Admin cannot show/set quotas in projects where they are not a member or in hierarchy

Bug #1597045 reported by Matt Fischer
Affects: Cinder
Status: Fix Released
Importance: Undecided
Assigned to: Nate Potter
Nominated for Mitaka by Scott DAngelo

Bug Description

Per the ML thread [1] and IRC conversation the cinder team asked me to file this bug.

After upgrading Keystone from Liberty to Mitaka, we can no longer show or modify cinder quotas as admin unless we have a token scoped to the project we're modifying. This is a new limitation and causes a number of operational challenges when using the CLI or Horizon. Now we'll have to add ourselves to every project in which we want to change or even view cinder quotas. For non-admin users this might make sense, but not for admin users.

This is the specific error:

ERROR: Show operations can only be made to projects in the same hierarchy of the project in which users are scoped to. (HTTP 403)

More details:

On Liberty Keystone, projects seem to lack parents:

<Project description=Admin Tenant, domain_id=default, enabled=True,
id=9e839870dd0d4a2f96f9d71b7e7c5a4e, is_domain=False, links={u'self': u'
https://liberty-endpoint:5000/v3/projects/9e839870dd0d4a2f96f9d71b7e7c5a4e'},
name=admin, parent_id=None, subtree=None>

In Mitaka, it seems that projects are children of the default domain:

<Project description=Admin Tenant, domain_id=default, enabled=True,
id=4764ba822ecb43e582794b875751924c, is_domain=False, links={u'self': u'
http://mitaka-endpoint:5000/v3/projects/4764ba822ecb43e582794b875751924c'},
name=admin, parent_id=default, subtree=None>

In Liberty, since all projects were parentless, the authorize_* code blocks
were skipped because both conditionals were false:

https://github.com/openstack/cinder/blob/stable/liberty/cinder/api/contrib/quotas.py#L174-L191

But now in Mitaka, the code is run, and it fails out since the projects are
"brothers", both with the parent of the default domain, but not
hierarchically related.

When this is fixed, a backport to Mitaka would be very helpful if possible.

[1] - http://lists.openstack.org/pipermail/openstack-dev/2016-June/098255.html
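The hierarchy check the report describes, as a simplified model added here (not cinder's own quotas.py): a quota show is allowed only when the caller's project is the target or an ancestor of it, the check is skipped entirely when the target has no parent_id (Liberty), and the merged fix lets a cloud admin bypass it. Project ids, the `Context.is_admin` flag and the `admin_bypass` switch are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Project:
    id: str
    parent_id: Optional[str] = None   # None in Liberty, 'default' (the domain) in Mitaka

@dataclass
class Context:
    project_id: str
    is_admin: bool = False            # constructed stand-in for the cloud admin role

class Forbidden(Exception):
    """Stands in for the HTTP 403 quoted in the report."""

def _is_descendant(target_id: str, candidate_id: str, projects: Dict[str, Project]) -> bool:
    """True if target_id sits below candidate_id in the parent_id chain."""
    node = projects[target_id]
    while node.parent_id is not None:
        if node.parent_id == candidate_id:
            return True
        if node.parent_id not in projects:   # parent is the domain, not a project
            return False
        node = projects[node.parent_id]
    return False

def authorize_show(ctx: Context, target_id: str, projects: Dict[str, Project],
                   admin_bypass: bool = False) -> bool:
    """Return True if the quota show is allowed, otherwise raise Forbidden.
    admin_bypass=False models the Mitaka behaviour the report describes;
    admin_bypass=True models the merged fix, where cloud admin skips the check.
    """
    if admin_bypass and ctx.is_admin:
        return True
    target = projects[target_id]
    if target.parent_id is None:          # Liberty: parentless, so the check never ran
        return True
    if target.id == ctx.project_id or _is_descendant(target.id, ctx.project_id, projects):
        return True
    raise Forbidden("Show operations can only be made to projects in the same "
                    "hierarchy of the project in which users are scoped to. (HTTP 403)")

def liberty_projects() -> Dict[str, Project]:
    # Constructed sample: parent_id=None, as the Liberty repr above shows
    return {"admin": Project("admin"), "team-a": Project("team-a")}

def mitaka_projects() -> Dict[str, Project]:
    # Constructed sample: both projects are siblings under the default domain
    return {"admin": Project("admin", "default"), "team-a": Project("team-a", "default")}
```

Running the Mitaka sample without `admin_bypass` reproduces the 403 from the report; with it, the admin-scoped caller succeeds while a non-admin sibling project is still refused.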

Matt Fischer (mfisch)
summary: - Admin cannot show/set quotas in projects where they are not a member
+ Admin cannot show/set quotas in projects where they are not a member or
+ in hierarchy
Nate Potter (ntpttr)
Changed in cinder:
assignee: nobody → Nate Potter (ntpttr)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/335634

Changed in cinder:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/335634
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=a0a04f4332a609e854f2e67e3e9e9b723197b584
Submitter: Jenkins
Branch: master

commit a0a04f4332a609e854f2e67e3e9e9b723197b584
Author: Nate Potter <email address hidden>
Date: Wed Jun 29 19:59:46 2016 +0000

    Allow admin project to operate on all quotas

    Currently when operating on quotas in a nested
    hierarchical environment, the calling project context
    must be a member of the same hierarchy as the target
    project in order to be authorized, even if it has the
    admin role. This is a change in behavior for users who
    are used to being able to view and modify any project
    quotas as admin without needing a token scoped to the
    target project's hierarchy.

    This patch allows projects with the cloud admin role to
    be able to operate on all project quotas regardless of
    its place in project hierarchy.

    Change-Id: Ifc0f1c5d06e7ca3aa7d9cf267a40f2a6b5cfc078
    Closes-bug: #1597045

Changed in cinder:
status: In Progress → Fix Released
Matt Fischer (mfisch) wrote :

Can we backport this to Mitaka?

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/344342

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/mitaka)

Reviewed: https://review.openstack.org/344342
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=76c74ea3c773368431f2a6894cf4ab5181896115
Submitter: Jenkins
Branch: stable/mitaka

commit 76c74ea3c773368431f2a6894cf4ab5181896115
Author: Nate Potter <email address hidden>
Date: Wed Jun 29 19:59:46 2016 +0000

    Allow admin project to operate on all quotas

    Currently when operating on quotas in a nested
    hierarchical environment, the calling project context
    must be a member of the same hierarchy as the target
    project in order to be authorized, even if it has the
    admin role. This is a change in behavior for users who
    are used to being able to view and modify any project
    quotas as admin without needing a token scoped to the
    target project's hierarchy.

    This patch allows projects with the cloud admin role to
    be able to operate on all project quotas regardless of
    its place in project hierarchy.

    Closes-bug: #1597045
    Change-Id: Ifc0f1c5d06e7ca3aa7d9cf267a40f2a6b5cfc078
    (cherry picked from commit a0a04f4332a609e854f2e67e3e9e9b723197b584)

tags: added: in-stable-mitaka
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/cinder 8.1.0

This issue was fixed in the openstack/cinder 8.1.0 release.

Thierry Carrez (ttx) wrote : Fix included in openstack/cinder 9.0.0.0b3

This issue was fixed in the openstack/cinder 9.0.0.0b3 development milestone.
