While running Tempest internally, I've discovered the following test was failing:
tempest.scenario.test_volume_migrate_attached.TestVolumeMigrateRetypeAttached.test_volume_migrate_attached[compute,id-deadd2c2-beef-4dce-98be-f86765ff311b,slow,volume]
Upon further debugging, I've discovered that cinder-volume has the following traceback:
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server [req-7b3d3148-cdbb-485d-9dd4-3ff7a24e59ad 7088d6afa8a44ef386333b30ff6d62e0 ef87e48ff4604c6aabdead43ca5cb6ca - default default] Exception during message handling: Forbidden: Policy doesn't allow os_compute_api:os-volumes-attachments:update to be performed. (HTTP 403) (Request-ID: req-d5fb2992-48ba-4459-a214-f2cceb8bb0ac)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server Traceback (most recent call last):
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/oslo_messaging/rpc/server.py", line 160, in _process_incoming
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server res = self.dispatcher.dispatch(message)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/oslo_messaging/rpc/dispatcher.py", line 213, in dispatch
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server return self._do_dispatch(endpoint, method, ctxt, args)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/oslo_messaging/rpc/dispatcher.py", line 183, in _do_dispatch
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server result = func(ctxt, **new_args)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/cinder/volume/manager.py", line 2745, in retype
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server new_reservations, status_update)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server self.force_reraise()
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server six.reraise(self.type_, self.value, self.tb)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/cinder/volume/manager.py", line 2741, in retype
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server new_type_id=new_type_id)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/cinder/volume/manager.py", line 2348, in migrate_volume
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server volume.save()
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server self.force_reraise()
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server six.reraise(self.type_, self.value, self.tb)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/cinder/volume/manager.py", line 2341, in migrate_volume
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server self._migrate_volume_generic(ctxt, volume, host, new_type_id)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/cinder/volume/manager.py", line 2107, in _migrate_volume_generic
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server new_volume)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server self.force_reraise()
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server six.reraise(self.type_, self.value, self.tb)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/cinder/volume/manager.py", line 2100, in _migrate_volume_generic
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server new_volume.id)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/cinder/compute/nova.py", line 217, in update_server_volume
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server new_volume_id)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/novaclient/v2/volumes.py", line 97, in update_server_volume
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server body, "volumeAttachment")
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/novaclient/base.py", line 375, in _update
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server resp, body = self.api.client.put(url, body=body)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 297, in put
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server return self.request(url, 'PUT', **kwargs)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server File "/openstack/venvs/pike/lib/python2.7/site-packages/novaclient/client.py", line 83, in request
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server raise exceptions.from_response(resp, body, url, method)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server Forbidden: Policy doesn't allow os_compute_api:os-volumes-attachments:update to be performed. (HTTP 403) (Request-ID: req-d5fb2992-48ba-4459-a214-f2cceb8bb0ac)
2017-12-29 20:38:01.565 32587 ERROR oslo_messaging.rpc.server
2017-12-29 20:38:01.661 32585 INFO cinder.volume.manager [req-7b3d3148-cdbb-485d-9dd4-3ff7a24e59ad 7088d6afa8a44ef386333b30ff6d62e0 ef87e48ff4604c6aabdead43ca5cb6ca - default default] Deleted volume successfully.
Upon further checks, I've found out that during the retype process, it can fallback to migrating the volume in the event that it is not able to retype. In the migrate process, the notification of swapping the volume is sent with the same auth credentials of the user that requested this (which isn't an admin) and it fails.
I'm not sure if Nova's policy should be adjusted for this, or if Cinder should send the request with elevated context, but I believe that's where the issue stands.
yes, with migration_policy as 'on-demand'(this is what test do) it has to be admin user. This is fixed in your patch - https:/ /review. openstack. org/#/c/ 530508/
Also i am much interested to test retype with migration_policy as 'never' so that we can check the auth behavior in retype operation. That should be success with non admin user. Let's add that test also.