python-novaclient

Addition of all_tenants for delete command breaks deletes for non admins

Bug #1439381 reported by Daniel Wallace
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-novaclient
Fix Released
High
melanie witt
python-novaclient 2.25.0

Bug Description

I can no longer delete servers by name with non admin users on the rackspace cloud.

The issue appears to have been introduced here.

https://github.com/openstack/python-novaclient/commit/a0481e1c8008935d34e8f6e2cf896723b5e36f0a

The non admin user is unable to do the all_tenants lookup, and therefore fails there.

REQ: curl -g -i --insecure 'https://iad.servers.api.rackspacecloud.com/v2/<redacted>/servers?all_tenants=1&name=racktest' -X GET -H "Accept: application/json" -H "User-Agent: python-novaclient" -H "X-Auth-Token: <redacted>"
RESP: [403] {'content-length': '104', 'via': '1.1 Repose (Repose/6.2.1.2)', 'x-compute-request-id': 'req-77d8df40-8984-4f76-9826-e5190a9adaa7', 'server': 'Jetty(9.2.z-SNAPSHOT)', 'date': 'Wed, 01 Apr 2015 20:34:20 GMT, Wed, 01 Apr 2015 20:34:20 GMT', 'content-type': 'application/json; charset=UTF-8'}
RESP BODY: {"forbidden": {"message": "Policy doesn't allow compute:get_all_tenants to be performed.", "code": 403}}

Thanks.
Daniel

Revision history for this message
melanie witt (melwitt) wrote :

The all_tenants is controlled by policy, so deployments that have configured all_tenants to be admin-only are affected by this.

Changed in python-novaclient:
importance: Undecided → High
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-novaclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/169952

Changed in python-novaclient:
assignee: nobody → melanie witt (melwitt)
status: Confirmed → In Progress
Revision history for this message
Daniel Wallace (gtmanfred) wrote :

Thanks!

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-novaclient (master)

Reviewed: https://review.openstack.org/169952
Committed: https://git.openstack.org/cgit/openstack/python-novaclient/commit/?id=14cada7d0d8518bebbf0705be1a93514f9d7dad4
Submitter: Jenkins
Branch: master

commit 14cada7d0d8518bebbf0705be1a93514f9d7dad4
Author: melanie witt <email address hidden>
Date: Thu Apr 2 00:03:30 2015 +0000

    Add --all-tenants option to 'nova delete'

    Currently, the all_tenants=1 search option is being passed all the
    time for 'nova delete' commands in order to enable 'nova delete' by
    name to work across tenants, for those that have all_tenants access
    in the nova policy.json. This however breaks all 'nova delete' for
    non-admins when policy has been configured to allow only admin to
    list servers across all_tenants.

    This patch changes 'nova delete' to take an option --all-tenants to
    get the functionality to delete by name across tenants. This is
    similar to how 'nova list --all-tenants' works.

    Closes-Bug: #1439381

    Change-Id: I204daaf5c0f4dab7c93ef0bd85ffab3529ca352a

Changed in python-novaclient:
status: In Progress → Fix Committed
Matt Riedemann (mriedem)
Changed in python-novaclient:
milestone: none → 2.25.0
Matt Riedemann (mriedem)
Changed in python-novaclient:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.