invalid filter option "all_tenants" for non-administrator user

Bug #1753885 reported by TommyLike
This bug affects 2 people
Affects: Cinder
Status: Fix Released
Importance: Critical
Assigned to: Rajat Dhasmana

Bug Description

Cinderclient will try to query a resource by different approaches when querying some specific resource with the commands "cinder show/snapshot-show/backup-show", and one of the approaches is:
```
http://{host}/volume/v3/61feeebaad1d4e4382c1c764f2033a79/{volumes/snapshot/backups/..}/detail?all_tenants=1
```
Actually "all_tenants" is only available for administrators, so when a non-administrator tries to show some resource which doesn't exist, cinder will raise the error: "BadRequest: Invalid filters all_tenants are found in query options"

It worked fine before generic filtering was introduced, as cinder would ignore the invalid query options; now it raises BadRequest.

TommyLike (hu-husheng)
description: updated
Eric Harney (eharney) wrote :

Why is this a bug?

If a non-privileged user runs "cinder list --all-tenants", they get back an error. This is better than giving an incomplete list that doesn't include all tenants.

I'm not sure about whether 400 is the correct code (could be 403), but this seems like the right behavior to me.

TommyLike (hu-husheng) wrote :

@Eric Harney,

The difference between the command "cinder list --all-tenants" and the command "cinder show {volume_id}" here is that cinderclient will append the "all_tenants" option for the non-privileged user automatically inside. I was wondering why cinderclient did so for a user that is not privileged to do it. This is something like: "You tried some privileged approach to retrieve the resource and then tell me I am not privileged." I am not sure whether this is a valid bug, it just feels like the behaviour is incorrect.

Bernd Bausch (berndbausch) wrote :

I get this (Devstack stable/rocky, user and project "demo"):

    $ cinder extend myvol 2
    ERROR: Invalid filters all_tenants are found in query options. (HTTP 400)

--debug reveals that the client does indeed submit an API with an all_tenants filter:

    DEBUG:keystoneauth:REQ: curl -g -i -X GET http://192.168.1.201/volume/v3/5baa88f5d7654fc69c1116bbc91acdd2/volumes/detail?all_tenants=1&name=myvol -H "Accept: application/json" -H "OpenStack-API-Version: volume 3.51" -H "User-Agent: python-cinderclient" -H "X-Auth-Token: {SHA1}9098dc315db3bc910e1e22bf6c4588c6953d46a3"

Looks like a bug to me, but why has nobody else seen it?

The openstack client doesn't have this behaviour. However it can't process microversions:

    export OS_VOLUME_API_VERSION=3.47
    $ openstack volume list
    volume version 3.47 is not in supported versions: 1, 2, 3

Bernd Bausch (berndbausch) wrote :

Same error when trying

    cinder --os-volume-api-version 3.55 revert-to-snapshot myvolume

as a non-admin user. When I add the --debug option, I get

    GET call to volumev3 for http://192.168.1.200/volume/v3/7c75bb2fb30d47eda592fb00495d73b7/snapshots/detail?all_tenants=1&name=mybootvol

Since the openstack client refuses Cinder's microversions (see #3 above), I can't use the CLI to perform revert-to-snapshot.

Changed in cinder:
importance: Undecided → Critical
Changed in cinder:
assignee: nobody → Rajat Dhasmana (whoami-rajat)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/641717
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=80e94ac3dcc8a5ee9100899b43dcb2fae6320aee
Submitter: Zuul
Branch: master

commit 80e94ac3dcc8a5ee9100899b43dcb2fae6320aee
Author: whoami-rajat <email address hidden>
Date: Thu Mar 7 21:58:21 2019 +0530

    Handling filters in Generalized Filtering API

    This patch handles the following filters :

    1) all_tenants : Restoring to previous functionality of ignoring
    invalid filters

    2) is_public (volume_type): This filter has the 3 valid values,
    * True : show only public volume types (valid for non-admins)
    * False : show only private volume types (valid for admins)
    * None : show both private and public volume types
    Since this filter is valid for admins as well as non-admins,
    we can pass this through filtering API to lower level code where
    this is handled correctly.

    3) name (group, group snapshot): 'name' is a valid parameter for
    non-admins while showing a group or group snapshot.

    Closes-Bug: #1753885

    Change-Id: I1545c165087f80a9fdc9f576114a820ac95be5c5

Changed in cinder:
status: In Progress → Fix Released
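
The two server-side behaviours discussed in this report, as an added sketch that is not Cinder's code: rejecting an admin-only filter from a non-admin versus silently dropping it while keeping the result scoped to the caller's project. All names (`clean_filters`, `list_volumes`, the allow-list, the sample volumes) are hypothetical and constructed for illustration.

```python
# Added illustration, not Cinder's code: every name below is hypothetical.

class BadRequest(Exception):
    """Stands in for an HTTP 400 response."""

ALLOWED_FILTERS = {"name", "status"}   # constructed allow-list for any caller
ADMIN_ONLY_FILTERS = {"all_tenants"}   # only takes effect for administrators

# Constructed sample data: same volume name in two different projects.
VOLUMES = [
    {"id": "v1", "project_id": "demo", "name": "myvol", "status": "available"},
    {"id": "v2", "project_id": "other", "name": "myvol", "status": "in-use"},
]

def clean_filters(filters, is_admin, strict):
    """Return only the filters this caller is allowed to apply.

    strict=True rejects an admin-only filter sent by a non-admin (the
    behaviour reported in the bug); strict=False drops it silently (the
    behaviour the fix restores). Unknown filters are rejected either way,
    which is an assumption of this sketch.
    """
    cleaned = {}
    for key, value in filters.items():
        if key in ADMIN_ONLY_FILTERS:
            if is_admin:
                cleaned[key] = value
            elif strict:
                raise BadRequest(
                    f"Invalid filters {key} are found in query options.")
            continue  # non-admin, lenient mode: filter is dropped
        if key not in ALLOWED_FILTERS:
            raise BadRequest(
                f"Invalid filters {key} are found in query options.")
        cleaned[key] = value
    return cleaned

def list_volumes(project_id, is_admin, filters, strict=False):
    """List volume ids visible to the caller after filter validation."""
    cleaned = clean_filters(filters, is_admin, strict)
    # Tenant scope comes from the caller's role, never from the raw query:
    # a dropped all_tenants must leave the result limited to project_id.
    cross_tenant = is_admin and str(cleaned.pop("all_tenants", "0")) == "1"
    rows = [v for v in VOLUMES
            if cross_tenant or v["project_id"] == project_id]
    return [v["id"] for v in rows
            if all(v.get(k) == val for k, val in cleaned.items())]
```
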
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.openstack.org/648174

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/stein)

Reviewed: https://review.openstack.org/648174
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=46363697d9a7ddc7880bf6071e5d035f3f9aa043
Submitter: Zuul
Branch: stable/stein

commit 46363697d9a7ddc7880bf6071e5d035f3f9aa043
Author: whoami-rajat <email address hidden>
Date: Thu Mar 7 21:58:21 2019 +0530

    Handling filters in Generalized Filtering API

    This patch handles the following filters :

    1) all_tenants : Restoring to previous functionality of ignoring
    invalid filters

    2) is_public (volume_type): This filter has the 3 valid values,
    * True : show only public volume types (valid for non-admins)
    * False : show only private volume types (valid for admins)
    * None : show both private and public volume types
    Since this filter is valid for admins as well as non-admins,
    we can pass this through filtering API to lower level code where
    this is handled correctly.

    3) name (group, group snapshot): 'name' is a valid parameter for
    non-admins while showing a group or group snapshot.

    Closes-Bug: #1753885

    Change-Id: I1545c165087f80a9fdc9f576114a820ac95be5c5
    (cherry picked from commit 80e94ac3dcc8a5ee9100899b43dcb2fae6320aee)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 14.0.0.0rc2

This issue was fixed in the openstack/cinder 14.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 15.0.0.0rc1

This issue was fixed in the openstack/cinder 15.0.0.0rc1 release candidate.
