yahoo-eng-team team mailing list archive

[Bug 1828042] [NEW] Compute API in nova - all_tenants listed in non-admin query params set

 

Public bug reported:

- [x] This doc is inaccurate in this way:

https://developer.openstack.org/api-ref/compute/?expanded=list-servers-detail#list-servers

The GET /servers and GET /servers/detail entries say:

"""
- For non-admin users, whitelist is different from admin users whitelist.
  Valid whitelist for non-admin users includes

  - ``all_tenants``
"""

However, all_tenants is admin-only by default policy:

https://docs.openstack.org/nova/latest/configuration/policy.html

os_compute_api:servers:index:get_all_tenants

    Default
        rule:admin_api
    Operations
        GET /servers

    List all servers for all projects

os_compute_api:servers:detail:get_all_tenants

    Default
        rule:admin_api
    Operations
        GET /servers/detail

The confusion is probably due to this code:

https://github.com/openstack/nova/blob/ec51f9311cf5de740bd624065684a0bda93c6f2c/nova/api/openstack/compute/servers.py#L1216

That allows the all_tenants parameter for non-admins at first, but then
it's removed from the list later and checked against policy:

https://github.com/openstack/nova/blob/ec51f9311cf5de740bd624065684a0bda93c6f2c/nova/api/openstack/compute/servers.py#L277

Note that it's also not listed in the API guide for non-admins:

https://developer.openstack.org/api-guide/compute/server_concepts.html#server-query

-----------------------------------
Release: 19.1.0.dev329 on 2019-03-26 18:09:01
SHA: ec51f9311cf5de740bd624065684a0bda93c6f2c
Source: https://opendev.org/openstack/nova/src/api-ref/source/index.rst
URL: https://developer.openstack.org/api-ref/compute/

** Affects: nova
     Importance: Medium
         Status: Triaged


** Tags: api-ref

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1828042
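
The two-stage handling described in the report, as an added example that is not nova's code and not part of the original message: a parameter allow-list lets all_tenants through for every caller, and a later policy check decides whether it is honoured. The function names, allow-list contents and project id are hypothetical; only the two policy rule names and their rule:admin_api default are taken from the report.

```python
# Simplified model, not nova's code. Only the two policy names and their
# "rule:admin_api" default come from the bug report; the rest is assumed.

class Forbidden(Exception):
    """Stands in for the error a failed policy check produces."""

# Constructed allow-lists (hypothetical, shortened).
NON_ADMIN_PARAMS = {"all_tenants", "name", "status"}
ADMIN_EXTRA_PARAMS = {"host"}

POLICY_DEFAULTS = {
    "os_compute_api:servers:index:get_all_tenants": "rule:admin_api",
    "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api",
}

def enforce(rule, is_admin):
    # Every rule in this model defaults to rule:admin_api.
    if POLICY_DEFAULTS[rule] == "rule:admin_api" and not is_admin:
        raise Forbidden(rule)

def list_servers(params, project_id, is_admin, detail=False):
    # Stage 1: parameter allow-list. all_tenants passes for everyone,
    # which is what the API reference documented.
    allowed = NON_ADMIN_PARAMS | (ADMIN_EXTRA_PARAMS if is_admin else set())
    filters = {k: v for k, v in params.items() if k in allowed}

    # Stage 2: all_tenants is removed from the filters and gated by policy.
    want_all = str(filters.pop("all_tenants", "0")).lower() in ("1", "true")
    if want_all:
        view = "detail" if detail else "index"
        enforce(f"os_compute_api:servers:{view}:get_all_tenants", is_admin)

    # Without all_tenants the listing stays scoped to the caller's project.
    return {"filters": filters, "project_id": None if want_all else project_id}

def outcome(params, is_admin, detail=False):
    # Helper for the demo: report the result or the policy that denied it.
    try:
        return list_servers(params, "demo-project", is_admin, detail)
    except Forbidden as exc:
        return f"denied by {exc}"
```

In this model a non-admin sending an unlisted parameter has it dropped silently, while sending all_tenants=1 is rejected by policy, so the allow-list alone does not describe what a non-admin can actually do.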
