private flavors globally visible

Bug #1649532 reported by Maurice Schreiber on 2016-12-13
This bug affects 2 people
Affects: OpenStack Compute (nova)
Importance: Undecided
Assigned to: Unassigned

Bug Description

I have project A with user Anna, who has a role representing nova admin assigned (needed to allow creation of private flavors).
I have project B with user Ben, who has a role representing nova admin assigned (needed to allow creation of private flavors).
Anna has no permission on project B.
Ben has no permission on project A.

Anna creates a private flavor 'A_private', gives flavor access to project A.

Expected behaviour: only Anna (or any other nova admin in project A) can perform actions on this flavor.

Issue: Ben can perform all sort of actions on the private flavor 'A_private' (read, delete, manage access, manage extra specs).

Observed in Mitaka, but I haven't seen any updates related to this, so this should be the same in master. Please correct me if I'm wrong.

description: updated
Changed in nova:
assignee: nobody → Maciej Szankin (mszankin)
Changed in nova:
status: New → Confirmed
Changed in nova:
status: Confirmed → In Progress
Changed in nova:
status: In Progress → Confirmed
assignee: Maciej Szankin (mszankin) → nobody
Matthew Edmonds (edmondsw) wrote :

This traces back to the famous bug 968696... a user with the admin role on ANY project is allowed to do many things requiring the admin role in other projects where they do not have the admin role. It's awful, but for now you'll just have to be very careful to whom you give the admin role.

I think we're finally making some progress on fixing it, but it will be a while yet. As in, Rocky at the earliest, and that is probably being overly optimistic.

Just to add: flavors aka instance types don't follow the owner concept, they don't have a project_id.

The policy to list private flavors is hardcoded to 'is_admin' here https://github.com/openstack/nova/blob/stable/queens/nova/api/openstack/compute/flavors.py#L91
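The following Python model is an added illustration for this report, not code from nova or from either commenter. It contrasts the two policy shapes the thread describes: a check that only tests the caller's admin role (the hardcoded 'is_admin' rule), and a project-scoped check that also consults the flavor's access list, since flavors carry no project_id of their own. The Context and Flavor classes, the project ids and the user names are constructed for the example; the scoped rule shown is one way to close the gap for this scenario, not nova's actual fix.

```python
"""Model of the flavor authorization gap described in this bug (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Context:
    """Constructed stand-in for a request context: caller, project, roles."""
    user: str
    project_id: str
    roles: frozenset = frozenset()

    @property
    def is_admin(self) -> bool:
        # Role membership only; nothing here says *which* project the role was granted on.
        return "admin" in self.roles


@dataclass
class Flavor:
    """Constructed flavor: no owning project, only an optional access list."""
    name: str
    is_public: bool = True
    access_projects: set = field(default_factory=set)


def can_manage_global(ctx: Context, flavor: Flavor) -> bool:
    """The hardcoded 'is_admin' shape: any admin, from any project, is allowed."""
    return ctx.is_admin


def can_manage_scoped(ctx: Context, flavor: Flavor) -> bool:
    """Project-scoped shape: admin role AND (public flavor OR caller's project on the access list)."""
    if not ctx.is_admin:
        return False
    if flavor.is_public:
        return True
    return ctx.project_id in flavor.access_projects


# Constructed actors matching the report: two admins on two unrelated projects.
ANNA = Context(user="anna", project_id="project-A", roles=frozenset({"admin"}))
BEN = Context(user="ben", project_id="project-B", roles=frozenset({"admin"}))

# Anna's private flavor, with access granted only to project A.
A_PRIVATE = Flavor(name="A_private", is_public=False, access_projects={"project-A"})


def decisions(check, flavor: Flavor) -> dict:
    """Evaluate one policy check for both actors against a flavor."""
    return {ctx.user: check(ctx, flavor) for ctx in (ANNA, BEN)}


if __name__ == "__main__":
    print("global is_admin :", decisions(can_manage_global, A_PRIVATE))
    print("project-scoped  :", decisions(can_manage_scoped, A_PRIVATE))
```

Under the global check both admins get True, which is the behaviour the reporter observed: Ben's admin role on project B is indistinguishable from Anna's on project A. The scoped check denies Ben because project B is not on the flavor's access list, which is the only project-related data a private flavor carries.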
