy:
+    description: |
+      A custom API policy for os_compute_api:servers:show:host_status and
+      os_compute_api:servers:show:host_status:unknown-only.
+      These rules, or roles, replace the admins-only policies based on the given
+      NovaShowHostStatus: 'unknown-only' shows the limited host status UNKNOWN
+      whenever a heartbeat was not received within the configured threshold, and
+      'all' also reveals UP, DOWN, or MAINTENANCE statuses in the Nova server
+      details. NovaShowHostStatus 'hidden' puts it back being visible only for admins.
+      Additional policies specified using NovaApiPolicies get merged with this
+      policy.
+    # TODO(bogdando): use rule:system_or_project_reader once tripleo enforces scopes
+    default: 'role:reader'
+    type: string

 parameter_groups:
 - label: deprecated
@ -414,6 +439,22 @@ outputs:
                        params:
                           LMROLENAME: {get_param: NovaRestrictLiveMigrationRole}
                - {}
+              - if:
+                - equals:
+                  - {get_param: NovaShowHostStatus}
+                  - 'all'
+                - nova-host_status:
+                    key: 'os_compute_api:servers:show:host_status'
+                    value: {get_param: NovaApiHostStatusPolicy}
+                - {}
+              - if:
+                - equals:
+                  - {get_param: NovaShowHostStatus}
+                  - 'unknown-only'
+                - nova-host_status_unknown_only:
+                    key: 'os_compute_api:servers:show:host_status:unknown-only'
+                    value: {get_param: NovaApiHostStatusPolicy}
+                - {}
            nova::api::allow_resize_to_same_host: {get_param: NovaAllowResizeToSameHost}
            nova_enable_db_purge: {get_param: NovaEnableDBPurge}
            nova::cron::purge_shadow_tables::minute: {get_param: NovaCronPurgeShadowTablesMinute}
--- a/releasenotes/notes/nova_api_show_host_status-f0dfaf4c2b0c536f.yaml
+++ b/releasenotes/notes/nova_api_show_host_status-f0dfaf4c2b0c536f.yaml
@ -0,0 +1,19 @@
+---
+features:
+  - |
+    Add `NovaShowHostStatus` to allow overriding API policies to access the compute
+    host status in the requested Nova server details. The default value 'hidden'
+    allows only admins to access it. Setting it to 'all' ('unknown-only') without
+    additional fine-grained tuning of `NovaApiHostStatusPolicy` shows the full
+    (limited) `host_status` to the system/project readers.
+
+    Add `NovaApiHostStatusPolicy` that defines a custom API policy for
+    `os_compute_api:servers:show:host_status and
+    `os_compute_api:servers:show:host_status:unknown-only`.
+    These rules, or roles, replace the admins-only policies based on the given
+    `NovaShowHostStatus`: 'unknown-only' shows the limited host status UNKNOWN
+    whenever a heartbeat was not received within the configured threshold, and
+    'all' also reveals UP, DOWN, or MAINTENANCE statuses in the Nova server
+    details. Finally, `NovaShowHostStatus`: 'hidden' puts it back being visible
+    only for admins. Additional policies specified using `NovaApiPolicies` get
+    merged with this policy.