nova quota-update can update quota for a non-existent tenant
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | New | Undecided | David Geng |
Bug Description
Test procedure:
1. check the tenant of your openstack
[root@sco-svt opt]# keystone tenant-list
+------
| id | name | enabled |
+------
| 26df64cc1d2d4df
| 84ca1c4ffb8d4aa
+------
2. run nova quota-update to update a quota for a non-existent tenant.
nova quota-update --instance 40 --cores 40 --ram 409600 --volumes 160 --floating-ips 100 diaojuan
[root@sco-svt opt]# nova quota-show diaojuan
+------
| Property | Value |
+------
| cores | 40 |
| floating_ips | 100 |
| gigabytes | 1000 |
| injected_
| injected_files | 5 |
| instances | 40 |
| metadata_items | 128 |
| ram | 409600 |
| volumes | 160 |
+------
3. Expected result: the update will fail because diaojuan is not an existing tenant-id.
Actual result: it can be successfully executed.
information type: | Private Security → Public Security |
Changed in python-glanceclient: | |
assignee: | nobody → diaojuan (diaojuan) |
assignee: | diaojuan (diaojuan) → nobody |
Changed in python-glanceclient: | |
assignee: | nobody → David Geng (genggjh) |
affects: | python-glanceclient → nova |
Changed in nova: | |
assignee: | David Geng (genggjh) → nobody |
assignee: | nobody → David Geng (genggjh) |
information type: | Public Security → Public |
this needs keystone's cooperation since the tenant_id is checked by it. In api.py, all the policy checks don't send req to keystone
however, from api to db/sqlalchemy/
the quota on a non-existent tenant will not cause a security problem, it just causes unnecessary SQL storage
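
An added example, not nova's code and not part of the bug thread: a minimal quota store that contrasts the unchecked write from the report with a write that first confirms the tenant exists, plus an audit that lists quota rows owned by tenants the identity service does not know. `QuotaStore`, `known_tenants`, the resource allow-list and the tenant IDs are assumptions made for the sketch.

```python
# Added sketch, not nova code. `known_tenants` stands in for a Keystone
# tenant lookup and QuotaStore for the quota table; tenant IDs are constructed.
ALLOWED_RESOURCES = {"instances", "cores", "ram", "volumes", "floating_ips"}


class UnknownTenant(Exception):
    """The target tenant is not known to the identity service."""


class QuotaStore:
    def __init__(self, known_tenants):
        self._known_tenants = known_tenants  # callable -> set of tenant IDs
        self._rows = {}  # (tenant_id, resource) -> limit

    def update_unchecked(self, tenant_id, **limits):
        """Behaviour from the report: any string is accepted as a tenant."""
        for resource, limit in limits.items():
            self._rows[(tenant_id, resource)] = limit

    def update_checked(self, tenant_id, **limits):
        """Validate tenant, resource names and limits before writing."""
        if tenant_id not in self._known_tenants():
            raise UnknownTenant(tenant_id)
        unknown = set(limits) - ALLOWED_RESOURCES
        if unknown:
            raise ValueError(f"unknown quota resources: {sorted(unknown)}")
        for resource, limit in limits.items():
            if type(limit) is not int or limit < -1:  # -1 means unlimited here
                raise ValueError(f"bad limit for {resource}: {limit!r}")
        self.update_unchecked(tenant_id, **limits)

    def orphaned_tenants(self):
        """Tenant IDs that own quota rows but are absent from identity."""
        return sorted({t for t, _ in self._rows} - self._known_tenants())


def demo():
    tenants = {"tenant-a-constructed", "tenant-b-constructed"}
    store = QuotaStore(lambda: set(tenants))
    store.update_unchecked("diaojuan", instances=40, cores=40, ram=409600)
    store.update_checked("tenant-a-constructed", instances=10)
    try:
        store.update_checked("diaojuan", cores=80)
        rejected = False
    except UnknownTenant:
        rejected = True
    return rejected, store.orphaned_tenants()
```

`demo()` replays the report's update against the unchecked path, then shows the checked path rejecting the same tenant name and the audit reporting the leftover rows.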