Default zero disk flavor to RULE_ADMIN_API in Stein

The policy to allow booting instances without a volume when root_gb is set to 0 was to be set to default to admin-only in Stein. Depends-On: I537c299b0cd400982189f35b31df74755422737e Co-Authored-By: Matt Riedemann <mriedem.os@gmail.com> Related-Bug: #1739646 Change-Id: I247402b6c4ff8a7cb71ef247a218478194d68ff8
openstack · Dec 17, 2018 · c8e65a5 · c8e65a5
1 parent 22b15df
commit c8e65a5
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 6 deletions.
diff --git a/nova/policies/servers.py b/nova/policies/servers.py
@@ -154,8 +154,7 @@
         ]),
     policy.DocumentedRuleDefault(
         ZERO_DISK_FLAVOR,
-        # TODO(mriedem): Default to RULE_ADMIN_API in Stein.
-        RULE_AOO,
+        base.RULE_ADMIN_API,
         """
 This rule controls the compute API validation behavior of creating a server
 with a flavor that has 0 disk, indicating the server should be volume-backed.
@@ -170,9 +169,6 @@
 create a disk=0 flavor instance with a large image can exhaust
 the local disk of the compute (or shared storage cluster). See bug
 https://bugs.launchpad.net/nova/+bug/1739646 for details.
-
-This rule defaults to ``rule:admin_or_owner`` for backward compatibility but
-will be changed to default to ``rule:admin_api`` in a subsequent release.
 """,
         [
             {

diff --git a/nova/tests/unit/compute/test_compute.py b/nova/tests/unit/compute/test_compute.py
@@ -67,6 +67,7 @@
 from nova.objects import fields as obj_fields
 from nova.objects import instance as instance_obj
 from nova.objects import migrate_data as migrate_data_obj
+from nova.policies import servers as servers_policy
 from nova import test
 from nova.tests import fixtures
 from nova.tests.unit.compute import eventlet_utils
@@ -13290,13 +13291,19 @@ def test_image_too_large(self):
                 image, self.instance_type, None)
 
     def test_root_gb_zero_disables_size_check(self):
+        self.policy.set_rules({
+            servers_policy.ZERO_DISK_FLAVOR: servers_policy.RULE_AOO
+        }, overwrite=False)
         self.instance_type['root_gb'] = 0
         image = dict(id='123', status='active', size='1073741825')
 
         self.compute_api._check_requested_image(self.context, image['id'],
                 image, self.instance_type, None)
 
     def test_root_gb_zero_disables_min_disk(self):
+        self.policy.set_rules({
+            servers_policy.ZERO_DISK_FLAVOR: servers_policy.RULE_AOO
+        }, overwrite=False)
         self.instance_type['root_gb'] = 0
         image = dict(id='123', status='active', min_disk='2')
 

diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py
@@ -338,6 +338,7 @@ def setUp(self):
 "os_compute_api:os-quota-class-sets:update",
 "os_compute_api:os-server-external-events:create",
 "os_compute_api:os-volumes-attachments:update",
+"os_compute_api:servers:create:zero_disk_flavor",
 "os_compute_api:servers:migrations:index",
 "os_compute_api:servers:migrations:show",
 )
@@ -375,7 +376,6 @@ def setUp(self):
 "os_compute_api:servers:create:attach_network",
 "os_compute_api:servers:create:attach_volume",
 "os_compute_api:servers:create:trusted_certs",
-"os_compute_api:servers:create:zero_disk_flavor",
 "os_compute_api:servers:create_image",
 "os_compute_api:servers:delete",
 "os_compute_api:servers:detail",

diff --git a/releasenotes/notes/default-zero-disk-flavor-to-admin-api-fd99e162812c2c7f.yaml b/releasenotes/notes/default-zero-disk-flavor-to-admin-api-fd99e162812c2c7f.yaml
@@ -0,0 +1,11 @@
+---
+upgrade:
+  - |
+    The defalut value for policy rule
+    ``os_compute_api:servers:create:zero_disk_flavor`` has changed from
+    ``rule:admin_or_owner`` to ``rule:admin_api`` which means that by default,
+    users without the admin role will not be allowed to create servers using
+    a flavor with ``disk=0`` *unless* they are creating a volume-backed server.
+    If you have these kinds of flavors, you may need to take action or
+    temporarily override the policy rule. Refer to
+    `bug 1739646 <https://launchpad.net/bugs/1739646>`_ for more details.