VMs and volumes can be accessed in a different tenant by a different user
Bug #1157042 reported by
Vincent Hou
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Invalid | Undecided | sandeep mane |
OpenStack Compute (nova) | Invalid | Undecided | Unassigned |
Bug Description
1. Set username=admin and tenant=admin, create a volume and a VM. Run "cinder list" and "nova list". Remember the volume-id and vm-id.
2. Switch to another user and tenant, run "cinder list" and "nova list". There is no volume or VM listed.
3. Since we already know the volume-id and vm-id, it is possible to try all the commands which apply to volumes and VMs, like delete, attach, start, stop, reboot... Theoretically, under a different user and tenant, we are not supposed to access the volume or the VM. However, we can do any operation we want, as long as we know the volume-id and VM-id.
Related blueprint: https:/
description: updated
Changed in nova:
status: New → Triaged
Changed in cinder:
status: New → Incomplete
Hey Vincent,
So I'm not sure I follow this... I did a quick test to make sure I was right here:
I created two users in the same project (user-a and user-b);
Logged in as user-a and created a volume (made a note of the volume id)
Logged in as user-b and tried 'cinder delete xxxxxx'
The response to the delete command was "ERROR: No volume with a name or ID of '70694366-65e0-4f41-954d-301b6dd23607' exists." as I would have expected.
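
The access pattern discussed in this report, as an added example that is not part of the bug report or its comments and is not Cinder or Nova code: a store whose listing is filtered by project but whose delete-by-ID is not, next to a delete that checks the owner on the ID path. All class, function and project names are hypothetical.

```python
# Added illustration; not Cinder or Nova code. All names are hypothetical.
import uuid
from collections import namedtuple

Context = namedtuple("Context", "user project_id")  # caller identity for a request


class VolumeNotFound(Exception):
    """Raised for missing volumes and for volumes owned by another project."""


class VolumeStore:
    def __init__(self):
        self._volumes = {}  # volume_id -> owning project_id

    def create(self, ctx):
        volume_id = str(uuid.uuid4())
        self._volumes[volume_id] = ctx.project_id
        return volume_id

    def list(self, ctx):
        return [v for v, owner in self._volumes.items() if owner == ctx.project_id]

    def delete_unscoped(self, ctx, volume_id):
        # Flawed: listing is filtered, but lookup by ID ignores the caller's project.
        if volume_id not in self._volumes:
            raise VolumeNotFound(volume_id)
        del self._volumes[volume_id]

    def delete_scoped(self, ctx, volume_id):
        # Owner check on the ID path; a foreign ID is reported like a missing one.
        if self._volumes.get(volume_id) != ctx.project_id:
            raise VolumeNotFound(volume_id)
        del self._volumes[volume_id]


def cross_project_delete_allowed(delete_name):
    """Return True if a caller in another project can delete by known ID."""
    store = VolumeStore()
    owner = Context("admin", "project-admin")    # constructed sample identities
    other = Context("user-b", "project-other")
    volume_id = store.create(owner)
    assert store.list(other) == []               # step 2: nothing listed
    try:
        getattr(store, delete_name)(other, volume_id)  # step 3: act on known ID
    except VolumeNotFound:
        return False
    return True
```

A check like `cross_project_delete_allowed` is useful as a regression test for every operation that accepts a resource ID, since a filtered listing alone says nothing about the lookup path.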