Yes, I agree with you guys, I'm also OK for non-admin users to list their own instances no matter what status they are.
My question is this: I have done some tests, yet we have 2 different ways to list deleted instances (not counting using changes-since):

1. "GET /v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?status=deleted HTTP/1.1" (nova list --status deleted in CLI)

2. REQ: curl -g -i -X GET http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?deleted=True (nova list --deleted in CLI)

For admin user, we can all get deleted instances (after the fix of Matt's patch).

But for non-admin users, #1 is restricted here:
https://git.openstack.org/cgit/openstack/nova/tree/nova/api/openstack/compute/servers.py#n350
and it will return 403 error:

RESP BODY: {"forbidden": {"message": "Only administrators may list deleted instances", "code": 403}}

and for #2 it will strangely return servers that are not in deleted status:

DEBUG (connectionpool:387) "GET /v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?deleted=True HTTP/1.1" 200 3361
DEBUG (session:235) RESP: [200] Content-Length: 3361 X-Compute-Request-Id: req-bd073750-982a-4ef7-864a-a5db03e59a68 Vary: X-OpenStack-Nova-API-Version Connection: keep-alive X-Openstack-Nova-Api-Version: 2.1 Date: Thu, 03 Mar 2016 08:43:17 GMT Content-Type: application/json
RESP BODY: {"servers": [{"status": "ACTIVE", "updated": "2016-02-29T06:24:16Z", "hostId": "56b12284bb4d1da6cbd066d15e17df252dac1f0dc6c81a74bf0634b7", "addresses": {"private": [{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:4f:1b:32", "version": 4, "addr": "10.0.0.14", "OS-EXT-IPS:type": "fixed"}, {"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:4f:1b:32", "version": 6, "addr": "fdb7:5d7b:6dcd:0:f816:3eff:fe4f:1b32", "OS-EXT-IPS:type": "fixed"}]}, "links": [{"href": " http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/ee8907c7-0730-4051-8426-64be44300e70", "rel": "self"}, {"href": " http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/servers/ee8907c7-0730-4051-8426-64be44300e70", "rel": "bookmark"}], "key_name": null, "image": {"id": "6455625c-a68d-4bd3-ac2e-07382ac5cbf4", "links": [{"href": " http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/images/6455625c-a68d-4bd3-ac2e-07382ac5cbf4", "rel": "bookmark"}]}, "OS-EXT-STS:task_state": null, "OS-EXT-STS:vm_state": "active", "OS-SRV-USG:launched_at": "2016-02-29T06:24:16.000000", "flavor": {"id": "1", "links": [{"href": " http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/flavors/1", "rel": "bookmark"}]}, "id": "ee8907c7-0730-4051-8426-64be44300e70", "security_groups": [{"name": "default"}], "OS-SRV-USG:terminated_at": null, "OS-EXT-AZ:availability_zone": "nova", "user_id": "da935c024dc1444abb7b32390eac4e0b", "name": "test_inject", "created": "2016-02-29T06:24:08Z", "tenant_id": "62bfb653eb0d4d5cabdf635dd8181313", "OS-DCF:diskConfig": "MANUAL", "os-extended-volumes:volumes_attached": [], "accessIPv4": "", "accessIPv6": "", "progress": 0, "OS-EXT-STS:power_state": 1, "config_drive": "True", "metadata": {}}, {"status": "ACTIVE", "updated": "2016-02-29T06:21:22Z", "hostId": "56b12284bb4d1da6cbd066d15e17df252dac1f0dc6c81a74bf0634b7", "addresses": {"private": [{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:63:b0:12", "version": 4, "addr": "10.0.0.13", "OS-EXT-IPS:type": "fixed"}, {"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:63:b0:12", "version": 6, "addr": "fdb7:5d7b:6dcd:0:f816:3eff:fe63:b012", "OS-EXT-IPS:type": "fixed"}]}, "links": [{"href": " http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/40bab05f-0692-43df-a8a9-e7c0d58a73bd", "rel": "self"}, {"href": " http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/servers/40bab05f-0692-43df-a8a9-e7c0d58a73bd", "rel": "bookmark"}], "key_name": null, "image": {"id": "6455625c-a68d-4bd3-ac2e-07382ac5cbf4", "links": [{"href": " http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/images/6455625c-a68d-4bd3-ac2e-07382ac5cbf4", "rel": "bookmark"}]}, "OS-EXT-STS:task_state": null, "OS-EXT-STS:vm_state": "active", "OS-SRV-USG:launched_at": "2016-02-29T06:21:22.000000", "flavor": {"id": "1", "links": [{"href": " http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/flavors/1", "rel": "bookmark"}]}, "id": "40bab05f-0692-43df-a8a9-e7c0d58a73bd", "security_groups": [{"name": "default"}], "OS-SRV-USG:terminated_at": null, "OS-EXT-AZ:availability_zone": "nova", "user_id": "da935c024dc1444abb7b32390eac4e0b", "name": "test_inject", "created": "2016-02-29T06:19:51Z", "tenant_id": "62bfb653eb0d4d5cabdf635dd8181313", "OS-DCF:diskConfig": "MANUAL", "os-extended-volumes:volumes_attached": [], "accessIPv4": "", "accessIPv6": "", "progress": 0, "OS-EXT-STS:power_state": 1, "config_drive": "True", "metadata": {}}]}

I think this is obviously not consistent, I think we can decide what the behavior should be and make them consistent?

Yours,
Kevin

On Thu, Mar 3, 2016 at 3:59 PM, Alex Xu <sou...@gmail.com> wrote:

> 2016-03-03 2:11 GMT+08:00 Matt Riedemann <mrie...@linux.vnet.ibm.com>:
>
>> On 3/2/2016 3:02 AM, Zhenyu Zheng wrote:
>>
>>> Hi, Nova,
>>>
>>> While I'm working on add "changes-since" parameter support for
>>> python-novaclient "list" CLI.
>>>
>>> I realized that non-admin can list all deleted instances using
>>> "changes-since" parameter. This is reasonable in some level, as delete
>>> is an update to instances. But as we have a limitation that when list
>>> instances, deleted parameter is only allowed for admin users.
>>>
>>> This will lead to inconsistent to the rule of show deleted instances, as
>>> we limit the list of deleted instances to admin only, but non-admin can
>>> get the information using changes-since.
>>>
>>> Should we fix this?
>>>
>>> https://bugs.launchpad.net/nova/+bug/1552071
>>>
>>> Thanks,
>>>
>>> Kevin Zheng
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe:
>>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>> Unless I'm missing some use case, I think that listing instances for
>> non-admins should be restricted to the instances they own, regardless of
>> whether or not they are deleted, period.
>>
>
> agree with this. I didn't see a problem showing the deleted instance for
> non-admins.
>
>>
>> As for listing deleting instances as an admin, that was broken with the
>> 2.16 microversion and there is a fix here:
>>
>> https://review.openstack.org/#/c/283820/
>>
>> --
>>
>> Thanks,
>>
>> Matt Riedemann
>>
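A sketch of the rule the replies in this thread converge on (non-admins see only the instances they own, deleted or not), added here as an example; it is not Nova code. Ctx, build_filters, list_servers and the ROWS sample data are hypothetical, and admin handling is simplified to "no project scoping".

```python
# Added illustration, not Nova code. Ctx, build_filters, list_servers and
# ROWS are hypothetical names; ROWS is constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ctx:
    project_id: str
    is_admin: bool = False

def _truthy(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")

def build_filters(ctx, query):
    """Turn list-servers query parameters into one filter dict."""
    filters = {}
    status = str(query.get("status", "")).lower()
    # ?status=deleted and ?deleted=True are two spellings of one request.
    if status == "deleted" or _truthy(query.get("deleted", False)):
        filters["deleted"] = True
    elif status:
        filters.update(status=status.upper(), deleted=False)
    elif "changes-since" not in query:
        filters["deleted"] = False  # plain listing hides deleted rows
    if "changes-since" in query:
        filters["changes_since"] = query["changes-since"]
    # Ownership scoping goes last so no parameter can widen it.
    if not ctx.is_admin:
        filters["project_id"] = ctx.project_id
    return filters

def list_servers(ctx, query, rows):
    """Return the sorted names of rows visible to ctx for this query."""
    f = build_filters(ctx, query)
    return sorted(
        r["name"] for r in rows
        if f.get("project_id", r["project_id"]) == r["project_id"]
        and f.get("deleted", r["deleted"]) == r["deleted"]
        and f.get("status", r["status"]) == r["status"]
        and r["updated"] >= f.get("changes_since", "")
    )

ROWS = [  # constructed: two projects, timestamps in one ISO 8601 format
    {"name": "a-active", "project_id": "p1", "status": "ACTIVE",
     "deleted": False, "updated": "2016-02-29T06:24:16Z"},
    {"name": "a-deleted", "project_id": "p1", "status": "DELETED",
     "deleted": True, "updated": "2016-03-01T10:00:00Z"},
    {"name": "b-deleted", "project_id": "p2", "status": "DELETED",
     "deleted": True, "updated": "2016-03-02T10:00:00Z"},
]
```

Under this rule a non-admin in project p1 gets the same answer, a-deleted only, from status=deleted, deleted=True and a changes-since query that covers the deletion.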