OpenStack Compute (nova)

Per-userness of "nova list" is confused

Bug #916219 reported by David Kranz
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Low
Dan Prince
OpenStack Compute (nova) 2012.1 "essex"

Bug Description

Most of the "nova *-list" commands are with respect to a given user. "nova list" is so documented but instead shows the vms of multiple users. However, "nova show xx" only lets you see details of your own vms. If you provide xx as the id of another user's vm as shown by "nova list" then you get the following strange error, regardless of which xx you use:

No image with a name or ID of '2' exists.

This was while running nova packages built from a recent diablo-stable, using

python-novaclient 2.6.4~bzr112-0ubuntu1

The same thing happens with the most recent nova client from github.

Revision history for this message
David Kranz (david-kranz) wrote :

It seems that my diablo-stable was overwritten by a new oneiric nova update that still does not contain any of the diablo-stable fixes. After repairing that the strange error no longer occurs. But 'nova list' still shows all vms.

Revision history for this message
Brian Waldon (bcwaldon) wrote :

Are you operating as an admin?

Revision history for this message
David Kranz (david-kranz) wrote :

Yes, I was. I created a non-admin account and it behaved as expected. After updating to the latest novaclient code I also do not see the above mentioned error any more. It seems a little odd to me that this particular behavior would be different for an admin user. Is it documented somewhere what the different capabilities of an admin user are? I couldn't find any.

Revision history for this message
Brian Waldon (bcwaldon) wrote :

I can understand how it is a completely unexpected result. I don't think it is well documented anywhere, either. There are two paths forward here:

1) return instances that belong to the admin's project by default, and allow a filter to be passed to return *all* instances
2) provide a filter when making a 'nova list' command to ensure the results are filtered by the auth'd tenant

I'm leaning towards option 1

Changed in nova:
status: New → Triaged
importance: Undecided → Low
Dan Prince (dan-prince)
Changed in nova:
assignee: nobody → Dan Prince (dan-prince)
status: Triaged → In Progress
Revision history for this message
David Kranz (david-kranz) wrote :

It seems like anything that shows stuff for tenants other than the one making the request would be part of "nova-admin" if there were such a thing. I think I saw a blueprint for that but is there a plan to have a separate administrative interface other than nova-manage (which must be run on the controller)?

Revision history for this message
Brian Waldon (bcwaldon) wrote :

Right now we have an 'Admin API' that is a set of features available only to admins that sits directly on top of nova-api. So if you authenticate as a n admin, you will automatically have access to admin features at the nova-api endpoint.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-novaclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/3532

Brian Waldon (bcwaldon)
Changed in nova:
milestone: none → essex-4
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-novaclient (master)

Reviewed: https://review.openstack.org/3532
Committed: http://github.com/openstack/python-novaclient/commit/d2be395649f3737c14ca34e4aacdcd8c8d985bc6
Submitter: Jenkins
Branch: master

commit d2be395649f3737c14ca34e4aacdcd8c8d985bc6
Author: Dan Prince <email address hidden>
Date: Sat Jan 28 23:00:56 2012 -0500

    Add --all_tenants option to 'nova list'.

    Fixes LP Bug #916219.

    Change-Id: Ibebabc2eb8ca77466085ed17b7a9805ccfebe484

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: essex-4 → 2012.1
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.