OpenStack Compute (nova)

Non-admin users should be able to filter instances by user_id

Bug #1824576 reported by Shawn Johnson on 2019-04-12

10

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	In Progress	Wishlist	Brin Zhang

Bug Description

The nova API specifies that listing instances by user_id is an admin-only function.

A non-admin user can view the details of an instance and find the owner, so locking this down doesn't make much sense. In a project with many users, it would be very useful for a user to, at a minimum, list his/her own instances.

The following is run as a non-admin user. Note that user_id is shown in the instance details.

$ openstack server list | grep centos-test
| 7c14482f-b343-4d0b-944f-b745e9f36451 | centos-test | BUILD | | centos7 | m1.medium |

$ openstack server show 7c14482f-b343-4d0b-944f-b745e9f36451
+-----------------------------+----------------------------------------------------------+
| Field | Value |
+-----------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-STS:power_state | Running |
| OS-EXT-STS:task_state | None |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2019-04-12T18:58:51.000000 |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | public1=172.17.16.153 |
| config_drive | |
| created | 2019-04-12T18:58:35Z |
| flavor | m1.medium (3) |
| hostId | 0328a6e11b0beb43709e011a5fcaa8fccbf494bfa70d07245b5ca356 |
| id | 7c14482f-b343-4d0b-944f-b745e9f36451 |
| image | centos7 (84ffbd43-9752-4105-a6a8-e260d000f90c) |
| key_name | sjohnson |
| name | centos-test |
| progress | 0 |
| project_id | 6fda22d1af7442aab0b0dc0b7939dfba |
| properties | |
| security_groups | name='default' |
| status | ACTIVE |
| updated | 2019-04-12T18:58:51Z |
| user_id | c6e2da4261e34aad95b077ccff7e9e2e |
| volumes_attached | |
+-----------------------------+----------------------------------------------------------+

If there is a good use case for disabling the user filter, can we at least create a policy item to unlock the functionality?

Steps to reproduce
==================
As a non-admin user, run:
$ openstack server list --user <userid or name>

Expected result
===============
Show instances for the specified user

Actual result
=============
All instances for the tenant are shown.

Environment
===========
Release: OpenStack Rocky
Hypervisor: Libvirt + KVM

Tags:

Brin Zhang (zhangbailin) on 2019-04-15

Changed in nova:
assignee:	nobody → Brin Zhang (zhangbailin)

Revision history for this message

Brin Zhang (zhangbailin) wrote on 2019-04-15:

#1

Yes, as a user, if I am not an admin, then I should only be able to get the current user or the specified user's instances. This problem exists not only in the rocky branch, but also in the master.

Changed in nova:
status:	New → Confirmed

Revision history for this message

Surya Seetharaman (tssurya) wrote on 2019-04-15:

#2

I don't agree with allowing the user filter for non-admins. Sure its helpful for shared projects but for the whole cloud this should be an admin only filter. So if we are allowing this then we should do this per project (of which the requesting user should be a part of) per user which sort of redefines the meaning of the user filter: it would become more of a per project per user filter.

tags:	added: api
Changed in nova:
importance:	Undecided → Wishlist

Revision history for this message

Brin Zhang (zhangbailin) wrote on 2019-04-15:

#3

@tssurya, I think this is not contradictory. The admin is not limited to this restriction. Project users should only be able to obtain their own instance. Why do you want to get all the instances below the project? In theory, in a production environment, it is very dangerous to be able to see the server created by others.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-04-15: Fix proposed to nova (master)

#4

Fix proposed to branch: master
Review: https://review.openstack.org/652602

Changed in nova:
status:	Confirmed → In Progress

Revision history for this message

Shawn Johnson (caci-sj) wrote on 2019-04-15:

#5

I agree with @tssurya.

@zhangbailin, If instances are in the same project, I would expect them to be visible to everyone in the project. However, I would also expect a user to filter by his/her own instances.

Removing the current functionality of visibility within a project will severely hinder teamwork in my organization.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-07-22: Change abandoned on nova (master)

#6

Change abandoned by Brin Zhang (<email address hidden>) on branch: master
Review: https://review.opendev.org/652602

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.