OpenStack Heat

List stacks API lists stacks from all tenants for admin

Bug #1757550 reported by Supreeth Shivanand on 2018-03-21

22

This bug affects 5 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Heat	Invalid	Undecided	sbartel	OpenStack Heat no-milestone-taged-bugs

Bug Description

While working on a customer issue, I found that tenant scoping for list stacks API doesn't seem to work for an admin user.

The API /v1/{tenant_id}/stacks should be filtering stacks based on the tenant_id provided irrespective of whether it is an admin user or not. If the admin user needs to fetch all the stacks in all the tenants, he will be using global_tenant request parameter.

I confirmed the behavior with nova project and it works as expected. Even 'openstack stack list' lists stacks from all tenants.

This was observed on heat running on newton.

Tenant based filtering will not work until /v1/{tenant_id}/stacks?tenant={tenant_id} API is used.

Repercussions of this issue:
1. default max_stacks_per_tenant limit of 100 was hit and heat-engine didn't let an admin user create any more stacks though it had less than 100 stacks in the tenant.

Heat's behavior:
Tried with an admin user with 3 stacks in the admin tenant. It was supposed to list only 3 stacks.

# openstack stack list
+--------------------------------------+---------------+-----------------+----------------------+--------------+
| ID | Stack Name | Stack Status | Creation Time | Updated Time |
+--------------------------------------+---------------+-----------------+----------------------+--------------+
| 5fbf55c0-b4ac-4ff9-8fce-4086a7b28282 | vdasvavttbfdb | CREATE_COMPLETE | 2018-03-21T20:44:02Z | None |
| eb862325-80f3-45ea-9709-9cd3ad0612d6 | test_12345 | CREATE_COMPLETE | 2018-03-21T20:38:53Z | None |
| 059972a9-2773-4570-8876-ef31ea2696f9 | dcasvdsva | CREATE_COMPLETE | 2018-03-21T01:18:07Z | None |
| a85fd5ad-daf1-499f-babf-ae53623803d0 | test_3 | CREATE_COMPLETE | 2018-03-21T00:17:02Z | None |
| 2f9588f6-fb8b-4c36-a629-75e951ea3cae | test_2 | CREATE_COMPLETE | 2018-03-21T00:16:40Z | None |
| 511ab59d-e75a-43a6-a045-07ae77e0022d | test_1 | CREATE_COMPLETE | 2018-03-21T00:15:36Z | None |
+--------------------------------------+---------------+-----------------+----------------------+--------------+

# openstack stack list --all-projects
+--------------------------------------+---------------+----------------------------------+-----------------+----------------------+--------------+
| ID | Stack Name | Project | Stack Status | Creation Time | Updated Time |
+--------------------------------------+---------------+----------------------------------+-----------------+----------------------+--------------+
| 5fbf55c0-b4ac-4ff9-8fce-4086a7b28282 | vdasvavttbfdb | 945fb273c7a845a5b267fed51787e7de | CREATE_COMPLETE | 2018-03-21T20:44:02Z | None |
| eb862325-80f3-45ea-9709-9cd3ad0612d6 | test_12345 | 945fb273c7a845a5b267fed51787e7de | CREATE_COMPLETE | 2018-03-21T20:38:53Z | None |
| 059972a9-2773-4570-8876-ef31ea2696f9 | dcasvdsva | 7181535a63174e1e9995b23c50765d1a | CREATE_COMPLETE | 2018-03-21T01:18:07Z | None |
| a85fd5ad-daf1-499f-babf-ae53623803d0 | test_3 | dbcf6a557acc492d89fa1c42c555dca6 | CREATE_COMPLETE | 2018-03-21T00:17:02Z | None |
| 2f9588f6-fb8b-4c36-a629-75e951ea3cae | test_2 | dbcf6a557acc492d89fa1c42c555dca6 | CREATE_COMPLETE | 2018-03-21T00:16:40Z | None |
| 511ab59d-e75a-43a6-a045-07ae77e0022d | test_1 | dbcf6a557acc492d89fa1c42c555dca6 | CREATE_COMPLETE | 2018-03-21T00:15:36Z | None |
+--------------------------------------+---------------+----------------------------------+-----------------+----------------------+--------------+

Examples for nova's behavior: Nova behaves correctly with the same admin user with 3 instances in the admin tenant and 6 instances in total.

# openstack server list
+--------------------------------------+----------------------------------------+--------+--------------------+------------------------------+
| ID | Name | Status | Networks | Image Name |
+--------------------------------------+----------------------------------------+--------+--------------------+------------------------------+
| 2e725b89-90cf-4e49-b33b-c3d6bb3094d2 | test_3-apache_http_server-t2exugcukhwc | ACTIVE | test-net=10.1.1.3 | cirros-0.3.2-x86_64-disk.img |
| cdc6e3d8-0d60-4d7b-acdc-cd3c67160753 | test_2-apache_http_server-yp5zw7igwbnj | ACTIVE | test-net=10.1.1.12 | cirros-0.3.2-x86_64-disk.img |
| 0d7b43fb-72e3-4f99-a610-1d26b91a3039 | test_1-apache_http_server-pyhvmfz4zaua | ACTIVE | test-net=10.1.1.6 | cirros-0.3.2-x86_64-disk.img |
+--------------------------------------+----------------------------------------+--------+--------------------+------------------------------+

# openstack server list --all-projects
+--------------------------------------+-----------------------------------------------+--------+--------------------+------------------------------+
| ID | Name | Status | Networks | Image Name |
+--------------------------------------+-----------------------------------------------+--------+--------------------+------------------------------+
| fd1cf6c2-7843-4954-b42a-9bdc7daec1bf | vdasvavttbfdb-apache_http_server-ve7tina5idcx | ACTIVE | test-net=10.1.1.13 | cirros-0.3.2-x86_64-disk.img |
| 83b8fcc6-b48b-473b-9195-6c6728eea3af | test_12345-apache_http_server-5lalvviffboa | ACTIVE | test-net=10.1.1.8 | cirros-0.3.2-x86_64-disk.img |
| 6251853a-a78c-4260-a852-e98c4b396821 | dcasvdsva-apache_http_server-b7n56w7nouvk | ACTIVE | test-net=10.1.1.9 | cirros-0.3.2-x86_64-disk.img |
| 2e725b89-90cf-4e49-b33b-c3d6bb3094d2 | test_3-apache_http_server-t2exugcukhwc | ACTIVE | test-net=10.1.1.3 | cirros-0.3.2-x86_64-disk.img |
| cdc6e3d8-0d60-4d7b-acdc-cd3c67160753 | test_2-apache_http_server-yp5zw7igwbnj | ACTIVE | test-net=10.1.1.12 | cirros-0.3.2-x86_64-disk.img |
| 0d7b43fb-72e3-4f99-a610-1d26b91a3039 | test_1-apache_http_server-pyhvmfz4zaua | ACTIVE | test-net=10.1.1.6 | cirros-0.3.2-x86_64-disk.img |
+--------------------------------------+-----------------------------------------------+--------+--------------------+------------------------------+

Rico Lin (rico-lin) on 2018-05-07

Changed in heat:
milestone:	none → no-priority-tag-bugs

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-06-18: Fix proposed to heat (stable/queens)

#1

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/736743

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-06-18: Change abandoned on heat (stable/queens)

#2

Change abandoned by Samuel BARTEL (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/736743

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-06-18: Related fix proposed to heat (master)

#3

Related fix proposed to branch: master
Review: https://review.opendev.org/736746

sbartel (samuel-bartel) on 2020-06-19

Changed in heat:
assignee:	nobody → sbartel (samuel-bartel)

Revision history for this message

ITD27M01 (igortiunov) wrote on 2021-09-24:

#4

https://storyboard.openstack.org/#!/story/1757550

admin user in admin project is treated as global admin that can manage stacks from all projects after https://bugs.launchpad.net/heat/+bug/1466694. You can change the global admin project by changing settings in keystone.conf.

Changed in heat:
status:	New → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.