There is no quota check for snapshots taken from instances, either via the APIs or Horizon. Imagine a situation where a normal user can fill up the whole of the Cinder (Ceph) storage space by calling the get_instance_snapshot() API, which should be restricted using project quota checks.
How to check the bug?
1- In a specific project, launch a new instance.
2- Set the project's quota all the way down (e.g. instances: 1, volume_snapshots: 0, ...).
3- Take as many snapshots of the running instance as you can.
You will see that there is no quota check and the user can fill up the whole of the storage space.
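The check the report says is missing, sketched as an added example that is not part of the original report and is not OpenStack code: a snapshot path that reserves project quota before creating anything and gives the reservation back if creation fails, next to an unchecked path that behaves as described in the steps above. `ProjectQuota`, `snapshot_checked`, `snapshot_unchecked`, the `gigabytes` limit and the "-1 means unlimited" rule are assumptions made for illustration.

```python
import threading

class QuotaExceeded(Exception):
    pass

class ProjectQuota:
    """Hypothetical in-memory per-project quota tracker (not OpenStack code)."""
    def __init__(self, limits):
        self._limits = dict(limits)            # e.g. {"volume_snapshots": 0}
        self._used = {name: 0 for name in limits}
        self._lock = threading.Lock()

    def reserve(self, **deltas):
        # Check and count under one lock so concurrent requests cannot
        # all pass the check before any of them is counted.
        with self._lock:
            for name, delta in deltas.items():
                limit = self._limits[name]     # assumption: -1 means unlimited
                if limit >= 0 and self._used[name] + delta > limit:
                    raise QuotaExceeded(name)
            for name, delta in deltas.items():
                self._used[name] += delta

    def release(self, **deltas):
        with self._lock:
            for name, delta in deltas.items():
                self._used[name] -= delta

    def used(self, name):
        with self._lock:
            return self._used[name]

def snapshot_unchecked(store, instance_id, size_gb):
    """Behaviour described in the report: nothing consults the quota."""
    store.append((instance_id, size_gb))
    return len(store)

def snapshot_checked(quota, store, instance_id, size_gb, backend=None):
    """Reserve quota first, then create; give the reservation back on failure."""
    quota.reserve(volume_snapshots=1, gigabytes=size_gb)
    try:
        if backend is not None:
            backend(instance_id, size_gb)      # constructed storage call, may raise
        store.append((instance_id, size_gb))
    except Exception:
        quota.release(volume_snapshots=1, gigabytes=size_gb)
        raise
    return len(store)
```

Reserving before the storage call, rather than counting afterwards, is what keeps parallel snapshot requests from each passing the check on stale usage.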