yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1118066] Re: Possible to get and update quotas for nonexistant tenant

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Joe Gordon <1118066@xxxxxxxxxxxxxxxxxx>
Date: Wed, 22 Jan 2014 01:08:20 -0000
Reply-to: Bug 1118066 <1118066@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

So this is a known issue, nova doesn't do any tenant validation for
quotas.   Right now the assumption is that only global admins (think
cloud operator) should have access to the last three methods in:

http://docs.openstack.org/api/openstack-compute/2/content/os-quota-
sets.html

GET	v2{/tenant_id}/os-quota-sets{/tenant_id}{/user_id}	
Enables an admin user to show quotas for a specified tenant and user.

POST	v2{/tenant_id}/os-quota-sets{/tenant_id}{/user_id}	
Updates quotas for a specified tenant/project and user.

GET	v2{/tenant_id}/os-quota-sets{/tenant_id}/detail{/user_id}	
Shows details for quotas for a specified tenant and user.

And as an admin (trusted user), we expect them to not break things.

This is part of a bigger issue, which is nova doesn't have great RBAC
support. Say you want to create a tenant admin who can set quotas per
user.

** Changed in: nova
       Status: Confirmed => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1118066

Title:
  Possible to get and update quotas for nonexistant tenant

Status in OpenStack Compute (Nova):
  Opinion

Bug description:
  GET /v2/:tenant/os-quota-sets/:this_tenant_does_not_exist
  returns 200 with the default quotas.

  Moreover
  POST /v2/:tenant/os-quota-sets/:this_tenant_does_not_exist
  with updated quotas succeeds and that metadata is saved!

  I'm not sure if this is a bug or not. I cannot find any documentation
  on this interface.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1118066/+subscriptions