Comment 9 for bug 904072

Jesse Andrews (anotherjesse) wrote:

ttx

1) You still need to be authenticated. The keystone middleware doesn't let the request hit the router if you fail to auth.

2) You can issue any OpenStack API request against any tenant.

Because most logic in the API uses the context (not the URL) to specify the resources you are interacting with (for example, list servers uses the tenant from the context):

        instance_list = self.compute_api.get_all(context,
                                                 search_opts=search_opts)

https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/servers.py#L145

So you can create a server in another project, but delete, list, show (and most other API calls) will not be able to modify it via the API. This is because the database layer is written defensively: it only lets you access data that your context says you have access to.

This is still bad in that it allows creation of resources outside of your project (for quota/billing avoidance) and there could be more tunnels.

3) Only affects you if you are using the OpenStack API with keystone (not the deprecated auth).

It shouldn't affect people who use the default (which is nova's internal legacy auth) or who use the EC2 API.
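The mismatch the comment describes, as an added toy model (this is illustrative code written for this page, not nova's code and not the project's eventual fix): a `create` handler that trusts the tenant from the URL path, a DB layer that filters every read by the token's tenant, and an assumed `ensure_tenant_matches` check that would have rejected the cross-tenant request. Names such as `RequestContext.project_id`, `url_tenant` and the in-memory `INSTANCES` table are assumptions made for the example.

```python
"""Toy model of URL-tenant vs. context-tenant scoping (illustrative, not nova code)."""
from dataclasses import dataclass
import itertools


@dataclass
class RequestContext:
    """Assumed shape: the tenant the keystone token was issued for."""
    user_id: str
    project_id: str


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


_ids = itertools.count(1)
INSTANCES = {}  # constructed in-memory table: instance id -> row dict


def db_instance_get_all(context):
    """Defensive DB layer: only rows owned by the context's tenant are visible."""
    return [row for row in INSTANCES.values() if row["project_id"] == context.project_id]


def db_instance_get(context, instance_id):
    row = INSTANCES.get(instance_id)
    if row is None or row["project_id"] != context.project_id:
        raise NotFound(instance_id)
    return row


def vulnerable_create(context, url_tenant, name):
    """Trusts the tenant_id path segment, so the row lands in another project."""
    iid = next(_ids)
    INSTANCES[iid] = {"id": iid, "project_id": url_tenant, "name": name}
    return iid


def list_servers(context, url_tenant):
    """Reads ignore url_tenant and use the context, as the comment describes."""
    return db_instance_get_all(context)


def delete_server(context, url_tenant, instance_id):
    row = db_instance_get(context, instance_id)  # raises NotFound across tenants
    del INSTANCES[row["id"]]


def ensure_tenant_matches(context, url_tenant):
    """Assumed mitigation: refuse requests whose URL tenant != token tenant."""
    if url_tenant != context.project_id:
        raise Forbidden(f"URL tenant {url_tenant!r} != token tenant {context.project_id!r}")


def hardened_create(context, url_tenant, name):
    ensure_tenant_matches(context, url_tenant)
    return vulnerable_create(context, url_tenant, name)


def demo():
    """Attacker holds a token for 'attacker' but puts 'victim' in the URL."""
    INSTANCES.clear()
    attacker = RequestContext(user_id="mallory", project_id="attacker")
    victim = RequestContext(user_id="alice", project_id="victim")

    iid = vulnerable_create(attacker, "victim", "rogue")
    results = {"created_project": INSTANCES[iid]["project_id"]}

    # The attacker cannot see or remove what they created: context scoping wins.
    results["attacker_sees"] = len(list_servers(attacker, "victim"))
    try:
        delete_server(attacker, "victim", iid)
        results["attacker_delete"] = "deleted"
    except NotFound:
        results["attacker_delete"] = "NotFound"

    # The victim tenant does see it, i.e. their quota/billing absorbed the resource.
    results["victim_sees"] = len(list_servers(victim, "victim"))

    try:
        hardened_create(attacker, "victim", "rogue2")
        results["hardened"] = "created"
    except Forbidden:
        results["hardened"] = "Forbidden"
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is the one the comment makes in prose: a per-tenant filter in the data layer limits what a cross-tenant caller can read or modify, but it does nothing to stop writes that name a foreign tenant in the URL, so the check has to happen where the URL tenant is compared against the token's tenant.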