Allow non-admin to list all tenants based on policy

Bug #1467868 reported by OpenStack Infra
This bug affects 1 person
Affects: openstack-manuals
Status: Fix Released
Importance: Medium
Assigned to: Christian Berendt

Bug Description

https://review.openstack.org/191095
commit 55e63f83a7caec5a8d85b7532c501e1b846295ba
Author: Davanum Srinivas <email address hidden>
Date: Fri Jun 12 10:26:08 2015 -0400

    Allow non-admin to list all tenants based on policy

    Currently, running 'nova list --all-tenants' with a policy change:
    "compute:get_all_tenants": "role:special_role or is_admin:True"

    will not work as expected. The returned list of servers will not
    contain all instances of all tenants. We should support administrators
    who wish to enable this functionality in their policy.json.

    We need to fix this problem both in the v2 API and in the v2.1 as well.

    Deep in instance_get_all_by_filters_sort, there is a check which adds
    a filter of project_id or user_id if the context is NOT an admin context.
    So, the returned list will be a subset of all the instances in the
    database. To fix this scenario, the easy way is to call get_all with
    an elevated context to pass this check in instance_get_all_by_filters_sort.

    So in fixing the bug above, we need to fix the default policy so that
    all-tenants is available by default only to administrators.

    UpgradeImpact
    SecurityImpact
    DocImpact: --all-tenants will list all servers for non-admin
    APIImpact: --all-tenants will list all servers for non-admin

    Closes-Bug: #1464381
    Change-Id: I6fe512ff00a0fde1c75d49efe8bfa5f3d2d34df6

Tom Fifield (fifieldt) wrote :

policy.json sample needs to be updated

Changed in openstack-manuals:
status: New → Confirmed
milestone: none → liberty
importance: Undecided → Medium
tags: added: cli-reference
Changed in openstack-manuals:
assignee: nobody → jelly (coding1314)
Lana (loquacity)
Changed in openstack-manuals:
assignee: jelly (coding1314) → nobody
Changed in openstack-manuals:
assignee: nobody → Bernd Bausch (berndbausch)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/231670

Changed in openstack-manuals:
status: Confirmed → In Progress
Changed in openstack-manuals:
assignee: Bernd Bausch (berndbausch) → Christian Berendt (berendt)
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/231670
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=b5e3033d7d3c2919fcb41b32202444b516007d0c
Submitter: Jenkins
Branch: master

commit b5e3033d7d3c2919fcb41b32202444b516007d0c
Author: Bernd <email address hidden>
Date: Wed Oct 7 04:31:58 2015 +0900

    New nova policy.json sample

    Nova now allows non-admin users to list all instances. Nova's
    policy.json needs to be updated so that only admins can list
    other projects' instances by default.

    Change-Id: Ib4982b655ddfc34f76897720d3adf2609aad8a3f
    Closes-bug: #1467868

Changed in openstack-manuals:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
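
Both commit messages above come down to one operational check: after this change, whatever the "compute:get_all_tenants" rule allows is what a non-admin actually gets. The following is an added example, not code from nova or openstack-manuals, that reports which non-admin roles a policy.json grants cross-tenant listing to. The helper names and sample policies are hypothetical, and it assumes string-form rules using only `or`, `and`, `role:`, `is_admin:`, `rule:`, `@` and `!`; anything else is raised for manual review.

```python
import json
import re

RULE = "compute:get_all_tenants"   # rule name quoted in the commit message
ADMIN_RULE = "context_is_admin"    # nova rule that decides context.is_admin

def allows(expr, creds, rules, seen=()):
    """Evaluate a subset of the rule language: or/and, role:, is_admin:, rule:, '@', '!'."""
    expr = expr.strip()
    if expr in ("", "@"):          # an empty rule and '@' always pass
        return True
    if expr == "!":                # '!' never passes
        return False
    if " or " in expr:             # 'and' binds tighter, so split on 'or' first
        return any(allows(p, creds, rules, seen) for p in expr.split(" or "))
    if " and " in expr:
        return all(allows(p, creds, rules, seen) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value.lower() in creds["roles"]
    if kind == "is_admin":
        return str(creds["is_admin"]) == value
    if kind == "rule" and value in rules and value not in seen:
        return allows(rules[value], creds, rules, seen + (value,))
    raise ValueError("review by hand: %r" % expr)   # 'not', parentheses, etc.

def non_admin_grants(policy_text):
    """Return ['*'] if any user passes RULE, else the non-admin roles that pass it."""
    rules = json.loads(policy_text)
    expr = rules[RULE]             # KeyError: rule absent, set it explicitly
    if allows(expr, {"is_admin": False, "roles": []}, rules):
        return ["*"]
    text = " ".join(v for v in rules.values() if isinstance(v, str))
    grants = []
    for role in sorted(set(re.findall(r"role:([\w-]+)", text.lower()))):
        probe = {"is_admin": False, "roles": [role]}   # constructed context
        if allows(rules.get(ADMIN_RULE, "!"), probe, rules):
            continue               # this role already makes the user an admin
        if allows(expr, probe, rules):
            grants.append(role)
    return grants

# Constructed sample policies, not copied from any release.
DELEGATED = ('{"context_is_admin": "role:admin", '
             '"compute:get_all_tenants": "role:special_role or is_admin:True"}')
ADMIN_ONLY = ('{"context_is_admin": "role:admin", '
              '"compute:get_all_tenants": "is_admin:True"}')

if __name__ == "__main__":
    for name, policy in (("delegated", DELEGATED), ("admin-only", ADMIN_ONLY)):
        print(name, non_admin_grants(policy))
```

An empty list means only admin contexts pass the rule; any role name or `*` in the result is a deliberate delegation that should be confirmed after upgrading.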
