Non-admin users should be able to filter instances by user_id
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | In Progress | Wishlist | Brin Zhang | |
Bug Description
The nova API specifies that listing instances by user_id is an admin-only function.
A non-admin user can view the details of an instance and find the owner, so locking this down doesn't make much sense. In a project with many users, it would be very useful for a user to, at a minimum, list his/her own instances.
The following is run as a non-admin user. Note that user_id is shown in the instance details.
$ openstack server list | grep centos-test
| 7c14482f-
$ openstack server show 7c14482f-
+------
| Field | Value |
+------
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-
| OS-EXT-
| OS-EXT-
| OS-EXT-STS:vm_state | active |
| OS-SRV-
| OS-SRV-
| accessIPv4 | |
| accessIPv6 | |
| addresses | public1=
| config_drive | |
| created | 2019-04-
| flavor | m1.medium (3) |
| hostId | 0328a6e11b0beb4
| id | 7c14482f-
| image | centos7 (84ffbd43-
| key_name | sjohnson |
| name | centos-test |
| progress | 0 |
| project_id | 6fda22d1af7442a
| properties | |
| security_groups | name='default' |
| status | ACTIVE |
| updated | 2019-04-
| user_id | c6e2da4261e34aa
| volumes_attached | |
+------
If there is a good use case for disabling the user filter, can we at least create a policy item to unlock the functionality?
Steps to reproduce
==================
As a non-admin user, run:
$ openstack server list --user <userid or name>
Expected result
===============
Show instances for the specified user
Actual result
=============
All instances for the tenant are shown.
Environment
===========
Release: OpenStack Rocky
Hypervisor: Libvirt + KVM
Changed in nova:
assignee: nobody → Brin Zhang (zhangbailin)
Yes, as a user, if I am not an admin, then I should only be able to get the current user or the specified user's instances. This problem exists not only in the rocky branch, but also in the master.
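The difference between silently ignoring the user_id filter and gating it behind a policy rule, as a small Python model added here (not nova's code and not part of the bug thread). The rule name servers:index:filter_by_user_id, the Context class and the sample servers are assumptions made for illustration.

```python
# Simplified model of server-list filter handling; NOT nova's code.
# The policy rule name and the data layout are assumptions for this example.
from dataclasses import dataclass

USER_FILTERS = {"name", "status"}  # filters any project member may use
POLICY_GATED = {"user_id": "servers:index:filter_by_user_id"}  # hypothetical rule


@dataclass(frozen=True)
class Context:
    user_id: str
    project_id: str
    is_admin: bool = False
    granted_rules: frozenset = frozenset()  # policy rules this caller passes


def reported_behaviour(ctx, filters):
    """Silently drop filters a non-admin may not use; result matches the report."""
    if ctx.is_admin:
        return dict(filters)
    return {k: v for k, v in filters.items() if k in USER_FILTERS}


def policy_gated(ctx, filters):
    """Honour a gated filter when policy allows it; otherwise refuse, never widen."""
    for key in filters:
        if ctx.is_admin or key in USER_FILTERS:
            continue
        rule = POLICY_GATED.get(key)
        if rule is None or rule not in ctx.granted_rules:
            raise PermissionError(f"filter {key!r} not permitted")
    return dict(filters)


def list_servers(ctx, servers, filters, sanitise):
    """Return server names visible to ctx; non-admins never leave their project."""
    effective = sanitise(ctx, filters)
    if not ctx.is_admin:
        effective["project_id"] = ctx.project_id
    return [s["name"] for s in servers
            if all(s.get(k) == v for k, v in effective.items())]


# Constructed sample data: two users in project p1, one instance in project p2.
SERVERS = [
    {"name": "centos-test", "user_id": "alice", "project_id": "p1", "status": "ACTIVE"},
    {"name": "db-1", "user_id": "bob", "project_id": "p1", "status": "ACTIVE"},
    {"name": "other", "user_id": "alice", "project_id": "p2", "status": "ACTIVE"},
]
```

Refusing the request when the rule is not granted keeps a caller from mistaking the whole project's list for a filtered one.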