Project deleted (with resources left orphaned)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Status tracked in 10.0.x | | |
10.0.x | Confirmed | Wishlist | MOS Nova |
7.0.x | Won't Fix | Wishlist | MOS Nova |
8.0.x | Won't Fix | Wishlist | MOS Nova |
9.x | Won't Fix | Wishlist | MOS Nova |
Bug Description
Detailed bug description:
Customer reported an issue where he was able to delete a project with the admin account even with the project still having an instance and a network. The instance and the network are now orphaned and do not have a project assigned. Additionally, the owner of the project can no longer manage the instance via horizon or CLI.
Steps to reproduce:
1. Create test user with admin account
2. Create test project and assign test user as admin
3. Log into test project with test user account
4. Create test network and subnet
5. Launch test instance
6. Log out of test project
7. Log in as admin user to admin project
8. Delete test project - Project deletes successfully.
9. Try to log in as test user to Horizon gets "You are not authorized for any projects." Error as expected.
10. Try nova list with test user via CLI gets:
root@node-1:~# nova list
ERROR (Unauthorized): The request you have made requires authentication. (HTTP 401) (Request-ID: req-a77e5e5c-
11. Do nova show <Instance_ID> with admin user and project and instance is active showing test project as its project.
Expected result:
Project should not be able to be deleted if the Project still has resources (Instances, networks, etc).
Actual result:
Project can be deleted regardless of whether it houses resources.
Reproducibility:
100% in MOS 7.0
Workaround:
None that I know.
Impact:
Project owner can no longer manage their resources.
Description of the environment:
[root@fuel ~]# cat /etc/fuel/
VERSION:
feature_groups:
- mirantis
production: "docker"
release: "7.0"
openstack_
api: "1.0"
build_number: "301"
build_id: "301"
nailgun_sha: "4162b0c15adb42
python-
fuel-agent_sha: "50e90af6e3d560
fuel-
astute_sha: "6c5b73f93e24cc
fuel-library_sha: "5d50055aeca1dd
fuel-ostf_sha: "2cd967dccd66cf
fuelmain_sha: "a65d453215edb0
Network model:
VLANS
Changed in fuel:
status: New → Confirmed
tags: added: area-mos
Changed in fuel:
assignee: nobody → MOS Keystone (mos-keystone)
Changed in fuel:
importance: Wishlist → Medium
assignee: nobody → MOS Nova (mos-nova)
milestone: none → 9.0
tags: added: 10.0-reviewed
I was able to reproduce this on my own as well. There are more than just instances and networks being orphaned here. You also have volumes, glance images, and essentially everything that can be assigned to a project.
I propose that keystone checks the tenants to see if there are any resources available in them. One idea would be to scan the database (i.e. select * from instances where project_id='tenant' and deleted=0;). If any of these select commands returns an active resource, keystone should send an error to the user, both via Horizon and CLI, that they need to delete the available resources or migrate them before deleting a tenant.
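
The pre-delete check proposed in the comment above, sketched as an added example that is not part of the original report or of any OpenStack code; it goes one step further and also sweeps for resources that are already orphaned. It assumes one constructed SQLite database: only the `instances` table with its `project_id` and `deleted` columns appears on the page, while the `projects`, `networks` and `volumes` tables, their columns and all function names are hypothetical.

```python
import sqlite3

# Constructed, simplified schema: only `instances`, `project_id` and `deleted`
# come from the comment above; the other tables and columns are assumptions.
RESOURCE_TABLES = ("instances", "networks", "volumes")

def build_sample_db():
    """In-memory stand-in for the service databases, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE projects (id TEXT PRIMARY KEY)")
    for table in RESOURCE_TABLES:
        db.execute(f"CREATE TABLE {table} (id TEXT, project_id TEXT, deleted INTEGER)")
    db.executemany("INSERT INTO projects VALUES (?)", [("admin",), ("test",), ("empty",)])
    db.executemany("INSERT INTO instances VALUES (?, ?, ?)",
                   [("vm-1", "test", 0), ("vm-2", "test", 1), ("vm-3", "gone", 0)])
    db.execute("INSERT INTO networks VALUES ('net-1', 'test', 0)")
    db.execute("INSERT INTO volumes VALUES ('vol-1', 'gone', 0)")
    return db

def active_resources(db, project_id):
    """Return {table: [ids]} of non-deleted resources still owned by project_id."""
    found = {}
    for table in RESOURCE_TABLES:  # fixed allow-list, never user input
        rows = db.execute(
            f"SELECT id FROM {table} WHERE project_id = ? AND deleted = 0 ORDER BY id",
            (project_id,)).fetchall()
        if rows:
            found[table] = [r[0] for r in rows]
    return found

def delete_project(db, project_id):
    """Refuse the delete while resources remain; return (deleted, blockers)."""
    blockers = active_resources(db, project_id)
    if blockers:
        return False, blockers
    db.execute("DELETE FROM projects WHERE id = ?", (project_id,))
    return True, {}

def orphaned_resources(db):
    """List (table, id, project_id) rows whose project no longer exists."""
    orphans = []
    for table in RESOURCE_TABLES:
        orphans += [(table, *row) for row in db.execute(
            f"SELECT id, project_id FROM {table} WHERE deleted = 0 "
            "AND project_id NOT IN (SELECT id FROM projects) ORDER BY id")]
    return orphans
```

The blockers returned by `delete_project` are what the error shown to the user would list, and `orphaned_resources` is the audit to run on a cloud where projects have already been deleted this way.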