private flavors globally visible
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Confirmed | Undecided | Unassigned |
Bug Description
I have project A with user Anna, who has a role representing nova admin assigned (needed to allow creation of private flavors).
I have project B with user Ben, who has a role representing nova admin assigned (needed to allow creation of private flavors).
Anna has no permission on project B.
Ben has no permission on project A.
Anna creates a private flavor 'A_private', gives flavor access to project A.
Expected behaviour: only Anna (or any other nova admin in project A) can perform actions on this flavor.
Issue: Ben can perform all sorts of actions on the private flavor 'A_private' (read, delete, manage access, manage extra specs).
Observed in Mitaka, but I haven't seen any updates related to this, so this should be the same in master. Please correct me if I'm wrong.
description: updated
Changed in nova:
    assignee: nobody → Maciej Szankin (mszankin)
Changed in nova:
    status: New → Confirmed
Changed in nova:
    status: Confirmed → In Progress
Changed in nova:
    status: In Progress → Confirmed
    assignee: Maciej Szankin (mszankin) → nobody
This traces back to the famous bug 968696... a user with the admin role on ANY project is allowed to do many things requiring the admin role in other projects where they do not have the admin role. It's awful, but for now you'll just have to be very careful to whom you give the admin role.
I think we're finally making some progress on fixing it, but it will be a while yet. As in, Rocky at the earliest, and that is probably being overly optimistic.
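The root cause described in the comment above, as an added illustration that is not part of the bug report or of nova's code: a minimal, constructed evaluator for oslo.policy-style rules shows why a check of only `role:admin` lets Ben (admin in project B) act on project A's private flavor, while a rule that also binds the caller's project to the flavor's owning project does not. The rule syntax mirrors oslo.policy, but the evaluator, the actors and the flavor's `project_id` attribute are assumptions made for the example.

```python
# Constructed stand-in for oslo.policy rule evaluation; it supports only the
# "role:X", "project_id:%(project_id)s" and "and" forms needed here.

def check_rule(rule: str, creds: dict, target: dict) -> bool:
    """Evaluate 'kind:match and kind:match ...' against a request context.

    creds  - the caller's token context: roles and project_id
    target - attributes of the object being acted on (here the flavor)
    """
    for clause in rule.split(" and "):
        kind, _, match = clause.partition(":")
        match = match % target          # expand %(project_id)s from the target
        if kind == "role":
            if match not in creds["roles"]:
                return False
        elif kind == "project_id":
            if creds["project_id"] != match:
                return False
        else:
            raise ValueError(f"unknown clause kind: {kind}")
    return True

# Constructed actors from the report: two nova admins in different projects.
ANNA = {"roles": ["admin"], "project_id": "project-A"}
BEN = {"roles": ["admin"], "project_id": "project-B"}

# Constructed private flavor, modelled as owned by project A ('A_private').
A_PRIVATE = {"name": "A_private", "is_public": False, "project_id": "project-A"}

# The behaviour the bug describes: the admin role alone is sufficient,
# regardless of which project the caller holds it in.
GLOBAL_ADMIN_RULE = "role:admin"

# A project-scoped variant: admin role AND the caller's project must match the
# flavor's owning project. This is the shape of a fix, not nova's shipped policy.
SCOPED_ADMIN_RULE = "role:admin and project_id:%(project_id)s"

def can_manage_flavor(rule: str, creds: dict, flavor: dict) -> bool:
    """Return True if creds may manage flavor under the given policy rule."""
    return check_rule(rule, creds, flavor)

if __name__ == "__main__":
    for rule in (GLOBAL_ADMIN_RULE, SCOPED_ADMIN_RULE):
        print(f"{rule!r}: Anna={can_manage_flavor(rule, ANNA, A_PRIVATE)} "
              f"Ben={can_manage_flavor(rule, BEN, A_PRIVATE)}")
```

Under the global rule both admins pass; under the scoped rule only Anna does, which is the expected behaviour the report asks for.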