nova quota policy with details seems broken

Bug #1618513 reported by Eric Peterson
This bug affects 2 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Low
Assigned to: Andrey Volkov

Bug Description

The default policy for this call:

novaclient(request).quotas.get(tenant_id, detail=True)

fails unless I am an admin type user. This doesn't seem to make sense, as a _member_ type user, I can still find all the details just the same. This just makes users do many more calls and calculations to work around this.

The default policy file should be that if you are the member of the project, you can see the details if you want.

David Medberry (med) wrote :

so if tenant_id is my id and in my token it should work (but the bug is that that does not work)?

Eric Peterson (ericpeterson-l) wrote :

Correct Med - this is all with a properly scoped / set up token with a _member_ like user, who otherwise has access to get all the details as well.

Eric Peterson (ericpeterson-l) wrote :

But this fails - this is the bug.

Augustina Ragwitz (auggy) wrote :

I feel like this is bordering on a feature request and should be associated with a blueprint rather than a bug. The documentation specifically states that the expectation is an admin user: http://docs.openstack.org/admin-guide/cli-set-compute-quotas.html

Neutron client supports a "quota-show" command which can be run by a non-admin user with no tenant id. So this is a reasonable request, I am just not sure that it should be a bug.

https://wiki.openstack.org/wiki/Blueprints

Changed in nova:
status: New → Invalid
stgleb (gstepanov)
Changed in nova:
assignee: nobody → stgleb (gstepanov)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/386008

Changed in nova:
assignee: stgleb (gstepanov) → Andrey Volkov (avolkov)
status: Invalid → In Progress
melanie witt (melwitt) wrote :

From what I can tell, the bug is that the used limits API is exposed to non-admin users. The policy is using RULE_ADMIN_API [1] but I think maybe it doesn't work because the path for both "limits" and "used limits" is "/limits".

But maybe this has been exposed so long that quota-sets should be changed to have parity.

[1] https://github.com/openstack/nova/blob/48268c7/nova/policies/used_limits.py#L27

melanie witt (melwitt) wrote :

Update: Andrey pointed out that the policy of RULE_ADMIN_API is only enforced if the 'tenant_id' GET parameter is present [1] which would only be the case when the user is asking for usage for a *different* project than its own. Otherwise, it's allowed to get usage for its own project. So indeed it doesn't look like a bug on the used limits side.

It was probably similar confusion that made the quota-sets side admin-only.

[1] https://github.com/openstack/nova/blob/48268c7/nova/api/openstack/compute/used_limits.py#L71

Changed in nova:
importance: Undecided → Low
Changed in nova:
assignee: Andrey Volkov (avolkov) → melanie witt (melwitt)
melanie witt (melwitt)
Changed in nova:
assignee: melanie witt (melwitt) → Andrey Volkov (avolkov)
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/386008
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=dcc2934921c5b2770878eee5afd088a1a8dbf645
Submitter: Jenkins
Branch: master

commit dcc2934921c5b2770878eee5afd088a1a8dbf645
Author: Andrey Volkov <email address hidden>
Date: Thu Oct 13 17:19:28 2016 +0300

    Change default policy to view quota details

    Default policy for quota details was an admin only privilege
    but it was able to get used and reserved resource data via
    nova limits call even for non admin owners.

    Horizon worked around the issue by using the limits API instead of the
    os-quota-sets API. And this removes the need to work around it and just
    use the single os-quota-sets API.

    This patch sets the quotas detail default policy to RULE_ADMIN_OR_OWNER.

    Change-Id: I65b9de24a1310079a67e033606eaf2dde796cd48
    Closes-Bug: #1618513

Changed in nova:
status: In Progress → Fix Released
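
The policy behaviour discussed in this thread, as an added example (not nova's code and not part of the bug report): a simplified evaluator, not oslo.policy, comparing the admin_api and admin_or_owner defaults for quota details, plus the used-limits behaviour melanie witt describes. The check strings are modelled on nova's base rules; the function names, credentials and project ids are constructed assumptions.

```python
# Simplified model of the policy checks discussed in this report. Not oslo.policy:
# only "key:value" checks joined by "or" are handled.
RULES = {
    "admin_api": "is_admin:True",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
}

def check(rule_name, creds, target):
    """True if any 'or' branch of the rule matches the caller's credentials."""
    for clause in RULES[rule_name].split(" or "):
        key, _, expected = clause.partition(":")
        expected = expected % target  # fill %(project_id)s from the target
        if str(creds.get(key)) == expected:
            return True
    return False

def quota_detail_allowed(rule_name, creds, requested_project):
    """Quota details: the rule is always enforced against the requested project."""
    return check(rule_name, creds, {"project_id": requested_project})

def used_limits_allowed(creds, tenant_id_param=None):
    """Used limits as described in the thread: admin_api is enforced only when the
    tenant_id GET parameter is present; otherwise the caller's own project is used."""
    if tenant_id_param is None:
        return True
    return check("admin_api", creds, {"project_id": tenant_id_param})

# Constructed credentials and project ids (assumptions for illustration).
MEMBER = {"is_admin": False, "project_id": "proj-a"}
ADMIN = {"is_admin": True, "project_id": "proj-admin"}

def decision_table():
    """(rule, caller, requested project, allowed) for every combination."""
    rows = []
    for rule in RULES:
        for name, creds in (("member", MEMBER), ("admin", ADMIN)):
            for project in ("proj-a", "proj-b"):
                rows.append((rule, name, project,
                             quota_detail_allowed(rule, creds, project)))
    return rows

if __name__ == "__main__":
    for row in decision_table():
        print("%-15s %-7s %-7s allowed=%s" % row)
    print("used limits, member, own project:", used_limits_allowed(MEMBER))
    print("used limits, member, tenant_id=proj-b:", used_limits_allowed(MEMBER, "proj-b"))
```

The row to check after relaxing a default like this is the member asking for another project's details: it must stay denied under admin_or_owner.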
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 16.0.0.0b3

This issue was fixed in the openstack/nova 16.0.0.0b3 development milestone.
