OpenStack Compute (nova)

quota-show should return error for invalid tenant id

Bug #1031139 reported by Lloyd Dewolf
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Confirmed
Medium
Mh Raies

Bug Description

quota-show does not handle alternatives for tenant_id as expected

ENV: Devstack trunk (Folsom) / nova d56b5fc3ad6dbfc56e0729174925fb146cef87fa , Mon Jul 30 21:59:56 2012 +0000

I'd expect the following command to work as $ env | grep TENANT -> OS_TENANT_NAME=demo

$ nova --debug --os_username=admin --os_password=password quota-show
usage: nova quota-show <tenant_id>
error: too few arguments

I'd also expect the following to work:
$ nova --debug --os_username=admin --os_password=password quota-show --os_tenant_name=demo
usage: nova quota-show <tenant_id>
error: too few arguments

What is more awesome, if in the event that I do provide the wrong tenant_id, it proceeds to use OS_TENANT_NAME returning those results:

$nova --debug --os_username=admin --os_password=password quota-show gggggggggggggggggggggggggggggggggg

REQ: curl -i http://10.1.11.219:8774/v2/04adebe40d214581b84118bcce264f0e/os-quota-sets/ggggggggggggggggggggggggggggggggggg -X GET -H "X-Auth-Project-Id: demo" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: 10bd3f948df24039b2b88b98771b2b99"

+-----------------------------+-------+
| Property | Value |
+-----------------------------+-------+
| cores | 20 |
| floating_ips | 10 |
| gigabytes | 1000 |
| injected_file_content_bytes | 10240 |
| injected_files | 5 |
| instances | 10 |
| metadata_items | 128 |
| ram | 51200 |
| volumes | 10 |
+-----------------------------+-------+

I also couldn't figure out how to get the quota-show to work as a member (non-admin) of a project.

Let me know if you want any of these issues broken out in to additional bugs.

Tags: security ux
Revision history for this message
Thierry Carrez (ttx) wrote :

Actually a client bug

affects: nova → python-novaclient
Revision history for this message
melanie witt (melwitt) wrote :

Not reproducible on master.

Changed in python-novaclient:
status: New → Fix Committed
Revision history for this message
Scott Devoid (scott-devoid) wrote :

Cross-linking bugs: https://bugs.launchpad.net/nova/+bug/1118066 I can reproduce. It's an API bug because you can insert invalid data (neither project UUID nor project name) into the database.

Scott Devoid (scott-devoid)
Changed in python-novaclient:
status: Fix Committed → Incomplete
status: Incomplete → New
Revision history for this message
Scott Devoid (scott-devoid) wrote :

I am able to replicate the bug using the Havana version of the tools:
http://paste.openstack.org/show/61321/

Marking as New for that reason.

@melwitt Please do not mark bugs as "Fix Committed" unless you can supply the specific patch set that fixes the bug. Attempting to replicate in Devstack is not sufficient to guarantee that the bug has been fixed.

tags: added: security ux
Revision history for this message
melanie witt (melwitt) wrote :

@scott-devoid Thanks for updating this with the data you gathered. Apologies for marking it as Fix Committed.

I'm able to get the same behavior by following your steps, but there are two things I see so far:

1. The quota commands expect (in their help) tenant id only, not tenant name -- e.g. 'nova help quota-show'. If tenant id is omitted, the tenant name from the credentials gets translated to an id and used, which I think is causing confusion. All of the --tenant options are treated as ids, and tenant id and tenant name aren't intended to be interchangeable.

2. When a nonexistent tenant id is passed to quota-show, quota defaults are returned.

Revision history for this message
Scott Devoid (scott-devoid) wrote :

Right, I think this is bad behavior at both the API and the command line level. We probably can't change the behavior of the API but we should change the behavior of the client. My suggestion is to return an error message if the "tenant_id" argument does not correspond to a tenant_id in keystone.

Changed in python-novaclient:
status: New → Confirmed
melanie witt (melwitt)
summary: - quota-show does not handle alternatives for tenant_id as expected
+ quota-show should return error for invalid tenant id
Changed in python-novaclient:
importance: Undecided → Medium
Amandeep (rattenpal-amandeep)
Changed in python-novaclient:
assignee: nobody → Amandeep (rattenpal-amandeep)
Revision history for this message
Mh Raies (raiesmh08) wrote :

It is a problem/limitation of nova not of python-novaclient.

What nova do for this API -
nova takes the API request and if no project id is given, curent tenant quotas will be displayed.
Again if we are taking "--tenant <tenant id >" option then it will be ignored as per current implementation.

As per current implementation of nova -
It will treat filtering on basis of current tenant and different users in current tenant.

So changing it to nova.

And also it is a Duplicate of https://bugs.launchpad.net/nova/+bug/1118066

affects: python-novaclient → nova
Changed in nova:
assignee: Amandeep (rattenpal-amandeep) → Mh Raies (raiesmh08)
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Related blueprints

Remote bug watches

Bug watches keep track of this bug in other bug trackers.