yahoo-eng-team team mailing list archive
Message #77990
[Bug 1824576] [NEW] Non-admin users should be able to filter instances by user_id
Public bug reported:
The nova API specifies that listing instances by user_id is an
admin-only function.
A non-admin user can view the details of an instance and find the owner,
so locking this down doesn't make much sense. In a project with many
users, it would be very useful for a user to, at a minimum, list his/her
own instances.
The following is run as a non-admin user. Note that user_id is shown in
the instance details.
$ openstack server list | grep centos-test
| 7c14482f-b343-4d0b-944f-b745e9f36451 | centos-test | BUILD | | centos7 | m1.medium |
$ openstack server show 7c14482f-b343-4d0b-944f-b745e9f36451
+-----------------------------+----------------------------------------------------------+
| Field                       | Value                                                    |
+-----------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                                   |
| OS-EXT-AZ:availability_zone | nova                                                     |
| OS-EXT-STS:power_state      | Running                                                  |
| OS-EXT-STS:task_state       | None                                                     |
| OS-EXT-STS:vm_state         | active                                                   |
| OS-SRV-USG:launched_at      | 2019-04-12T18:58:51.000000                               |
| OS-SRV-USG:terminated_at    | None                                                     |
| accessIPv4                  |                                                          |
| accessIPv6                  |                                                          |
| addresses                   | public1=172.17.16.153                                    |
| config_drive                |                                                          |
| created                     | 2019-04-12T18:58:35Z                                     |
| flavor                      | m1.medium (3)                                            |
| hostId                      | 0328a6e11b0beb43709e011a5fcaa8fccbf494bfa70d07245b5ca356 |
| id                          | 7c14482f-b343-4d0b-944f-b745e9f36451                     |
| image                       | centos7 (84ffbd43-9752-4105-a6a8-e260d000f90c)           |
| key_name                    | sjohnson                                                 |
| name                        | centos-test                                              |
| progress                    | 0                                                        |
| project_id                  | 6fda22d1af7442aab0b0dc0b7939dfba                         |
| properties                  |                                                          |
| security_groups             | name='default'                                           |
| status                      | ACTIVE                                                   |
| updated                     | 2019-04-12T18:58:51Z                                     |
| user_id                     | c6e2da4261e34aad95b077ccff7e9e2e                         |
| volumes_attached            |                                                          |
+-----------------------------+----------------------------------------------------------+
If there is a good use case for disabling the user filter, can we at
least create a policy item to unlock the functionality?
Steps to reproduce
==================
As a non-admin user, run:
$ openstack server list --user <userid or name>
Expected result
===============
Show instances for the specified user
Actual result
=============
All instances for the tenant are shown.
Environment
===========
Release: OpenStack Rocky
Hypervisor: Libvirt + KVM
** Affects: nova
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1824576
Title:
Non-admin users should be able to filter instances by user_id
Status in OpenStack Compute (nova):
New
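
An added illustration, not part of the original bug report and not nova's code: a small Python model of the behaviour reported above (a non-admin's user_id filter is ignored, so every instance in the project comes back) next to a policy-gated variant of the kind the reporter asks for. The rule name, its values and the sample servers are constructed for this example.

```python
from dataclasses import dataclass

ADMIN_ONLY_FILTERS = {"user_id"}  # per the bug report
RULE = "servers:index:filter_by_user_id"  # hypothetical rule name, not a nova policy
DEFAULT_POLICY = {RULE: "admin_or_self"}  # assumed values: admin, admin_or_self, project_member

@dataclass(frozen=True)
class Context:
    user_id: str
    project_id: str
    is_admin: bool = False

# Constructed sample data
SERVERS = [
    {"name": "centos-test", "project_id": "p1", "user_id": "alice"},
    {"name": "db-1", "project_id": "p1", "user_id": "bob"},
    {"name": "other", "project_id": "p2", "user_id": "carol"},
]

def _query(ctx, filters):
    # Non-admins are always scoped to their own project, whatever the filters say.
    rows = [s for s in SERVERS if ctx.is_admin or s["project_id"] == ctx.project_id]
    return [s["name"] for s in rows
            if all(s.get(k) == v for k, v in filters.items())]

def list_servers_drop(ctx, filters):
    """Reported behaviour: admin-only filters vanish without any error."""
    if not ctx.is_admin:
        filters = {k: v for k, v in filters.items()
                   if k not in ADMIN_ONLY_FILTERS}
    return _query(ctx, filters)

def list_servers_policy(ctx, filters, policy=DEFAULT_POLICY):
    """Policy-gated: honour the filter if the rule allows it, else refuse loudly."""
    wanted = filters.get("user_id")
    if wanted is not None and not ctx.is_admin:
        rule = policy.get(RULE, "admin")
        allowed = (rule == "project_member"
                   or (rule == "admin_or_self" and wanted == ctx.user_id))
        if not allowed:
            # An explicit refusal tells the caller the result was NOT filtered.
            raise PermissionError("user_id filter not permitted by policy")
    return _query(ctx, filters)

if __name__ == "__main__":
    alice = Context("alice", "p1")
    print(list_servers_drop(alice, {"user_id": "alice"}))
    print(list_servers_policy(alice, {"user_id": "alice"}))
```

The silent-drop path is the one to watch for in scripts: a caller who believes the list was filtered by owner may act on other users' instances, whereas the policy-gated path either applies the filter or fails visibly.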