admin GET on /servers should NOT return servers for all tenants
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Compute (nova) |
Fix Released
|
Low
|
Dan Prince | ||
Bug Description
By default, if you are an admin user and you perform a GET on /servers it will return a list of servers for all tenants (projects) in the system regardless of the tenant_id used in the URL.
This is problematic and can lead to confusion if a tenant alternate tenant ID is specified in the URL. This could be easily accomplished with bindings, novaclient, etc.
To reproduce do something like this...
1) Setup an installation with multiple users. One should be an adminstrator. The other can be a regular user.
2) Create servers in both accounts.
3) Configure novarc so that it uses the admin credentials /w the tenant ID of the normal user.
4) Do another 'nova list' and notice that servers for all tenants are still returned.
---
I'd like to see us add an 'all_tenants' filter option to the API so that we can maintain the existing behavior for OPS team members. This provides them the ability to search and query servers from multiple tenants from a single account.
However if the 'all_tenants' option isn't used we should restrain the API to the tenant_id that was specified in the URL.
| Changed in nova: | |
| importance: | Undecided → Low |
| status: | New → In Progress |
| assignee: | nobody → Dan Prince (dan-prince) |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to nova (master) | #1 |
| Dan Prince (dan-prince) wrote | #2 |
| OpenStack Infra (hudson-openstack) wrote Fix merged to nova (master) | #3 |
| Changed in nova: | |
| status: | In Progress → Fix Committed |
| Changed in nova: | |
| milestone: | none → essex-4 |
| status: | Fix Committed → Fix Released |
| Changed in nova: | |
| milestone: | essex-4 → 2012.1 |
Fix proposed to branch: master
Review: https:/