No way to allow non admins the ability to filter on attributes such as host

Bug #1737050 reported by Sam Morrison
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Wishlist
Assigned to: Sam Morrison

Bug Description

We have a special read_only role in keystone and have given that role the ability to list all instances via the policy rule: index:get_all_tenants.

It can't, however, list all instances on a specific host, for instance. I'm not sure if a new policy rule should be added or it should be covered in the existing rule "index:get_all_tenants"?

The offending code is in nova/api/openstack/compute/servers.py in the remove_invalid_options method.

Tags: api policy
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/526558

Changed in nova:
assignee: nobody → Sam Morrison (sorrison)
status: New → In Progress
Matt Riedemann (mriedem)
tags: added: api policy
Changed in nova:
assignee: Sam Morrison (sorrison) → Zhenyu Zheng (zhengzhenyu)
Changed in nova:
assignee: Zhenyu Zheng (zhengzhenyu) → Sam Morrison (sorrison)
Matt Riedemann (mriedem)
Changed in nova:
importance: Undecided → Wishlist
Changed in nova:
assignee: Sam Morrison (sorrison) → Matt Riedemann (mriedem)
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/526558
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=7c56588647be64a2248b1f37d40369765bc6b977
Submitter: Zuul
Branch: master

commit 7c56588647be64a2248b1f37d40369765bc6b977
Author: Sam Morrison <email address hidden>
Date: Fri Dec 8 10:15:53 2017 +1100

    Allow ability for non admin users to use all filters on server list.

    Adds a new policy rule "os_compute_api:servers:allow_all_filters"
    to control whether a user can use all filters when listing servers.

    Closes-bug: #1737050

    Change-Id: Ia5504da9a00bad689766aeda20255e10b7629f63

Changed in nova:
status: In Progress → Fix Released
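
The behaviour this bug describes and the effect of the new rule, as an added example that is a simplified model and not nova's own code. The function names, the role-list policy format, the BASIC_FILTERS set and the sample request are assumptions; only the two rule names come from this page.

```python
# Simplified model (not nova's code) of policy-gated filter stripping on server list.
ALLOW_ALL_FILTERS = "os_compute_api:servers:allow_all_filters"  # from the commit message
GET_ALL_TENANTS = "index:get_all_tenants"                       # as written in the report

# Constructed: filters every caller may use in this model (assumption).
BASIC_FILTERS = {"name", "status", "all_tenants"}


def is_authorized(policy, rule, roles):
    """True if any caller role is listed for the rule; unknown rules deny."""
    return bool(set(policy.get(rule, ())) & set(roles))


def effective_filters(policy, roles, requested):
    """Return (kept, dropped): the filters that reach the query and those stripped."""
    if is_authorized(policy, ALLOW_ALL_FILTERS, roles):
        return dict(requested), []
    kept = {k: v for k, v in requested.items() if k in BASIC_FILTERS}
    dropped = sorted(set(requested) - set(kept))
    return kept, dropped


# Constructed policies. In the first, read_only may list all tenants but
# only admin may use every filter; in the second, read_only is also
# granted the new rule.
POLICY_ADMIN_ONLY = {
    GET_ALL_TENANTS: ["admin", "read_only"],
    ALLOW_ALL_FILTERS: ["admin"],
}
POLICY_READ_ONLY_GRANTED = {
    **POLICY_ADMIN_ONLY,
    ALLOW_ALL_FILTERS: ["admin", "read_only"],
}

# Constructed query: all instances on one host, across tenants.
REQUEST = {"all_tenants": "1", "host": "compute-01"}

if __name__ == "__main__":
    for label, policy in (("admin only", POLICY_ADMIN_ONLY),
                          ("read_only granted", POLICY_READ_ONLY_GRANTED)):
        kept, dropped = effective_filters(policy, ["read_only"], REQUEST)
        # In this model a dropped "host" filter widens the result to every
        # instance instead of raising an error.
        print(f"{label}: kept={kept} dropped={dropped}")
```
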
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/604995

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/633910

Matt Riedemann (mriedem)
Changed in nova:
assignee: Matt Riedemann (mriedem) → Sam Morrison (sorrison)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (stable/rocky)

Change abandoned by melanie witt (<email address hidden>) on branch: stable/rocky
Review: https://review.openstack.org/633910
Reason: This is a feature and I had missed the bug was "Wishlist" when I first proposed it.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 19.0.0.0rc1

This issue was fixed in the openstack/nova 19.0.0.0rc1 release candidate.

Matt Riedemann (mriedem)
no longer affects: nova/rocky
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Balazs Gibizer (<email address hidden>) on branch: master
Review: https://review.opendev.org/604995
Reason: This patch is old and with negative test results. I'm abandoning it now but feel free to restore it by fixing the failing unit test.
