OpenStack Dashboard (Horizon)

quotas do not work for users with admin role

Bug #1391242 reported by Eric Peterson
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
Fix Released
Undecided
Eric Peterson
OpenStack Dashboard (Horizon) 2015.1.0 "kilo"

Bug Description

If a user has the admin role, and it working in a particular project - some quota lookups look for items used globally, and do not make a tenant scoped api call.

For example:
https://github.com/openstack/horizon/blob/master/openstack_dashboard/usage/quotas.py#L303
This api call should be network_list_for_tenant(), instead of looking up all networks.

The same is true for routers as well.

Revision history for this message
Eric Peterson (ericpeterson-l) wrote :

It just so happens to work it you do not have the admin role, then the global lookups just stick to your project resources and you get lucky.

Revision history for this message
Gary W. Smith (gary-w-smith) wrote :

Looking at the code snippet, it seems like the two lines immediately after do the restriction to the tenant, but maybe I'm missing something. As a test, I created a new project with a large quota of ports, assigned the admin user to it, then changed my project back to 'demo' and went into the Access & Security / Allocate Floating IP / ALlocate IP to Project, and the quotas shown in the graph are correctly restricted to the 'demo' project.

Can you include in the bug description a way to illustrate/reproduce the problem?

Changed in horizon:
status: New → Incomplete
Revision history for this message
Eric Peterson (ericpeterson-l) wrote :

We have some users with the admin role, and globally lets say we have 23 networks. This user will then go into a project and try to launch a new instance. In the current project they are using - they have 1 network.

However, within horizon it say that create network is disabled as the user has exceeded quoatas. (23 used out of 20 limit lets say).

However, in the current project - there is only 1 network as we observe.

Gary W. Smith (gary-w-smith)
Changed in horizon:
status: Incomplete → New
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/137951

Changed in horizon:
assignee: nobody → Eric Peterson (ericpeterson-l)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/137951
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=f5b77f9a145337c22cf29d8017f5df67a6bacb7c
Submitter: Jenkins
Branch: master

commit f5b77f9a145337c22cf29d8017f5df67a6bacb7c
Author: eric <email address hidden>
Date: Sun Nov 30 07:03:20 2014 -0700

    Quotas for users with admin role do not work

    The quotas code does not isloate counts to resources within the
    current tenant/project. So if a user with the admin role makes
    calls for quota items, the admin role will have counts of a global
    list of resources. This changes that for the tenant quota call
    to fallback to the request.user.project_id if no project was
    otherwise specified for the tenant quota api call.

    Change-Id: Ib0e6ce7774c4c03686a044f233dbb9aa36dbe1b9
    Closes-bug: #1391242

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
milestone: none → kilo-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: kilo-1 → 2015.1.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.