Public bug reported:

The nova API specifies that listing instances by user_id is an admin-only function.

A non-admin user can view the details of an instance and find the owner, so locking this down doesn't make much sense. In a project with many users, it would be very useful for a user to, at a minimum, list his/her own instances.

The following is run as a non-admin user. Note that user_id is shown in the instance details.

$ openstack server list | grep centos-test
| 7c14482f-b343-4d0b-944f-b745e9f36451 | centos-test | BUILD | | centos7 | m1.medium |

$ openstack server show 7c14482f-b343-4d0b-944f-b745e9f36451
+-----------------------------+----------------------------------------------------------+
| Field                       | Value                                                    |
+-----------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                                   |
| OS-EXT-AZ:availability_zone | nova                                                     |
| OS-EXT-STS:power_state      | Running                                                  |
| OS-EXT-STS:task_state       | None                                                     |
| OS-EXT-STS:vm_state         | active                                                   |
| OS-SRV-USG:launched_at      | 2019-04-12T18:58:51.000000                               |
| OS-SRV-USG:terminated_at    | None                                                     |
| accessIPv4                  |                                                          |
| accessIPv6                  |                                                          |
| addresses                   | public1=172.17.16.153                                    |
| config_drive                |                                                          |
| created                     | 2019-04-12T18:58:35Z                                     |
| flavor                      | m1.medium (3)                                            |
| hostId                      | 0328a6e11b0beb43709e011a5fcaa8fccbf494bfa70d07245b5ca356 |
| id                          | 7c14482f-b343-4d0b-944f-b745e9f36451                     |
| image                       | centos7 (84ffbd43-9752-4105-a6a8-e260d000f90c)           |
| key_name                    | sjohnson                                                 |
| name                        | centos-test                                              |
| progress                    | 0                                                        |
| project_id                  | 6fda22d1af7442aab0b0dc0b7939dfba                         |
| properties                  |                                                          |
| security_groups             | name='default'                                           |
| status                      | ACTIVE                                                   |
| updated                     | 2019-04-12T18:58:51Z                                     |
| user_id                     | c6e2da4261e34aad95b077ccff7e9e2e                         |
| volumes_attached            |                                                          |
+-----------------------------+----------------------------------------------------------+

If there is a good use case for disabling the user filter, can we at least create a policy item to unlock the functionality?

Steps to reproduce
==================
As a non-admin user, run:

$ openstack server list --user <userid or name>

Expected result
===============
Show instances for the specified user

Actual result
=============
All instances for the tenant are shown.

Environment
===========
Release: OpenStack Rocky
Hypervisor: Libvirt + KVM

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1824576

Title:
  Non-admin users should be able to filter instances by user_id

Status in OpenStack Compute (nova):
  New