Re: [openstack-dev] [nova] Non-Admin user can show deleted instances using changes-since parameter when calling list API

[Matt Riedemann]

On 3/3/2016 10:02 AM, Matt Riedemann wrote:


On 3/3/2016 2:55 AM, Zhenyu Zheng wrote:
Yes, I agree with you guys, I'm also OK for non-admin users to list
their own instances no matter what status they are.

My question is this:
I have done some tests, yet we have 2 different ways to list deleted
instances (not counting using changes-since):

1.
"GET
/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?status=deleted
HTTP/1.1"
(nova list --status deleted in CLI)
2. REQ: curl -g -i -X GET
http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?deleted=True
(nova
list --deleted in CLI)

for admin user, we can all get deleted instances(after the fix of Matt's
patch).

But for non-admin users, #1 is restricted here:
https://git.openstack.org/cgit/openstack/nova/tree/nova/api/openstack/compute/servers.py#n350

and it will return 403 error:
RESP BODY: {"forbidden": {"message": "Only administrators may list
deleted instances", "code": 403}}

This is part of the API so if we were going to allow non-admins to query
for deleted servers using status=deleted, it would have to be a
microversion change. [1] I could also see that being policy-driven.

It does seem odd and inconsistent though that non-admins can't query
with status=deleted but they can query with deleted=True in the query
options.


and for #2 it will strangely return servers that are not in deleted
status:

This seems like a bug. I tried looking for something obvious in the code
but I'm not seeing the issue, I'd suspect something down in the DB API
code that's doing the filtering.


DEBUG (connectionpool:387) "GET
/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?deleted=True
HTTP/1.1" 200 3361
DEBUG (session:235) RESP: [200] Content-Length: 3361
X-Compute-Request-Id: req-bd073750-982a-4ef7-864a-a5db03e59a68 Vary:
X-OpenStack-Nova-API-Version Connection: keep-alive
X-Openstack-Nova-Api-Version: 2.1 Date: Thu, 03 Mar 2016 08:43:17 GMT
Content-Type: application/json
RESP BODY: {"servers": [{"status": "ACTIVE", "updated":
"2016-02-29T06:24:16Z", "hostId":
"56b12284bb4d1da6cbd066d15e17df252dac1f0dc6c81a74bf0634b7", "addresses":
{"private": [{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:4f:1b:32", "version":
4, "addr": "10.0.0.14", "OS-EXT-IPS:type": "fixed"},
{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:4f:1b:32", "version": 6, "addr":
"fdb7:5d7b:6dcd:0:f816:3eff:fe4f:1b32", "OS-EXT-IPS:type": "fixed"}]},
"links": [{"href":
"http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/ee8907c7-0730-4051-8426-64be44300e70";,

"rel": "self"}, {"href":
"http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/servers/ee8907c7-0730-4051-8426-64be44300e70";,

"rel": "bookmark"}], "key_name": null, "image": {"id":
"6455625c-a68d-4bd3-ac2e-07382ac5cbf4", "links": [{"href":
"http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/images/6455625c-a68d-4bd3-ac2e-07382ac5cbf4";,

"rel": "bookmark"}]}, "OS-EXT-STS:task_state": null,
"OS-EXT-STS:vm_state": "active", "OS-SRV-USG:launched_at":
"2016-02-29T06:24:16.000000", "flavor": {"id": "1", "links": [{"href":
"http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/flavors/1";,
"rel": "bookmark"}]}, "id": "ee8907c7-0730-4051-8426-64be44300e70",
"security_groups": [{"name": "default"}], "OS-SRV-USG:terminated_at":
null, "OS-EXT-AZ:availability_zone": "nova", "user_id":
"da935c024dc1444abb7b32390eac4e0b", "name": "test_inject", "created":
"2016-02-29T06:24:08Z", "tenant_id": "62bfb653eb0d4d5cabdf635dd8181313",
"OS-DCF:diskConfig": "MANUAL", "os-extended-volumes:volumes_attached":
[], "accessIPv4": "", "accessIPv6": "", "progress": 0,
"OS-EXT-STS:power_state": 1, "config_drive": "True", "metadata": {}},
{"status": "ACTIVE", "updated": "2016-02-29T06:21:22Z", "hostId":
"56b12284bb4d1da6cbd066d15e17df252dac1f0dc6c81a74bf0634b7", "addresses":
{"private": [{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:63:b0:12", "version":
4, "addr": "10.0.0.13", "OS-EXT-IPS:type": "fixed"},
{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:63:b0:12", "version": 6, "addr":
"fdb7:5d7b:6dcd:0:f816:3eff:fe63:b012", "OS-EXT-IPS:type": "fixed"}]},
"links": [{"href":
"http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/40bab05f-0692-43df-a8a9-e7c0d58a73bd";,

"rel": "self"}, {"href":
"http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/servers/40bab05f-0692-43df-a8a9-e7c0d58a73bd";,

"rel": "bookmark"}], "key_name": null, "image": {"id":
"6455625c-a68d-4bd3-ac2e-07382ac5cbf4", "links": [{"href":
"http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/images/6455625c-a68d-4bd3-ac2e-07382ac5cbf4";,

"rel": "bookmark"}]}, "OS-EXT-STS:task_state": null,
"OS-EXT-STS:vm_state": "active", "OS-SRV-USG:launched_at":
"2016-02-29T06:21:22.000000", "flavor": {"id": "1", "links": [{"href":
"http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/flavors/1";,
"rel": "bookmark"}]}, "id": "40bab05f-0692-43df-a8a9-e7c0d58a73bd",
"security_groups": [{"name": "default"}], "OS-SRV-USG:terminated_at":
null, "OS-EXT-AZ:availability_zone": "nova", "user_id":
"da935c024dc1444abb7b32390eac4e0b", "name": "test_inject", "created":
"2016-02-29T06:19:51Z", "tenant_id": "62bfb653eb0d4d5cabdf635dd8181313",
"OS-DCF:diskConfig": "MANUAL", "os-extended-volumes:volumes_attached":
[], "accessIPv4": "", "accessIPv6": "", "progress": 0,
"OS-EXT-STS:power_state": 1, "config_drive": "True", "metadata": {}}]}

I think this is obviously not consistent, I think we can decide what the
behavior should be and make them consistent?

Yours,

Kevin

On Thu, Mar 3, 2016 at 3:59 PM, Alex Xu <sou...@gmail.com
<mailto:sou...@gmail.com>> wrote:



    2016-03-03 2:11 GMT+08:00 Matt Riedemann <mrie...@linux.vnet.ibm.com
    <mailto:mrie...@linux.vnet.ibm.com>>:



        On 3/2/2016 3:02 AM, Zhenyu Zheng wrote:

            Hi, Nova,

            While I'm working on add "changes-since" parameter support
for
            python-novaclient "list" CLI.

            I realized that non-admin can list all deleted instances
using
            "changes-since" parameter. This is reasonable in some level,
            as delete
            is an update to instances. But as we have a limitation that
            when list
            instances, deleted parameter is only allowed for admin users.

            This will lead to inconsistent to the rule of show deleted
            instances, as
            we limit the list of deleted instances to admin only, but
            non-admin can
            get the information using changes-since.

            Should we fix this?

            https://bugs.launchpad.net/nova/+bug/1552071

            Thanks,

            Kevin Zheng



__________________________________________________________________________

            OpenStack Development Mailing List (not for usage questions)
            Unsubscribe:

openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
<http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


        Unless I'm missing some use case, I think that listing instances
        for non-admins should be restricted to the instances they own,
        regardless of whether or not they are deleted, period.


    agree with this. I didn't see a problem showing the deleted instance
    for non-admins.


        As for listing deleting instances as an admin, that was broken
        with the 2.16 microversion and there is a fix here:

        https://review.openstack.org/#/c/283820/

        --

        Thanks,

        Matt Riedemann



__________________________________________________________________________

        OpenStack Development Mailing List (not for usage questions)
        Unsubscribe:
        openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

<http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>
        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




__________________________________________________________________________

    OpenStack Development Mailing List (not for usage questions)
    Unsubscribe:
    openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

<http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>
    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




__________________________________________________________________________

OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


[1]
https://git.openstack.org/cgit/openstack/nova/tree/nova/api/openstack/compute/servers.py?id=3a0e5f985fdd4b067d68450360cf62d57e82ecb2#n355



I confirmed what you're seeing [1].  A non-admin can use `nova list 
--deleted` and it's not an error but non-deleted instances are returned. 
 But a non-admin can't use `nova list --status=deleted` because only 
admins can perform that operation since the REST API code explicitly 
checks the context.

[1] https://gist.github.com/mriedem/1299a15007e413ff646a

--

Thanks,

Matt Riedemann


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev