yahoo-eng-team team mailing list archive
Message #05876
[Bug 1212179] Re: [OSSA 2013-024] nova should check the is_public of flavor when creating an instance
** Changed in: nova/grizzly
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1212179
Title:
[OSSA 2013-024] nova should check the is_public of flavor when
creating an instance
Status in OpenStack Compute (Nova):
Fix Released
Status in OpenStack Compute (nova) folsom series:
Fix Committed
Status in OpenStack Compute (nova) grizzly series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
If creating a flavor with is_public "false", the flavor should be accessible only by an admin or a user who has been granted access.
Now the "get flavor details" API checks the is_public of the flavor, but the "create an instance" API does not.
In the following case, a user (not admin) cannot access a non-public flavor through the "get flavor details" API; this is the right behavior.
However, he can access the non-public flavor through the "create an instance" API.
=== admin ==============================================================
$ nova flavor-create --is-public false private-flavor 6 512 0 1
+----+----------------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+----------------+-----------+------+-----------+------+-------+-------------+-----------+
| 6 | private-flavor | 512 | 0 | 0 | | 1 | 1.0 | False |
+----+----------------+-----------+------+-----------+------+-------+-------------+-----------+
$
$ curl -i http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/flavors/5 -X GET -H "X-Auth-Project-Id: demo" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: [..]"
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 428
X-Compute-Request-Id: req-53ab8206-f458-441c-a0ca-d17e333f4247
Date: Wed, 14 Aug 2013 09:38:10 GMT
{"flavor": {"name": "m1.xlarge", "links": [{"href": "http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/flavors/5", "rel": "self"}, {"href": "http://192.168.0.30:8774/7a5c62d3cadb40d28e3c25acf7a05b05/flavors/5", "rel": "bookmark"}], "ram": 16384, "OS-FLV-DISABLED:disabled": false, "vcpus": 8, "swap": "", "os-flavor-access:is_public": true, "rxtx_factor": 1.0, "OS-FLV-EXT-DATA:ephemeral": 0, "disk": 160, "id": "5"}}
$
=== user("demo" user on devstack) ==============================================================
$ nova flavor-list
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| 1 | m1.tiny | 512 | 1 | 0 | | 1 | 1.0 | True |
| 2 | m1.small | 2048 | 20 | 0 | | 1 | 1.0 | True |
| 3 | m1.medium | 4096 | 40 | 0 | | 2 | 1.0 | True |
| 4 | m1.large | 8192 | 80 | 0 | | 4 | 1.0 | True |
| 42 | m1.nano | 64 | 0 | 0 | | 1 | 1.0 | True |
| 5 | m1.xlarge | 16384 | 160 | 0 | | 8 | 1.0 | True |
| 84 | m1.micro | 128 | 0 | 0 | | 1 | 1.0 | True |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
$
$ curl -i http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/flavors/6 -X GET -H "X-Auth-Project-Id: demo" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: [..]"
HTTP/1.1 404 Not Found
Content-Length: 78
Content-Type: application/json; charset=UTF-8
X-Compute-Request-Id: req-a7ac7e99-6d29-4893-97a7-6705083739df
Date: Wed, 14 Aug 2013 09:36:52 GMT
{"itemNotFound": {"message": "The resource could not be found.", "code": 404}}
$
$ curl -i http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/servers -X POST -H "X-Auth-Project-Id: demo" -H "User-Agent: python-novaclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: [..]" -d '{"server": {"min_count": 1, "flavorRef": "6", "name": "test-not-public", "imageRef": "428f795d-01b0-44c8-a162-9ad86d1fea35", "max_count": 1}}'
HTTP/1.1 202 Accepted
Location: http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/servers/91407b32-7ed1-4108-9e62-192b3312ff20
Content-Type: application/json
Content-Length: 440
X-Compute-Request-Id: req-7e561044-100a-4d70-8b83-cebd21dca8e2
Date: Wed, 14 Aug 2013 09:41:50 GMT
{"server": {"security_groups": [{"name": "default"}], "OS-DCF:diskConfig": "MANUAL", "id": "91407b32-7ed1-4108-9e62-192b3312ff20", "links": [{"href": "http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/servers/91407b32-7ed1-4108-9e62-192b3312ff20", "rel": "self"}, {"href": "http://192.168.0.30:8774/7a5c62d3cadb40d28e3c25acf7a05b05/servers/91407b32-7ed1-4108-9e62-192b3312ff20", "rel": "bookmark"}], "adminPass": "xvFhTwd3yAzE"}}
$ nova list
+--------------------------------------+-----------------+--------+------------+-------------+------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+-----------------+--------+------------+-------------+------------------+
| 91407b32-7ed1-4108-9e62-192b3312ff20 | test-not-public | ACTIVE | None | Running | private=10.0.0.3 |
+--------------------------------------+-----------------+--------+------------+-------------+------------------+
$
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1212179/+subscriptions
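
The inconsistency described in the bug report, as an added example that is not part of the original message and is not nova's code: a toy in-memory model in which the "show" and "create" paths share one flavor authorization check, next to the unchecked create path the report describes, plus an audit helper for instances already running on flavors their project is not entitled to. All class, function and field names here are hypothetical, and the flavor data is constructed to mirror the report.

```python
from dataclasses import dataclass, field

class FlavorNotFound(Exception):
    """Unknown flavor, or one the caller is not allowed to see."""

@dataclass
class Context:
    project_id: str
    is_admin: bool = False

@dataclass
class Flavor:
    name: str
    is_public: bool = True
    allowed_projects: set = field(default_factory=set)

# Constructed sample data mirroring the report: flavor 6 is non-public.
FLAVORS = {"1": Flavor("m1.tiny"), "6": Flavor("private-flavor", is_public=False)}

def can_use(ctx, flavor_id):
    """Policy from the report: public, admin, or explicitly granted project."""
    flavor = FLAVORS.get(flavor_id)
    return flavor is not None and (
        flavor.is_public or ctx.is_admin or ctx.project_id in flavor.allowed_projects)

def get_visible_flavor(ctx, flavor_id):
    """Single authorization point for every code path that takes a flavor id."""
    if not can_use(ctx, flavor_id):
        # Same error for "missing" and "not permitted": existence is not disclosed.
        raise FlavorNotFound(flavor_id)
    return FLAVORS[flavor_id]

def show_flavor(ctx, flavor_id):
    return get_visible_flavor(ctx, flavor_id).name

def create_server_unchecked(ctx, name, flavor_ref):
    """Behaviour the report describes: raw lookup, is_public never consulted."""
    _ = FLAVORS[flavor_ref]  # only proves the flavor exists
    return {"name": name, "flavor_id": flavor_ref, "project": ctx.project_id}

def create_server_checked(ctx, name, flavor_ref):
    """Create path routed through the same check as show_flavor."""
    get_visible_flavor(ctx, flavor_ref)
    return {"name": name, "flavor_id": flavor_ref, "project": ctx.project_id}

def servers_on_unentitled_flavors(servers):
    """Audit helper: servers whose owning project may not use their flavor."""
    return [s["name"] for s in servers
            if not can_use(Context(s["project"]), s["flavor_id"])]
```

Running the audit helper over an inventory of existing instances after deploying a fix shows which ones were created while the check was missing.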