Comment 0 for bug 1493122

hossein zabolzadeh (zabolzadeh) wrote :

There is no quota check for snapshots taken from instances, either via the APIs or Horizon. Imagine a situation where a normal user can fill up the whole of the Cinder (Ceph) storage space by calling the get_instance_snapshot() API, which should be restricted using project quota checks.

How to check the bug?
1- In a specific project, launch a new instance.
2- Set the project's quota all the way down (e.g. instances: 1, volume_snapshots: 0, ...).
3- Take as many snapshots of the running instance as you can.

You will see that there is no quota check and the user can fill up the whole of the storage space.
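
Added example (not part of the original comment and not OpenStack code): a sketch of the kind of check the report says is missing, where the snapshot path reserves against the project's `volume_snapshots` quota before touching storage and rolls the reservation back if the backend fails. `ProjectQuota`, `snapshot_instance`, `run_concurrent` and the stand-in backend are hypothetical names, and treating a negative limit as unlimited is an assumption.

```python
import threading

class QuotaExceeded(Exception):
    pass

class ProjectQuota:
    """Hypothetical per-project quota tracker (illustration only)."""
    def __init__(self, limits):
        self.limits = dict(limits)            # e.g. {"volume_snapshots": 0}
        self.in_use = {name: 0 for name in limits}
        self._lock = threading.Lock()

    def reserve(self, resource, amount=1):
        # Check and count under one lock, so concurrent requests cannot
        # all pass the check before any of them has been counted.
        with self._lock:
            limit = self.limits.get(resource, 0)   # unknown resource: deny
            used = self.in_use.get(resource, 0)
            if limit >= 0 and used + amount > limit:   # negative = unlimited (assumption)
                raise QuotaExceeded(f"{resource}: {used}+{amount} > {limit}")
            self.in_use[resource] = used + amount

    def release(self, resource, amount=1):
        with self._lock:
            self.in_use[resource] = max(0, self.in_use.get(resource, 0) - amount)

def snapshot_instance(quota, backend, instance_id):
    """Reserve quota first; give it back if the storage call fails."""
    quota.reserve("volume_snapshots")
    try:
        return backend(instance_id)   # stand-in for the real storage call
    except Exception:
        quota.release("volume_snapshots")
        raise

def run_concurrent(limit, requests):
    """Fire `requests` parallel snapshot calls; return (created, denied)."""
    quota = ProjectQuota({"instances": 1, "volume_snapshots": limit})
    created, denied = [], []
    def worker(n):
        try:
            created.append(snapshot_instance(quota, lambda i: f"{i}-snap-{n}", "vm1"))
        except QuotaExceeded:
            denied.append(n)
    threads = [threading.Thread(target=worker, args=(n,)) for n in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(created), len(denied)

if __name__ == "__main__":
    print(run_concurrent(0, 10))   # quota from step 2 of the report
```

With the quota from step 2 (`volume_snapshots: 0`) every request is refused before any storage is consumed, and with a non-zero limit parallel requests cannot exceed it.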