API: flavors - Cannot list all public and private flavors by default
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | OpenStack Compute (nova) |
Undecided
|
Matt Riedemann | ||
Bug Description
The API doesn't return all public and private flavors by default.
Effectively only public flavors are listed even though the default policy rule authorize it.
Here I'm using 'admin' user/project along with no explicit policy therefore relying on the default 'built-in' policy which I believe translate to "compute_
$ openstack flavor list --all
+------
| ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public |
+------
| 1 | flavor-tiny | 64 | 0 | 0 | 1 | True |
| a1fec2c4-
+------
# The default flavors list returns only the public ones:
$ curl -s -H "X-Auth-Token: $OS_TOKEN" -H "Content-Type: application/json" http://
{
"flavors": [
{
"id": "1",
{
},
{
}
],
"name": "flavor-tiny"
}
]
}
$ curl -s -H "X-Auth-Token: $OS_TOKEN" -H "Content-Type: application/json" http://
{
"flavors": [
{
"id": "a1fec2c4-
{
},
{
}
],
"name": "test1"
}
]
}
| Deepak Mourya (mourya007) wrote : | #1 |
| Gilles Dubreuil (gdubreui) wrote : | #2 |
@mourya007,
Yes OpenStack Client has such option but not nova API.
| Matt Riedemann (mriedem) wrote : | #3 |
I'm confused by this:
> Yes OpenStack Client has such option but not nova API.
openstack client is using python-novaclient which is just passing is_public=None:
And novaclient just omits the is_public param to GET /flavors. This is the API code:
So it looks like that accepts 'none' as a string and our schema allows that also:
But the API reference is out of date:
https:/
| Matt Riedemann (mriedem) wrote : | #4 |
> And novaclient just omits the is_public param to GET /flavors. This is the API code:
That's wrong, novaclient passes is_public=None specifically as a query parameter which is processed in the API as 'show all flavors' if it's an admin context.
Are you sure you're using an admin context when doing your curl request?
| Matt Riedemann (mriedem) wrote : | #5 |
Is your bug really about saying that admins shouldn't have to pass is_public=None *by default* and is_public=None should just be the default behavior for admins if the is_public query parameter isn't provided? If so, that's not a bug, and would require a microversion since it's a behavior change to the API.
| Changed in nova: | |
| status: | New → Opinion |
| importance: | Undecided → Wishlist |
| Matt Riedemann (mriedem) wrote : | #6 |
Marked as incomplete since I'm not sure what you're saying is the bug. Please clarify. I'll fix the API reference docs in the meantime.
| Changed in nova: | |
| status: | Opinion → Incomplete |
| importance: | Wishlist → Undecided |
Fix proposed to branch: master
Review: https:/
| Changed in nova: | |
| assignee: | nobody → Matt Riedemann (mriedem) |
| status: | Incomplete → In Progress |
| sean mooney (sean-k-mooney) wrote : | #8 |
based on http://
is there any error in the the nova-api log?
| sean mooney (sean-k-mooney) wrote : | #9 |
just as extra context this is the output of the openstack client as an admin
stack@cloud-3 devstack]$ openstack flavor list
+----+-
| ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+-
| 1 | m1.tiny | 512 | 1 | 0 | 1 | True |
| 2 | m1.small | 2048 | 20 | 0 | 1 | True |
| 3 | m1.medium | 4096 | 40 | 0 | 2 | True |
| 4 | m1.large | 8192 | 80 | 0 | 4 | True |
| 42 | m1.nano | 64 | 0 | 0 | 1 | True |
| 5 | m1.xlarge | 16384 | 160 | 0 | 8 | True |
| 84 | m1.micro | 128 | 0 | 0 | 1 | True |
| c1 | cirros256 | 256 | 0 | 0 | 1 | True |
| d1 | ds512M | 512 | 5 | 0 | 1 | True |
| d2 | ds1G | 1024 | 10 | 0 | 1 | True |
| d3 | ds2G | 2048 | 10 | 0 | 2 | True |
| d4 | ds4G | 4096 | 20 | 0 | 4 | True |
+----+-
[stack@cloud-3 devstack]$ openstack flavor list --all
+------
| ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public |
+------
| 1 | m1.tiny | 512 | 1 | 0 | 1 | True |
| 2 | m1.small | 2048 | 20 | 0 | 1 | True |
| 2b7b0d2d-
| 3 | m1.medium | 4096 | 40 | 0 | 2 | True |
| 4 | m1.large | 8192 | 80 | 0 | 4 | True |
| 42 | m1.nano | 64 | 0 | 0 | 1 | True |
| 5 | m1.xlarge | 16384 | 160 | 0 | 8 | True |
| 84 | m1.micro | 128 | 0 | 0 | 1 | True |
| c1 | cirros256 | 256 | 0 | 0 | 1 | True |
| d1 | ds512M | 512 | 5 | 0 | 1 | True |
| d2 | ds1G | 1024 | 10 | 0 | 1 | True |
| d3 | ds2G | 2048 | 10 | 0 | 2 | True |
| d4 | ds4G | 4096 | 20 | 0 | 4 | True |
+------
| Changed in nova: | |
| status: | In Progress → Incomplete |
| Gilles Dubreuil (gdubreui) wrote : | #10 |
Sorry if the description was confusing.
First off, thank you for all the pointers.
To clarify, I confirm this is about nova API (as mentioned in title).
The API document effectively doesn't provide any information about the option "None" that can be passed to the parameter "is_public".
This was mentioned in https:/
The later solves part of the issue as "all" flavors (public and private) can be returned to Nova API client when using "None".
Meanwhile there are 2 other issues at stake here.
1. I believe that "all" the flavors should be returned by default (attended the user has the right privileges which is admin only by default but could be another tenant if the policy is changed or if flavors access has been granted provided to another tenant).
2. The actual code is not consistent.
In following pasted example http://
the behaviour is different between the 'admin' user and the 'demo' user where the 'demo' project has been granted access to a private flavor. By default 'admin' doesn't get returned the private flavor where 'demo' does get it.
Also please note "/flavors/detail" resource faces the same issue.
I've not tested using a difference policy.
| Changed in nova: | |
| status: | Incomplete → In Progress |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit eff376b9fc7a6c9
Author: Matt Riedemann <email address hidden>
Date: Wed Aug 1 18:15:07 2018 -0400
api-ref: fix GET /flavors?is_public description
A couple of things are fixed here:
1. The type in the schema for the is_public query param
is string, not boolean.
2. Since it's a string, the normal 1/yes/0/no types of
"booleans" are allowed so document that along with
the default.
3. Also mention that is_public='None' must be passed for
an admin user to list both public and private flavors
in a single request.
Change-Id: Idcb700b69f1321
Partial-Bug: #1784782
| Gilles Dubreuil (gdubreui) wrote : | #12 |
Unfortunately the patch is not providing the right information because private flavors can be accessed by non-admin users when:
1 - Granted access via "flavor access" - see [1]
2 - Policy is changed: "compute_
The current behavior is not taking the above in consideration.
BTW, it would be easier for users to get all flavors systematically, public and private (with not accessible private ones filtered out).
[1] https:/
Hi, I can get the flavor list with --all
openstack flavor list --all
+-----+
| ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public |
+-----+
| 1 | m1.tiny | 512 | 1 | 0 | 1 | True |
| 100 | manila-
| 2 | m1.small | 2048 | 20 | 0 | 1 | True |
| 3 | m1.medium | 4096 | 40 | 0 | 2 | True |
| 4 | m1.large | 8192 | 80 | 0 | 4 | True |
| 42 | m1.nano | 64 | 0 | 0 | 1 | True |
| 5 | m1.xlarge | 16384 | 160 | 0 | 8 | True |
| 84 | m1.micro | 128 | 0 | 0 | 1 | True |
| c1 | cirros256 | 256 | 0 | 0 | 1 | True |
| d1 | ds512M | 512 | 5 | 0 | 1 | True |
| d2 | ds1G | 1024 | 10 | 0 | 1 | True |
| d3 | ds2G | 2048 | 10 | 0 | 2 | True |
| d4 | ds4G | 4096 | 20 | 0 | 4 | True |