Authorization by user_id does not work in V2.1 API
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Won't Fix | Undecided | Unassigned |
Bug Description
When authorization for deleting a VM instance is based on user_id,
it works in the V2.0 API but does not work in the V2.1 API.
[How to reproduce]
In nova's policy.json,
add the following entries (or modify the existing entries to match):
-------
"user": "user_id:
"compute:delete": "rule:user",
"os_compute_
-------
In nova api-paste.ini,
change 'openstack_
'openstack_
-------
[composite:
use = call:nova.
/: oscomputeversions
/v2: openstack_
/v2.1: openstack_
-------
In the V2.0 API, authorization by 'user_id' works as intended:
only the user who created a VM instance can delete it.
In the V2.1 API, authorization by 'user_id' is not enforced:
any user in the same project can delete a VM instance that another user created.
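The report does not say why V2.1 behaves differently, so the following is an added illustration rather than nova's code: a minimal evaluator for policy.json-style rules (a small subset of oslo.policy semantics, assumed here) showing that the same `compute:delete` -> `user_id:%(user_id)s` rule produces the two observed outcomes depending on whether it is checked against the instance's owner or against the caller's own identity. The rule text, user and project ids are constructed for the example (ids are the truncated prefixes from the report).

```python
import re

# Constructed policy rules in the style of nova's policy.json (not copied from nova).
POLICY = {
    "user": "user_id:%(user_id)s",
    "compute:delete": "rule:user",
}

_SUBST = re.compile(r"%\((\w+)\)s")


def check(rule_expr, creds, target, rules=POLICY):
    """Evaluate one policy expression: 'rule:<name>' indirection, or a generic
    '<cred_key>:<value>' check where '%(key)s' is substituted from the target."""
    kind, _, value = rule_expr.partition(":")
    if kind == "rule":
        return check(rules[value], creds, target, rules)
    m = _SUBST.fullmatch(value)
    expected = target.get(m.group(1)) if m else value
    return kind in creds and creds[kind] == expected


def enforce(action, creds, target, rules=POLICY):
    """Look up the rule for an API action and evaluate it."""
    return check(rules[action], creds, target, rules)


def can_delete(caller, instance, target_from="instance"):
    """Policy check for compute:delete. target_from chooses what the rule is
    compared against: the instance record (its owner) or the caller's context."""
    creds = {"user_id": caller["user_id"], "project_id": caller["project_id"]}
    if target_from == "instance":
        target = {"user_id": instance["user_id"], "project_id": instance["tenant_id"]}
    else:  # the caller's own identity: a user_id rule then matches for everyone
        target = dict(creds)
    return enforce("compute:delete", creds, target)


# Constructed sample data modelled on the report: two users in one project.
PROJECT = "533daaf421554a8"                                   # truncated id from the report
OWNER = {"user_id": "357fc80d750646f", "project_id": PROJECT}  # created server1
OTHER = {"user_id": "1cd4d65d4f534cd", "project_id": PROJECT}  # same project, not the owner
SERVER1 = {"name": "server1", "tenant_id": PROJECT, "user_id": OWNER["user_id"]}

if __name__ == "__main__":
    print("owner, instance target:", can_delete(OWNER, SERVER1))           # True
    print("other, instance target:", can_delete(OTHER, SERVER1))           # False (the 403 seen on V2.0)
    print("other, context target :", can_delete(OTHER, SERVER1, "context"))  # True (the V2.1 symptom)
```

When a user_id rule appears to stop enforcing, the first thing to verify is which object the enforcer receives as the target for that action.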
stack@devstack-
+------
| ID | Name |
+------
| 1cd4d65d4f534cd
| 218e7be255be4c9
| 357fc80d750646f
| 37c5204df2d345f
| 4a6e928a20a743a
| 8c613c4691e2447
| 9ab80146bc964e8
| ecd940201f5c45a
+------
stack@devstack-
+------
| ID | Name |
+------
| 4b7c129ea5ee49d
| 4c3e76d51a3c4df
| 533daaf421554a8
| b04c7788628849a
+------
stack@devstack-
+------
| Field | Value |
+------
| endpoints | RegionOne |
| | publicURL: http://
| | internalURL: http://
| | adminURL: http://
| | |
| name | nova |
| type | compute |
+------
stack@devstack-
+------
| Field | Value |
+------
| endpoints | RegionOne |
| | publicURL: http://
| | internalURL: http://
| | adminURL: http://
| | |
| name | nova_legacy |
| type | compute_legacy |
+------
stack@devstack-
+------
| Property | Value |
+------
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-STS:vm_state | active |
| accessIPv4 | |
| accessIPv6 | |
| config_drive | True |
| created | 2016-01-
| flavor | m1.tiny (1) |
| hostId | 5084983d07d356e
| id | cb921ee5-
| image | cirros-
| key_name | - |
| locked | False |
| metadata | {} |
| name | server1 |
| private network | 10.0.10.6, fd7a:6b74:
| progress | 0 |
| security_groups | default |
| status | ACTIVE |
| tenant_id | 533daaf421554a8
| updated | 2016-01-
| user_id | 357fc80d750646f
+------
stack@devstack-
Policy doesn't allow compute:delete to be performed. (HTTP 403) (Request-ID: req-cb34aecd-
ERROR (CommandError): Unable to delete the specified server(s).
stack@devstack-
Request to delete server server1 has been accepted.
stack@devstack-
+------
| Property | Value |
+------
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-STS:vm_state | active |
| accessIPv4 | |
| accessIPv6 | |
| config_drive | True |
| created | 2016-01-
| flavor | m1.tiny (1) |
| hostId | 5084983d07d356e
| id | c5efae23-
| image | cirros-
| key_name | - |
| locked | False |
| metadata | {} |
| name | server2 |
| private network | 10.0.10.8, fd7a:6b74:
| progress | 0 |
| security_groups | default |
| status | ACTIVE |
| tenant_id | 533daaf421554a8
| updated | 2016-01-
| user_id | 357fc80d750646f
+------
stack@devstack-
Request to delete server server2 has been accepted.
[Environment]
Ubuntu 14.04 LTS
nova(master, commit 1dfec7186222054
novaclient 3.2.0
Tags: api
I have a similar issue and confirmed this can be reproduced.