Non-admin users should be able to filter instances by user_id

Bug #1824576 reported by Shawn Johnson
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
In Progress
Brin Zhang

Bug Description

The nova API specifies that listing instances by user_id is an admin-only function.

A non-admin user can view the details of an instance and find the owner, so locking this down doesn't make much sense. In a project with many users, it would be very useful for a user to, at a minimum, list his/her own instances.

The following is run as a non-admin user. Note that user_id is shown in the instance details.

$ openstack server list | grep centos-test
| 7c14482f-b343-4d0b-944f-b745e9f36451 | centos-test | BUILD | | centos7 | m1.medium |

$ openstack server show 7c14482f-b343-4d0b-944f-b745e9f36451
| Field | Value |
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-STS:power_state | Running |
| OS-EXT-STS:task_state | None |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2019-04-12T18:58:51.000000 |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | public1= |
| config_drive | |
| created | 2019-04-12T18:58:35Z |
| flavor | m1.medium (3) |
| hostId | 0328a6e11b0beb43709e011a5fcaa8fccbf494bfa70d07245b5ca356 |
| id | 7c14482f-b343-4d0b-944f-b745e9f36451 |
| image | centos7 (84ffbd43-9752-4105-a6a8-e260d000f90c) |
| key_name | sjohnson |
| name | centos-test |
| progress | 0 |
| project_id | 6fda22d1af7442aab0b0dc0b7939dfba |
| properties | |
| security_groups | name='default' |
| status | ACTIVE |
| updated | 2019-04-12T18:58:51Z |
| user_id | c6e2da4261e34aad95b077ccff7e9e2e |
| volumes_attached | |

If there is a good use case for disabling the user filter, can we at least create a policy item to unlock the functionality?

Steps to reproduce
As a non-admin user, run:
$ openstack server list --user <userid or name>

Expected result
Show instances for the specified user

Actual result
All instances for the tenant are shown.

Release: OpenStack Rocky
Hypervisor: Libvirt + KVM

Tags: api
Brin Zhang (zhangbailin)
Changed in nova:
assignee: nobody → Brin Zhang (zhangbailin)
Revision history for this message
Brin Zhang (zhangbailin) wrote :

Yes, as a user, if I am not an admin, then I should only be able to get the current user or the specified user's instances. This problem exists not only in the rocky branch, but also in the master.

Changed in nova:
status: New → Confirmed
Revision history for this message
Surya Seetharaman (tssurya) wrote :

I don't agree with allowing the user filter for non-admins. Sure its helpful for shared projects but for the whole cloud this should be an admin only filter. So if we are allowing this then we should do this per project (of which the requesting user should be a part of) per user which sort of redefines the meaning of the user filter: it would become more of a per project per user filter.

tags: added: api
Changed in nova:
importance: Undecided → Wishlist
Revision history for this message
Brin Zhang (zhangbailin) wrote :

@tssurya, I think this is not contradictory. The admin is not limited to this restriction. Project users should only be able to obtain their own instance. Why do you want to get all the instances below the project? In theory, in a production environment, it is very dangerous to be able to see the server created by others.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master

Changed in nova:
status: Confirmed → In Progress
Revision history for this message
Shawn Johnson (caci-sj) wrote :

I agree with @tssurya.

@zhangbailin, If instances are in the same project, I would expect them to be visible to everyone in the project. However, I would also expect a user to filter by his/her own instances.

Removing the current functionality of visibility within a project will severely hinder teamwork in my organization.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Brin Zhang (<email address hidden>) on branch: master

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.