
yahoo-eng-team team mailing list archive

[Bug 1212179] Re: [OSSA 2013-024] nova should check the is_public of flavor when creating an instance

 

** Changed in: nova/grizzly
       Status: Fix Committed => Fix Released

-- 
https://bugs.launchpad.net/bugs/1212179

Title:
  [OSSA 2013-024] nova should check the is_public of flavor when
  creating an instance

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) folsom series:
  Fix Committed
Status in OpenStack Compute (nova) grizzly series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  If a flavor is created with is_public "false", the flavor should be accessible only by an admin or a user who has been granted access.
  Currently, the "get flavor details" API checks the flavor's is_public, but the "create an instance" API does not.
  In the following case, a user (not an admin) cannot access a non-public flavor through the "get flavor details" API; this is the right behavior.
  However, he can access the non-public flavor through the "create an instance" API.

  === admin ==============================================================
  $ nova flavor-create --is-public false private-flavor 6 512 0 1
  +----+----------------+-----------+------+-----------+------+-------+-------------+-----------+
  | ID | Name           | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
  +----+----------------+-----------+------+-----------+------+-------+-------------+-----------+
  | 6  | private-flavor | 512       | 0    | 0         |      | 1     | 1.0         | False     |
  +----+----------------+-----------+------+-----------+------+-------+-------------+-----------+
  $
  $ curl -i http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/flavors/5 -X GET -H "X-Auth-Project-Id: demo" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: [..]"
  HTTP/1.1 200 OK
  Content-Type: application/json
  Content-Length: 428
  X-Compute-Request-Id: req-53ab8206-f458-441c-a0ca-d17e333f4247
  Date: Wed, 14 Aug 2013 09:38:10 GMT

  {"flavor": {"name": "m1.xlarge", "links": [{"href": "http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/flavors/5", "rel": "self"}, {"href": "http://192.168.0.30:8774/7a5c62d3cadb40d28e3c25acf7a05b05/flavors/5", "rel": "bookmark"}], "ram": 16384, "OS-FLV-DISABLED:disabled": false, "vcpus": 8, "swap": "", "os-flavor-access:is_public": true, "rxtx_factor": 1.0, "OS-FLV-EXT-DATA:ephemeral": 0, "disk": 160, "id": "5"}}
  $

  === user("demo" user on devstack) ==============================================================
  $ nova flavor-list
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
  | ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
  | 1  | m1.tiny   | 512       | 1    | 0         |      | 1     | 1.0         | True      |
  | 2  | m1.small  | 2048      | 20   | 0         |      | 1     | 1.0         | True      |
  | 3  | m1.medium | 4096      | 40   | 0         |      | 2     | 1.0         | True      |
  | 4  | m1.large  | 8192      | 80   | 0         |      | 4     | 1.0         | True      |
  | 42 | m1.nano   | 64        | 0    | 0         |      | 1     | 1.0         | True      |
  | 5  | m1.xlarge | 16384     | 160  | 0         |      | 8     | 1.0         | True      |
  | 84 | m1.micro  | 128       | 0    | 0         |      | 1     | 1.0         | True      |
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
  $
  $ curl -i http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/flavors/6 -X GET -H "X-Auth-Project-Id: demo" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: [..]"
  HTTP/1.1 404 Not Found
  Content-Length: 78
  Content-Type: application/json; charset=UTF-8
  X-Compute-Request-Id: req-a7ac7e99-6d29-4893-97a7-6705083739df
  Date: Wed, 14 Aug 2013 09:36:52 GMT

  {"itemNotFound": {"message": "The resource could not be found.", "code": 404}}
  $
  $ curl -i http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/servers -X POST -H "X-Auth-Project-Id: demo" -H "User-Agent: python-novaclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: [..]" -d '{"server": {"min_count": 1, "flavorRef": "6", "name": "test-not-public", "imageRef": "428f795d-01b0-44c8-a162-9ad86d1fea35", "max_count": 1}}'
  HTTP/1.1 202 Accepted
  Location: http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/servers/91407b32-7ed1-4108-9e62-192b3312ff20
  Content-Type: application/json
  Content-Length: 440
  X-Compute-Request-Id: req-7e561044-100a-4d70-8b83-cebd21dca8e2
  Date: Wed, 14 Aug 2013 09:41:50 GMT

  {"server": {"security_groups": [{"name": "default"}], "OS-DCF:diskConfig": "MANUAL", "id": "91407b32-7ed1-4108-9e62-192b3312ff20", "links": [{"href": "http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/servers/91407b32-7ed1-4108-9e62-192b3312ff20", "rel": "self"}, {"href": "http://192.168.0.30:8774/7a5c62d3cadb40d28e3c25acf7a05b05/servers/91407b32-7ed1-4108-9e62-192b3312ff20", "rel": "bookmark"}], "adminPass": "xvFhTwd3yAzE"}}
  $ nova list
  +--------------------------------------+-----------------+--------+------------+-------------+------------------+
  | ID                                   | Name            | Status | Task State | Power State | Networks         |
  +--------------------------------------+-----------------+--------+------------+-------------+------------------+
  | 91407b32-7ed1-4108-9e62-192b3312ff20 | test-not-public | ACTIVE | None       | Running     | private=10.0.0.3 |
  +--------------------------------------+-----------------+--------+------------+-------------+------------------+
  $

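
A minimal model of the inconsistency reported above, added here as an illustration and not taken from nova's code: one lookup helper enforces flavor visibility, and the create path is shown both without it (the reported behaviour) and with it. All names (`Context`, `Flavor`, `get_flavor_for`, `create_server_unchecked`) are hypothetical, and the flavor table is constructed from the report's output.

```python
from dataclasses import dataclass, field


class FlavorNotFound(Exception):
    """Used for missing and for inaccessible flavors alike (maps to a 404)."""


@dataclass(frozen=True)
class Context:  # hypothetical request context
    project_id: str
    is_admin: bool = False


@dataclass
class Flavor:
    name: str
    is_public: bool = True
    access_projects: set = field(default_factory=set)  # projects granted access


# Constructed sample data based on the flavors shown in the report.
FLAVORS = {"5": Flavor("m1.xlarge"), "6": Flavor("private-flavor", is_public=False)}


def get_flavor_for(ctx, flavor_id):
    """Resolve a flavor ID and enforce visibility in one place."""
    flavor = FLAVORS.get(flavor_id)
    visible = flavor is not None and (
        flavor.is_public or ctx.is_admin or ctx.project_id in flavor.access_projects
    )
    if not visible:
        raise FlavorNotFound(flavor_id)
    return flavor


def show_flavor(ctx, flavor_id):
    return get_flavor_for(ctx, flavor_id).name


def create_server_unchecked(ctx, name, flavor_ref):
    # Reported behaviour: flavorRef is resolved with no is_public check.
    return {"name": name, "flavor": FLAVORS[flavor_ref].name}


def create_server(ctx, name, flavor_ref):
    # Corrected: same lookup as show_flavor, so both paths agree.
    return {"name": name, "flavor": get_flavor_for(ctx, flavor_ref).name}
```

Routing every code path that accepts a flavor ID through the same helper keeps the "show" and "create" answers from diverging, and returning the same not-found error for hidden and missing flavors avoids confirming that a private flavor exists.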