Networks of other projects are shown in VM launching menu when logged in as admin

Bug #1036153 reported by Akihiro Motoki
Affects | Status | Importance | Assigned to | Milestone
OpenStack Dashboard (Horizon) | Fix Released | Medium | Akihiro Motoki |

Bug Description

From https://review.openstack.org/#/c/10116/

Assuming that I logged in to Horizon as a user with the admin role, when launching an instance from the project panel (nova/instances/launch), networks owned by other tenants are listed in the "Network" tab of the "Launch Instance" pop-up.
Networks owned by the other tenants should not be listed in this tab.

If a network owned by another tenant is selected, the 'Create Instance' action fails, because Nova cannot find the network for the current tenant and returns this error:

Akihiro Motoki (amotoki)
Changed in horizon:
assignee: nobody → Akihiro Motoki (amotoki)
Gabriel Hurley (gabriel-hurley) wrote :

I would have to look to see whether this is the wrong token being used by the dashboard for that request or if it's bad scoping in Quantum, but either way this ought to be fixed.

Changed in horizon:
importance: Undecided → Medium
milestone: none → folsom-3
status: New → Confirmed
Akihiro Motoki (amotoki) wrote :

This bug is from bad scoping when getting the network list from Quantum.
If the current user has the admin role, quantum network_list() returns all networks on Quantum. Thus the network_list() request should be narrowed by the current tenant_id: network_list(request, tenant_id=self.request.tenant.id).

I also confirmed that the token used by the dashboard is valid.

I will post the patch soon.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/11315

Changed in horizon:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/11315
Committed: http://github.com/openstack/horizon/commit/55319097cc628fe93df139e68310926c01656ccf
Submitter: Jenkins
Branch: master

commit 55319097cc628fe93df139e68310926c01656ccf
Author: Akihiro MOTOKI <email address hidden>
Date: Tue Aug 14 09:33:10 2012 +0900

    Specify tenant_id when retrieving network list from Quantum.

    Fixes bug 1036153

    If a user has admin role, network list returned by Quantum API contains
    networks that do not belong to that tenant. As a result networks owned
    by other tenants are listed in "Network" tab of "Launch Instance" menu.
    Thus we need to specify tenant_id when calling network_list() to
    retrieve only the networks available for the tenant.

    In addition this commit added validation logic to syspanel instance
    launching workflow. It checks whether the owner tenant of the requested
    network(s) matches the tenant specified in the launching panel.

    Change-Id: Ieadf33f0a41247b126669f2f1f2c1d29be01e4e9

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: folsom-3 → 2012.2
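
The two changes described in this report (scoping the list call by tenant, and checking network ownership server-side before launch) can be sketched as follows. This is an added illustration, not Horizon or Quantum code: `Network`, `NETWORKS`, `launch_choices` and `validate_requested_networks` are hypothetical names, and this `network_list` is a local stand-in that only mimics the admin behaviour described above.

```python
# Added illustration; stand-ins for the backend API, not Horizon code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    id: str
    name: str
    tenant_id: str


# Constructed sample data: two tenants, three networks.
NETWORKS = [
    Network("net-a1", "web", "tenant-a"),
    Network("net-a2", "db", "tenant-a"),
    Network("net-b1", "private", "tenant-b"),
]


def network_list(is_admin, caller_tenant_id, tenant_id=None):
    """Stand-in for the list call described in the report.

    A non-admin caller only sees its own tenant's networks. An admin
    caller sees every network unless a tenant_id filter is passed.
    """
    if not is_admin:
        return [n for n in NETWORKS if n.tenant_id == caller_tenant_id]
    if tenant_id is None:
        return list(NETWORKS)  # the unscoped admin view behind the bug
    return [n for n in NETWORKS if n.tenant_id == tenant_id]


def launch_choices(is_admin, current_tenant_id):
    """Networks offered in the launch form, always scoped to the project."""
    return network_list(is_admin, current_tenant_id, tenant_id=current_tenant_id)


def validate_requested_networks(requested_ids, target_tenant_id):
    """Return the requested ids the target tenant does not own.

    An empty list means the request is acceptable; unknown ids are rejected.
    """
    owner = {n.id: n.tenant_id for n in NETWORKS}
    return [nid for nid in requested_ids if owner.get(nid) != target_tenant_id]
```

Filtering the form choices alone only changes what is displayed; the ownership check is what rejects a submitted network id that was never offered.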