yahoo-eng-team team mailing list archive
Message #78434
[Bug 1828042] Re: Compute API in nova - all_tenants listed in non-admin query params set
Reviewed: https://review.opendev.org/657620
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=57646dfe7797a286d88918563d5bf9a6d1a7307a
Submitter: Zuul
Branch: master
commit 57646dfe7797a286d88918563d5bf9a6d1a7307a
Author: Matt Riedemann <mriedem.os@xxxxxxxxx>
Date: Tue May 7 10:47:04 2019 -0400
api-ref: fix mention of all_tenants filter for non-admins

The API reference for listing servers says that the all_tenants
filter parameter is available for non-admins which is likely
a mistake because of it being in the _get_server_search_options
method, but all_tenants is admin-only by default policy because
of the os_compute_api:servers:index:get_all_tenants and
os_compute_api:servers:detail:get_all_tenants policy rules.

This change fixes the API reference to remove all_tenants from
the list of non-admin filter parameters and also adds a note to
the _get_server_search_options method to avoid future confusion.

Change-Id: I0e937afbdf8e19d2efd626047913d4c8a9b88b76
Closes-Bug: #1828042
** Changed in: nova
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1828042
Title:
Compute API in nova - all_tenants listed in non-admin query params set
Status in OpenStack Compute (nova):
Fix Released
Bug description:
- [x] This doc is inaccurate in this way:
https://developer.openstack.org/api-ref/compute/?expanded=list-servers-detail#list-servers
The GET /servers and GET /servers/detail entries say:
"""
- For non-admin users, whitelist is different from admin users whitelist.
Valid whitelist for non-admin users includes
- ``all_tenants``
"""
However, all_tenants is admin-only by default policy:
https://docs.openstack.org/nova/latest/configuration/policy.html
os_compute_api:servers:index:get_all_tenants
    Default: rule:admin_api
    Operations: GET /servers
    List all servers for all projects
os_compute_api:servers:detail:get_all_tenants
    Default: rule:admin_api
    Operations: GET /servers/detail
The confusion is probably due to this code:
https://github.com/openstack/nova/blob/ec51f9311cf5de740bd624065684a0bda93c6f2c/nova/api/openstack/compute/servers.py#L1216
That allows the all_tenants parameter for non-admins at first, but
then it's removed from the list later and checked against policy:
https://github.com/openstack/nova/blob/ec51f9311cf5de740bd624065684a0bda93c6f2c/nova/api/openstack/compute/servers.py#L277
Note that it's also not listed in the API guide for non-admins:
https://developer.openstack.org/api-guide/compute/server_concepts.html#server-query
-----------------------------------
Release: 19.1.0.dev329 on 2019-03-26 18:09:01
SHA: ec51f9311cf5de740bd624065684a0bda93c6f2c
Source: https://opendev.org/openstack/nova/src/api-ref/source/index.rst
URL: https://developer.openstack.org/api-ref/compute/
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1828042/+subscriptions
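
The two-stage handling described in the bug report (all_tenants passes the non-admin whitelist, is then removed from the filters and checked against policy), modelled as an added example that is not nova's code and not part of the original message. The function names, the sample whitelist and `host` parameter, the truthiness parsing and the project scoping are assumptions; only the policy rule names and their `rule:admin_api` default come from the report.

```python
# Simplified model, not nova's code. Function names, the sample whitelist,
# the truthiness parsing and the project scoping are assumptions.

class Forbidden(Exception):
    """Raised when a policy rule denies the request (hypothetical)."""

# Rule names and the admin-only default come from the bug report.
POLICY_DEFAULTS = {
    "os_compute_api:servers:index:get_all_tenants": "rule:admin_api",
    "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api",
}

# Constructed sample whitelist. all_tenants is listed only so that it
# survives stage 1 and reaches the policy check in stage 2.
NON_ADMIN_WHITELIST = {"name", "status", "all_tenants"}


def _truthy(value):
    return str(value).lower() in {"1", "true", "yes"}


def server_filters(query, is_admin, project_id, detail=False):
    """Return the filters a list request would run with, or raise Forbidden."""
    # Stage 1: non-admins keep only whitelisted query parameters
    # (assumption: admins keep everything).
    if is_admin:
        opts = dict(query)
    else:
        opts = {k: v for k, v in query.items() if k in NON_ADMIN_WHITELIST}

    # Stage 2: all_tenants is popped out of the filters and checked against
    # policy, so being on the whitelist never grants it to a non-admin.
    if _truthy(opts.pop("all_tenants", None)):
        view = "detail" if detail else "index"
        rule = "os_compute_api:servers:%s:get_all_tenants" % view
        if POLICY_DEFAULTS[rule] == "rule:admin_api" and not is_admin:
            raise Forbidden(rule)
    else:
        opts["project_id"] = project_id  # scope to the caller's project
    return opts


if __name__ == "__main__":
    print(server_filters({"name": "web", "host": "cmp1"}, False, "p1"))
    try:
        server_filters({"all_tenants": "1"}, False, "p1")
    except Forbidden as exc:
        print("denied by", exc)
```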