VMs and volumes can be accessed in a different tenant by a different user
Bug #1157042 reported by
Vincent Hou
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Cinder |
Invalid
|
Undecided
|
sandeep mane | ||
| OpenStack Compute (nova) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
1. Set username=admin and tenant=admin, create a volume and a VM. Run "cinder list" and "nova list". Remember the volume-id and vm-id.
2. Switch to another user and tenant, run "cinder list" and "nova list". There is no volume or VM listed.
3. Since we have already known the volume-id and vm-id. It is possible to try all the commands which applies to volumes and VMs, like delete, attach, start, stop, reboot... Theoretically under a different user and tenant, we are not supposed to access the volume or the VM. However, we can do any operation we want, as long as we know the volume-id and VM-id.
Related blueprint: https:/
| description: | updated |
| Changed in nova: | |
| status: | New → Triaged |
Revision history for this message
| John Griffith (john-griffith) wrote | #1 |
| Changed in cinder: | |
| status: | New → Incomplete |
Revision history for this message
| sandeep mane (sandeep-mane) wrote | #2 |
| Changed in cinder: | |
| assignee: | nobody → sandeep mane (sandeep-mane) |
Revision history for this message
| Vincent Hou (houshengbo) wrote | #3 |
| Changed in cinder: | |
| status: | Incomplete → Invalid |
| Changed in nova: | |
| status: | Triaged → Invalid |
To post a comment you must log in.
Hey Vincent,
So I'm not sure I follow this... I did a quick test to make sure I was right here:
I created two users in the same project (user-a and user-b);
Logged in as user-a and created a volume (made a note of the volume id)
Logged in as user-b and tried 'cinder delete xxxxxx'
The response to the delete command was "ERROR: No volume with a name or ID of '70694366-