OpenStack Heat

Heat can sometimes delete end-user's own project

Bug #1365332 reported by Kieran Spear on 2014-09-04

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Heat	Fix Released	High	Steven Hardy	OpenStack Heat 2014.2 "juno"
	Icehouse	Fix Released	High	Kieran Spear	OpenStack Heat 2014.1.4

Bug Description

We upgraded from Havana to Icehouse Heat about a month ago. A few days ago I configured Heat to use its own Keystone domain for user/project creation. I short while after that I found that a user's own tenant in the 'default' domain had been deleted.

- Create a stack on a Heat deployment that isn't configured to use its own Keystone domain (i.e., stack_user_domain_id unset).
- Set stack_user_domain_id
- Delete the stack

The user's own project will be deleted.

In retrospect I should have realised this but with Keystone's default policy.json the heat_stack_admin will have admin over everything, not just its own domain.

Tags:

Revision history for this message

Steven Hardy (shardy) wrote on 2014-09-04:

Ouch! We should definitely add a check to avoid this! :-O

Changed in heat:
status:	New → Triaged
importance:	Undecided → High
assignee:	nobody → Steven Hardy (shardy)
milestone:	none → juno-rc1

Revision history for this message

Steven Hardy (shardy) wrote on 2014-09-04:

Btw, as you've noted, this is really a consequence of this long-standing keystone bug:

https://bugs.launchpad.net/keystone/+bug/968696

It *should* be possible to create a user who has admin rights over just one domain, but atm in keystone it's not :(

Steven Hardy (shardy) on 2014-09-04

tags:

added: icehouse-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-04: Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/119212

Changed in heat:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-09: Fix proposed to heat (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/119996

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-13: Fix merged to heat (master)

Reviewed: https://review.openstack.org/119212
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=e9b5a4a5491d74ed877c1288a81a8d4958673c88
Submitter: Jenkins
Branch: master

commit e9b5a4a5491d74ed877c1288a81a8d4958673c88
Author: Steven Hardy <email address hidden>
Date: Thu Sep 4 22:10:47 2014 +0100

Only delete stack user project from correct domain

    Check the domain ID for the project matches the configured domain from
    heat.conf, so we avoid the bad outcome of deleting the user's project
    when heat has been configured for stack domain users after creating
    some stacks.

Change-Id: I247e732033f44daf0de5b0efeff6c263814d13ab
Closes-Bug: #1365332

Changed in heat:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2014-10-02

Changed in heat:
status:	Fix Committed → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-14: Fix merged to heat (stable/icehouse)

Reviewed: https://review.openstack.org/119996
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=2b4f7be44a7c5eae825c9d340aff8abe93efe449
Submitter: Jenkins
Branch: stable/icehouse

commit 2b4f7be44a7c5eae825c9d340aff8abe93efe449
Author: Steven Hardy <email address hidden>
Date: Thu Sep 4 22:10:47 2014 +0100

Only delete stack user project from correct domain

    Conflicts:
     heat/common/heat_keystoneclient.py
     heat/tests/test_heatclient.py

Change-Id: I247e732033f44daf0de5b0efeff6c263814d13ab
Closes-Bug: #1365332

Thierry Carrez (ttx) on 2014-10-16

Changed in heat:
milestone:	juno-rc1 → 2014.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.