OpenStack Compute (Nova)

admin GET on /servers should NOT return servers for all tenants

Reported by Dan Prince on 2012-01-29
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Low
Dan Prince

Bug Description

By default, if you are an admin user and you perform a GET on /servers it will return a list of servers for all tenants (projects) in the system regardless of the tenant_id used in the URL.

This is problematic and can lead to confusion if a tenant alternate tenant ID is specified in the URL. This could be easily accomplished with bindings, novaclient, etc.

To reproduce do something like this...

1) Setup an installation with multiple users. One should be an adminstrator. The other can be a regular user.

2) Create servers in both accounts.

3) Configure novarc so that it uses the admin credentials /w the tenant ID of the normal user.

4) Do another 'nova list' and notice that servers for all tenants are still returned.

---

I'd like to see us add an 'all_tenants' filter option to the API so that we can maintain the existing behavior for OPS team members. This provides them the ability to search and query servers from multiple tenants from a single account.

However if the 'all_tenants' option isn't used we should restrain the API to the tenant_id that was specified in the URL.

Dan Prince (dan-prince) on 2012-01-29
Changed in nova:
importance: Undecided → Low
status: New → In Progress
assignee: nobody → Dan Prince (dan-prince)
Dan Prince (dan-prince) wrote :

See this related ticket for an associated novaclient change...

https://bugs.launchpad.net/nova/+bug/916219

Reviewed: https://review.openstack.org/3531
Committed: http://github.com/openstack/nova/commit/6e35b5785d12513dc0076145f4de5e1f98034250
Submitter: Jenkins
Branch: master

commit 6e35b5785d12513dc0076145f4de5e1f98034250
Author: Dan Prince <email address hidden>
Date: Sat Jan 28 22:52:29 2012 -0500

    Add 'all_tenants' filter to GET /servers.

    Update the OpenStack API's GET /servers method so that it only returns
    servers from a single tenant when an admin account is used.

    Adds an 'all_tenants' filter option that can be used to obtain servers
    from all tenants (legacy behavior).

    Fixes LP Bug # 923218.

    Change-Id: I2fd3bd3e2c374ff1aed9c11006585c3f93449c6e

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-02-29
Changed in nova:
milestone: none → essex-4
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-4 → 2012.1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers