yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #78327
[Bug 1828042] [NEW] Compute API in nova - all_tenants listed in non-admin query params set
Public bug reported:
- [x] This doc is inaccurate in this way:
https://developer.openstack.org/api-ref/compute/?expanded=list-servers-
detail#list-servers
The GET /servers and GET /servers/detail entries say:
"""
- For non-admin users, whitelist is different from admin users whitelist.
Valid whitelist for non-admin users includes
- ``all_tenants``
"""
However, all_tenants is admin-only by default policy:
https://docs.openstack.org/nova/latest/configuration/policy.html
os_compute_api:servers:index:get_all_tenants
Default
rule:admin_api
Operations
GET /servers
List all servers for all projects
os_compute_api:servers:detail:get_all_tenants
Default
rule:admin_api
Operations
GET /servers/detail
The confusion is probably due to this code:
https://github.com/openstack/nova/blob/ec51f9311cf5de740bd624065684a0bda93c6f2c/nova/api/openstack/compute/servers.py#L1216
That allows the all_tenants parameter for non-admins at first, but then
it's removed from the list later and checked against policy:
https://github.com/openstack/nova/blob/ec51f9311cf5de740bd624065684a0bda93c6f2c/nova/api/openstack/compute/servers.py#L277
Note that it's also not listed in the API guide for non-admins:
https://developer.openstack.org/api-guide/compute/server_concepts.html
#server-query
-----------------------------------
Release: 19.1.0.dev329 on 2019-03-26 18:09:01
SHA: ec51f9311cf5de740bd624065684a0bda93c6f2c
Source: https://opendev.org/openstack/nova/src/api-ref/source/index.rst
URL: https://developer.openstack.org/api-ref/compute/
** Affects: nova
Importance: Medium
Status: Triaged
** Tags: api-ref
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1828042
Title:
Compute API in nova - all_tenants listed in non-admin query params set
Status in OpenStack Compute (nova):
Triaged
Bug description:
- [x] This doc is inaccurate in this way:
https://developer.openstack.org/api-ref/compute/?expanded=list-
servers-detail#list-servers
The GET /servers and GET /servers/detail entries say:
"""
- For non-admin users, whitelist is different from admin users whitelist.
Valid whitelist for non-admin users includes
- ``all_tenants``
"""
However, all_tenants is admin-only by default policy:
https://docs.openstack.org/nova/latest/configuration/policy.html
os_compute_api:servers:index:get_all_tenants
Default
rule:admin_api
Operations
GET /servers
List all servers for all projects
os_compute_api:servers:detail:get_all_tenants
Default
rule:admin_api
Operations
GET /servers/detail
The confusion is probably due to this code:
https://github.com/openstack/nova/blob/ec51f9311cf5de740bd624065684a0bda93c6f2c/nova/api/openstack/compute/servers.py#L1216
That allows the all_tenants parameter for non-admins at first, but
then it's removed from the list later and checked against policy:
https://github.com/openstack/nova/blob/ec51f9311cf5de740bd624065684a0bda93c6f2c/nova/api/openstack/compute/servers.py#L277
Note that it's also not listed in the API guide for non-admins:
https://developer.openstack.org/api-guide/compute/server_concepts.html
#server-query
-----------------------------------
Release: 19.1.0.dev329 on 2019-03-26 18:09:01
SHA: ec51f9311cf5de740bd624065684a0bda93c6f2c
Source: https://opendev.org/openstack/nova/src/api-ref/source/index.rst
URL: https://developer.openstack.org/api-ref/compute/
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1828042/+subscriptions
Follow ups