nova quota-update should throw error if tenant-id is not correct

Bug #1551103 reported by Abhishek Talwar
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Invalid
Wishlist
Unassigned
python-novaclient
In Progress
Undecided
Abhilash Goyal

Bug Description

According to the help for “nova quota-update” the command works only with tenant-id.

But currently the command works with everything and doesn't check if the user entered a valid tenant-id or not.

The command should check if the tenant-id entered is a valid id and if it that is not the case should result in an error.

Steps to reproduce the bug :

1. Run “keystone tenant-list” command to get the list of the existing tenants

stack@stack:~/devstack$ keystone tenant-list

+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| 5484649a676547a0b63db23c2e7abaec | admin | True |
| 8d97085693a740de9f3a8ccf8dd5dc4e | alt_demo | True |
| 52eab592d3e94af082442daa505583ac | demo | True |
| 62bf50f477754e3d910e3fcf677b9aed | invisible_to_admin | True |
| fc32936f81e5400bb38d00985ad10fdf | service | True |
+----------------------------------+--------------------+---------+

2. Run the “nova quota-update” command with a valid tenant-id from the list you got using the keystone command

stack@stack:~/devstack$ nova quota-update --instances 8 5484649a676547a0b63db23c2e7abaec

3. Check if the quota got updated

stack@stack:~/devstack$ nova quota-show --tenant 5484649a676547a0b63db23c2e7abaec

+-----------------------------+-------+
| Quota | Limit |
+-----------------------------+-------+
| instances | 8 |
| cores | 20 |
| ram | 51200 |
| floating_ips | 10 |
| fixed_ips | -1 |
| metadata_items | 128 |
| injected_files | 5 |
| injected_file_content_bytes | 10240 |
| injected_file_path_bytes | 255 |
| key_pairs | 100 |
| security_groups | 10 |
| security_group_rules | 20 |
| server_groups | 10 |
| server_group_members | 10 |
+-----------------------------+-------+

As we can see the quota got updated when we used a valid tenant-id. Now lets check what happens if we use a tenant-id that doesn't exits.

4. Run the “nova quota-update” command again using an incorrect tenant-id

stack@stack:~/devstack$ nova quota-update --instances 8 123123123123

5. Check if the quota got updated for this tenant-id

stack@stack:~/devstack$ nova quota-show --tenant 123123123123

+-----------------------------+-------+
| Quota | Limit |
+-----------------------------+-------+
| instances | 8 |
| cores | 20 |
| ram | 51200 |
| floating_ips | 10 |
| fixed_ips | -1 |
| metadata_items | 128 |
| injected_files | 5 |
| injected_file_content_bytes | 10240 |
| injected_file_path_bytes | 255 |
| key_pairs | 100 |
| security_groups | 10 |
| security_group_rules | 20 |
| server_groups | 10 |
| server_group_members | 10 |
+-----------------------------+-------+

So the command updates the quota for a tenant that doesn't exists resulting in a bug for OpenStack.

Changed in python-novaclient:
assignee: nobody → Abhilash Goyal (abhilash-goyal)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-novaclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/288396

Changed in python-novaclient:
status: New → In Progress
Revision history for this message
Andrey Kurilin (andreykurilin) wrote :

imo, it is problem on nova-api side. there is no validation for tenant-id

Revision history for this message
Kristi Nikolla (knikolla) wrote :

Should this validation be implemented even though it would require a call to Keystone to check if such a project exists?

Revision history for this message
Matt Riedemann (mriedem) wrote :

This should be fixed as part of this blueprint:

https://blueprints.launchpad.net/nova/+spec/validate-project-with-keystone

There are several duplicate bugs for this (see the blueprint).

Changed in nova:
status: New → Invalid
importance: Undecided → Wishlist
Changed in nova:
assignee: nobody → Abhilash Goyal (abhilash-goyal)
assignee: Abhilash Goyal (abhilash-goyal) → nobody
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Related blueprints

Remote bug watches

Bug watches keep track of this bug in other bug trackers.