disallow non-admin search for soft-delete instance

Bug #1526715 reported by jichenjc on 2015-12-16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)

Bug Description

Searching for deleted instances is only for admin.
So we should disallow non-admin searches for deleted and soft_deleted instances.

$ curl -g -i -X GET -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-OpenStack-Nova-API-Version: 2.6" -H "X-Auth-Token: 4414496776a3486ba96a6702f13ed5ce"
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 15
X-Openstack-Nova-Api-Version: 2.6
Vary: X-OpenStack-Nova-API-Version
X-Compute-Request-Id: req-15a68220-093c-4688-b9ac-9dc89215140d
Date: Tue, 15 Dec 2015 16:34:36 GMT

{"servers": []}

2015-12-15 11:34:35.991 DEBUG nova.compute.api [req-15a68220-093c-4688-b9ac-9dc89215140d demo demo] Searching by: {'deleted': False, 'vm_state': ['soft-delete'], 'project_id': u'd1c5aa58af6c426492c642eb649017be'} from (pid=26588) get_all /opt/stack/nova/nova/compute/api.py:2055

Tags: api
jichenjc (jichenjc) on 2015-12-16
Changed in nova:
assignee: nobody → jichenjc (jichenjc)
tags: added: api

Fix proposed to branch: master
Review: https://review.openstack.org/258472

Changed in nova:
status: New → In Progress
Sean Dague (sdague) wrote :

Why is this an issue? I don't understand the concern.

Changed in nova:
status: In Progress → Opinion
Changed in nova:
status: Opinion → In Progress
description: updated
melanie witt (melwitt) on 2016-07-07
Changed in nova:
importance: Undecided → Low

Reviewed: https://review.openstack.org/354119
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=4b73cd9bb1b87e946930dd71f86bb6a060e6a9b3
Submitter: Jenkins
Branch: master

commit 4b73cd9bb1b87e946930dd71f86bb6a060e6a9b3
Author: jichenjc <email address hidden>
Date: Mon Jul 25 18:17:08 2016 +0800

    Add comment about how status field changed

    There are some review comments on the status, vm_state
    changes confusion in patch https://review.openstack.org/#/c/258472
    for this bug, so this patch added some comments to make
    the code logic easier for reviewers to read.

    Change-Id: I65e77feeddcf477bd5550baaa440b4a1a325bb91
    Related-Bug: 1526715

Alex Xu (xuhj) wrote :

The non-admin should be able to search for soft-deleted instances, because they may want to restore/force_delete the instance. The resource/force_delete APIs are allowed for admin_or_owner.

If they can't query the soft-deleted instance, how do they know the uuid which they want to restore/force_delete? So I think the correct behaviour is right.

jichenjc (jichenjc) wrote :

OK, this is a valid point, even though I think the softdelete/restore might be an admin-only thing,
it's not related to the bug itself

Changed in nova:
status: In Progress → Invalid

Change abandoned by jichenjc (<email address hidden>) on branch: master
Review: https://review.openstack.org/258472
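
The access model the thread settles on, as an added sketch (not nova's code; `Context`, `Instance`, `scope_filters` and `search` are hypothetical names, and the sample instances are constructed): a non-admin search is pinned to the caller's project and to non-deleted rows, so an owner can still find a soft-deleted instance to restore or force_delete. Silently overriding a non-admin's `deleted` filter, rather than rejecting the request, is an assumption of this sketch.

```python
# Added illustration; not nova code. All names here are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    project_id: str
    is_admin: bool = False

@dataclass(frozen=True)
class Instance:
    uuid: str
    project_id: str
    vm_state: str
    deleted: bool = False

def scope_filters(ctx, requested):
    """Return the filters actually applied for this caller."""
    filters = dict(requested)
    if not ctx.is_admin:
        # Tenant isolation: a non-admin never chooses the project.
        filters["project_id"] = ctx.project_id
        # Deleted rows are admin-only, whatever the caller asked for.
        filters["deleted"] = False
    else:
        filters.setdefault("deleted", False)
    return filters

def search(ctx, requested, instances):
    """Return the uuids visible to ctx under the scoped filters."""
    f = scope_filters(ctx, requested)
    hits = []
    for inst in instances:
        if "project_id" in f and inst.project_id != f["project_id"]:
            continue
        if inst.deleted != f["deleted"]:
            continue
        if "vm_state" in f and inst.vm_state not in f["vm_state"]:
            continue
        hits.append(inst.uuid)
    return hits

# Constructed sample data.
INSTANCES = [
    Instance("uuid-a", "proj-demo", "soft-delete"),
    Instance("uuid-b", "proj-demo", "active"),
    Instance("uuid-c", "proj-demo", "deleted", deleted=True),
    Instance("uuid-d", "proj-other", "soft-delete"),
]
DEMO = Context("proj-demo")
ADMIN = Context("proj-admin", is_admin=True)
```

For the non-admin caller, `scope_filters` yields the same three keys as the "Searching by" log line in the bug description: `deleted`, `vm_state` and `project_id`.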
