yahoo-eng-team team mailing list archive

[OpenStack Infra <1544989@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.openstack.org/435432
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=1f120b5649ba03aa5b2490a82c08b77c580f12d7
Submitter: Jenkins
Branch:    master

commit 1f120b5649ba03aa5b2490a82c08b77c580f12d7
Author: Sean Dague <sean@xxxxxxxxx>
Date:   Fri Feb 17 07:55:43 2017 -0500

    Verify project id for flavor access calls
    
    This includes project id verification for flavor access calls.
    
    Closes-Bug: #1544989
    
    Implements bp:validate-project-with-keystone
    
    Change-Id: I2620c3ebc2a6dc131946602f8aa36ec0b6e782e0


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1544989

Title:
  Nova doesn't validate user/project is valid from keystone during admin
  operations

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  For any API call to Nova which takes a tenant_id / user_id as a
  parameter, and inserts it into the Nova database, no validation is
  done of these values.

  This is currently by design, largely because there is no clear way to
  check the existence of those users/projects. Nova has no generic
  credentials to do that to Keystone. It's unclear if there is a way to
  do this from a non admin user.

  Many other bugs are related to this fundamental issue for which there
  is no infrastructure. This includes updating quotas, adding access to
  flavors, etc. This will be a placeholder for all those bugs until
  there is some way to actually address this at the root.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1544989/+subscriptions