OpenStack Compute (nova)

nova list's --tenant flag also requires --all-tenants

Bug #1185290 reported by Aarti Kriplani
40
This bug affects 6 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Undecided
Ghanshyam Mann
OpenStack Compute (nova) 2014.2 "juno"

Bug Description

When a user with admin access tries to list all instances that belong to a given tenant, it works only when the --all-tenant flag is passed.
For e.g. nova list --tenant 123456 --all-tenants 1
If you leave off the last "--all-tenants 1" flag, you get back an empty response body (with a 200 response)
The "--all-tenants 1" should not be required for the "--tenant" flag to function properly.

Tags: api
Aarti Kriplani (aarti-kriplani)
Changed in nova:
assignee: nobody → Aarti Kriplani (aarti-kriplani)
Kaushik Chandrashekar (kaushikc)
Changed in nova:
status: New → Confirmed
Revision history for this message
Chris Behrens (cbehrens) wrote :

I am not sure that I consider this a bug. Without --all-tenants=1, the code operates under your own tenant. That means that --tenant <foo> should really be a no-op without --all-tenants=1.

Others may disagree.

Revision history for this message
Rafi Khardalian (rkhardalian) wrote :

I disagree Chris, mainly because the structure of the requests and code path should largely be transparent to the user. I'd suggest that specifying --tenant should imply you're doing a query across --all-tenants unless the --tenant specified is the same as what's contained in OS_TENANT_NAME (the unless part is debatable).

Revision history for this message
Jay Pipes (jaypipes) wrote :

I agree with Rafi. It is not intuitive to have to pass --all-tenants when passing --tenant=X as well.

Revision history for this message
Cyril Roelandt (cyril-roelandt) wrote :

I just proposed this fix: https://review.openstack.org/#/c/39705/ .

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/52919
Committed: http://github.com/openstack/nova/commit/3287a6451142ca8ba1449dffb7326df231f70d61
Submitter: Jenkins
Branch: master

commit 3287a6451142ca8ba1449dffb7326df231f70d61
Author: Chris Yeoh <email address hidden>
Date: Mon Oct 21 23:36:56 2013 +1030

    tenant_id implies all_tenants for servers list in V3 API

    Makes tenant_id imply all_tenants is also enabled unless
    explicitly disabled when a request is made for a list of
    servers. This only occurs if the requestor is an admin. The
    change is only made for the V3 API as although this behavior is
    more intuitive it is too late to change it for the V2 API.

    Change-Id: Ia84e62c8dc80ac3a2f16aee3620af31987cce570
    Partial-Bug: 1185290

Revision history for this message
Adam Huffman (adam-huffman) wrote :

Did this fix ever make it to a release?

Revision history for this message
Joe Gordon (jogo) wrote :

addressed in v3, marking as fixed

Changed in nova:
status: Confirmed → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → juno-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: juno-3 → 2014.2
Matt Riedemann (mriedem)
tags: added: api
Revision history for this message
Ghanshyam Mann (ghanshyammann) wrote :

Fix proposed in v3 was reverted/commented out in v2.1 to make v2.1 fully compatible and identical with v2. - https://review.openstack.org/#/c/145687/

We need to fix this for both v2 and v2.1 APIs.

Changed in nova:
assignee: Aarti Kriplani (aarti-kriplani) → Ghanshyam Mann (ghanshyammann)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/209813

Revision history for this message
Ghanshyam Mann (ghanshyammann) wrote :

Spec for this fix - https://review.openstack.org/#/c/198184/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Jeffrey Zhang (<email address hidden>) on branch: master
Review: https://review.openstack.org/209813
Reason: https://review.openstack.org/#/c/198184/ is working on this.

Revision history for this message
Matt Riedemann (mriedem) wrote :

The limitation for this should be documented in the API reference here:

http://developer.openstack.org/api-ref/compute/?expanded=list-servers-detail#id4

Revision history for this message
Matt Riedemann (mriedem) wrote :

I also don't understand what in the nova code is making it such that we don't filter by tenant_id if all_tenants=0.

Revision history for this message
Matt Riedemann (mriedem) wrote :

The answer I got from clarkb was that python2 uses a fixed hash seed (not random), so that's why on py27 we consistently have the admin's project_id overwrite the requested tenant_id in search_opts, and this doesn't work on py27 unless all_tenants=1.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/509650

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (master)

Reviewed: https://review.openstack.org/509650
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=8b62bf6479e411de6d13e49656acf908b9a3e220
Submitter: Jenkins
Branch: master

commit 8b62bf6479e411de6d13e49656acf908b9a3e220
Author: Matt Riedemann <email address hidden>
Date: Wed Oct 4 17:34:21 2017 -0400

    api-ref: note that project_id filter only works with all_tenants

    The project_id / tenant_id filter parameters when
    listing servers is only applied when the all_tenants
    filter is used.

    Otherwise if an admin is listing servers and specifies
    project_id but not all_tenants, they only get back
    instances for the admin's project (in the request context).

    Change-Id: I9e8fae8fb86604d7394d0dba4d7c75c3fc93033e
    Related-Bug: #1185290

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/620165
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=3338d39a86eb2a31c5bb079aa1ac56fd88b52733
Submitter: Zuul
Branch: master

commit 3338d39a86eb2a31c5bb079aa1ac56fd88b52733
Author: Mohammed Naser <email address hidden>
Date: Mon Nov 26 16:31:33 2018 -0500

    Drop cruft code for all_tenants behaviour

    The behaviour for the Nova API is to require `all_tenants` to be
    included in order to be able to list instances for a specific
    project.

    While this behaviour can be a bit confusing, all official CLI
    clients currently automatically imply the addition of `all_tenants`
    to the API request if an explicit tenant/project is selected when
    listing instances.

    The TODO has lived in the code for 5 years now without any work
    being done on it. This patch drops the commented code which can
    later be updated with the appropriate microversion bump to allow
    for behaviour that doesn't require including all_tenants in the
    HTTP request for the future.

    Related-Bug: #1185290

    Change-Id: I9324f798b3c6e05991802bb6610fc357864c0c66

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.