diff --git a/nova/policies/servers.py b/nova/policies/servers.py index 597f210c2a11..f02a6e75f1e5 100644 --- a/nova/policies/servers.py +++ b/nova/policies/servers.py @@ -154,8 +154,7 @@ rules = [ ]), policy.DocumentedRuleDefault( ZERO_DISK_FLAVOR, - # TODO(mriedem): Default to RULE_ADMIN_API in Stein. - RULE_AOO, + base.RULE_ADMIN_API, """ This rule controls the compute API validation behavior of creating a server with a flavor that has 0 disk, indicating the server should be volume-backed. @@ -170,9 +169,6 @@ if users can upload their own images since repeated attempts to create a disk=0 flavor instance with a large image can exhaust the local disk of the compute (or shared storage cluster). See bug https://bugs.launchpad.net/nova/+bug/1739646 for details. - -This rule defaults to ``rule:admin_or_owner`` for backward compatibility but -will be changed to default to ``rule:admin_api`` in a subsequent release. """, [ { diff --git a/nova/tests/unit/compute/test_compute.py b/nova/tests/unit/compute/test_compute.py index 6efcfb56dd1d..74056c93f841 100644 --- a/nova/tests/unit/compute/test_compute.py +++ b/nova/tests/unit/compute/test_compute.py @@ -67,6 +67,7 @@ from nova.objects import block_device as block_device_obj from nova.objects import fields as obj_fields from nova.objects import instance as instance_obj from nova.objects import migrate_data as migrate_data_obj +from nova.policies import servers as servers_policy from nova import test from nova.tests import fixtures from nova.tests.unit.compute import eventlet_utils @@ -13340,6 +13341,9 @@ class CheckRequestedImageTestCase(test.TestCase): image, self.instance_type, None) def test_root_gb_zero_disables_size_check(self): + self.policy.set_rules({ + servers_policy.ZERO_DISK_FLAVOR: servers_policy.RULE_AOO + }, overwrite=False) self.instance_type['root_gb'] = 0 image = dict(id='123', status='active', size='1073741825') 
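Review bot: The new `base.RULE_ADMIN_API` default for ZERO_DISK_FLAVOR only applies where the deployment's policy file does not set this rule, and the rule description does not say so. An operator who earlier copied `rule:admin_or_owner` into that file keeps the old behaviour, and with it the local-disk exhaustion exposure the docstring describes. I would add one sentence to the description, for example `An explicit override of this rule in the policy file takes precedence over this default and should be reviewed on upgrade.` The `rules` list and the docstring both continue outside this hunk.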
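Review bot: Both test_root_gb_zero_disables_size_check here and test_root_gb_zero_disables_min_disk in the next hunk now pin ZERO_DISK_FLAVOR back to `servers_policy.RULE_AOO`, so they cover only the overridden, pre-change behaviour. Nothing in these hunks checks that an image-backed request with a `root_gb` of 0 is refused under the new admin-only default. A companion test that leaves the default in place and asserts the rejection for a non-admin context would cover the path this commit is meant to protect, unless one already exists outside the lines shown. The repeated `self.policy.set_rules({...}, overwrite=False)` block could also move into one small helper on the test case. Both test bodies continue past the end of their hunks.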
@@ -13347,6 +13351,9 @@ class CheckRequestedImageTestCase(test.TestCase): image, self.instance_type, None) def test_root_gb_zero_disables_min_disk(self): + self.policy.set_rules({ + servers_policy.ZERO_DISK_FLAVOR: servers_policy.RULE_AOO + }, overwrite=False) self.instance_type['root_gb'] = 0 image = dict(id='123', status='active', min_disk='2') diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py index 5d00831c477f..1d804dd321b7 100644 --- a/nova/tests/unit/test_policy.py +++ b/nova/tests/unit/test_policy.py @@ -337,6 +337,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase): "os_compute_api:os-quota-class-sets:update", "os_compute_api:os-server-external-events:create", "os_compute_api:os-volumes-attachments:update", +"os_compute_api:servers:create:zero_disk_flavor", "os_compute_api:servers:migrations:index", "os_compute_api:servers:migrations:show", ) @@ -374,7 +375,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase): "os_compute_api:servers:create:attach_network", "os_compute_api:servers:create:attach_volume", "os_compute_api:servers:create:trusted_certs", -"os_compute_api:servers:create:zero_disk_flavor", "os_compute_api:servers:create_image", "os_compute_api:servers:delete", "os_compute_api:servers:detail", diff --git a/releasenotes/notes/default-zero-disk-flavor-to-admin-api-fd99e162812c2c7f.yaml b/releasenotes/notes/default-zero-disk-flavor-to-admin-api-fd99e162812c2c7f.yaml new file mode 100644 index 000000000000..e76921ecbba9 --- /dev/null +++ b/releasenotes/notes/default-zero-disk-flavor-to-admin-api-fd99e162812c2c7f.yaml 
@@ -0,0 +1,11 @@
+---
+upgrade:
+ - |
+ The defalut value for policy rule
+ ``os_compute_api:servers:create:zero_disk_flavor`` has changed from
+ ``rule:admin_or_owner`` to ``rule:admin_api`` which means that by default,
+ users without the admin role will not be allowed to create servers using
+ a flavor with ``disk=0`` *unless* they are creating a volume-backed server.
+ If you have these kinds of flavors, you may need to take action or
+ temporarily override the policy rule. Refer to
+ `bug 1739646 `_ for more details.