<div dir="ltr">Yes, I agree with you guys, I'm also OK with non-admin users listing their own instances no matter what status they are in.<div><br></div><div>My question is this:</div><div>I have done some tests, yet we have 2 different ways to list deleted instances (not counting using changes-since):</div><div><br></div><div>1. <span style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px">"GET /v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?status=deleted HTTP/1.1" (nova list --status deleted in CLI)</span></div><div><span style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px">2. </span><span style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px">REQ: curl -g -i -X GET </span><a href="http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?deleted=True" style="font-family:微软雅黑;font-size:14px;line-height:21px">http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?deleted=True</a><span style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px"> (nova list --deleted in CLI)</span></div><div><span style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px"><br></span></div><div><span style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px">For admin users, we can all get deleted instances (after the fix of Matt's patch).</span></div><div><span style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px"><br></span></div><div><span style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px">But for non-admin users, #1 is restricted here:</span></div><div><font color="#000000" face="微软雅黑"><span style="font-size:14px;line-height:21px"><a href="https://git.openstack.org/cgit/openstack/nova/tree/nova/api/openstack/compute/servers.py#n350">https://git.openstack.org/cgit/openstack/nova/tree/nova/api/openstack/compute/servers.py#n350</a></span></font><br></div><div><font color="#000000" 
face="微软雅黑"><span style="font-size:14px;line-height:21px">and it will return 403 error:</span></font></div><div><span style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px">RESP BODY: {"forbidden": {"message": "Only administrators may list deleted instances", "code": 403}}</span><font color="#000000" face="微软雅黑"><span style="font-size:14px;line-height:21px"><br></span></font></div><div><span style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px"><br></span></div><div><span style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px">and for #2 it will strangely return servers that are not in deleted status:</span></div><div><span style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px"><br></span></div><div><div style=""><font color="#000000" face="微软雅黑"><span style="font-size:14px;line-height:21px">DEBUG (connectionpool:387) "GET /v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?deleted=True HTTP/1.1" 200 3361</span></font></div><div style=""><font color="#000000" face="微软雅黑"><span style="font-size:14px;line-height:21px">DEBUG (session:235) RESP: [200] Content-Length: 3361 X-Compute-Request-Id: req-bd073750-982a-4ef7-864a-a5db03e59a68 Vary: X-OpenStack-Nova-API-Version Connection: keep-alive X-Openstack-Nova-Api-Version: 2.1 Date: Thu, 03 Mar 2016 08:43:17 GMT Content-Type: application/json </span></font></div><div style=""><font color="#000000" face="微软雅黑"><span style="font-size:14px;line-height:21px">RESP BODY: {"servers": [{"status": "ACTIVE", "updated": "2016-02-29T06:24:16Z", "hostId": "56b12284bb4d1da6cbd066d15e17df252dac1f0dc6c81a74bf0634b7", "addresses": {"private": [{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:4f:1b:32", "version": 4, "addr": "10.0.0.14", "OS-EXT-IPS:type": "fixed"}, {"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:4f:1b:32", "version": 6, "addr": "fdb7:5d7b:6dcd:0:f816:3eff:fe4f:1b32", "OS-EXT-IPS:type": "fixed"}]}, "links": [{"href": "<a 
href="http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/ee8907c7-0730-4051-8426-64be44300e70">http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/ee8907c7-0730-4051-8426-64be44300e70</a>", "rel": "self"}, {"href": "<a href="http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/servers/ee8907c7-0730-4051-8426-64be44300e70">http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/servers/ee8907c7-0730-4051-8426-64be44300e70</a>", "rel": "bookmark"}], "key_name": null, "image": {"id": "6455625c-a68d-4bd3-ac2e-07382ac5cbf4", "links": [{"href": "<a href="http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/images/6455625c-a68d-4bd3-ac2e-07382ac5cbf4">http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/images/6455625c-a68d-4bd3-ac2e-07382ac5cbf4</a>", "rel": "bookmark"}]}, "OS-EXT-STS:task_state": null, "OS-EXT-STS:vm_state": "active", "OS-SRV-USG:launched_at": "2016-02-29T06:24:16.000000", "flavor": {"id": "1", "links": [{"href": "<a href="http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/flavors/1">http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/flavors/1</a>", "rel": "bookmark"}]}, "id": "ee8907c7-0730-4051-8426-64be44300e70", "security_groups": [{"name": "default"}], "OS-SRV-USG:terminated_at": null, "OS-EXT-AZ:availability_zone": "nova", "user_id": "da935c024dc1444abb7b32390eac4e0b", "name": "test_inject", "created": "2016-02-29T06:24:08Z", "tenant_id": "62bfb653eb0d4d5cabdf635dd8181313", "OS-DCF:diskConfig": "MANUAL", "os-extended-volumes:volumes_attached": [], "accessIPv4": "", "accessIPv6": "", "progress": 0, "OS-EXT-STS:power_state": 1, "config_drive": "True", "metadata": {}}, {"status": "ACTIVE", "updated": "2016-02-29T06:21:22Z", "hostId": "56b12284bb4d1da6cbd066d15e17df252dac1f0dc6c81a74bf0634b7", "addresses": {"private": [{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:63:b0:12", "version": 4, "addr": "10.0.0.13", "OS-EXT-IPS:type": "fixed"}, {"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:63:b0:12", 
"version": 6, "addr": "fdb7:5d7b:6dcd:0:f816:3eff:fe63:b012", "OS-EXT-IPS:type": "fixed"}]}, "links": [{"href": "<a href="http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/40bab05f-0692-43df-a8a9-e7c0d58a73bd">http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/40bab05f-0692-43df-a8a9-e7c0d58a73bd</a>", "rel": "self"}, {"href": "<a href="http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/servers/40bab05f-0692-43df-a8a9-e7c0d58a73bd">http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/servers/40bab05f-0692-43df-a8a9-e7c0d58a73bd</a>", "rel": "bookmark"}], "key_name": null, "image": {"id": "6455625c-a68d-4bd3-ac2e-07382ac5cbf4", "links": [{"href": "<a href="http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/images/6455625c-a68d-4bd3-ac2e-07382ac5cbf4">http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/images/6455625c-a68d-4bd3-ac2e-07382ac5cbf4</a>", "rel": "bookmark"}]}, "OS-EXT-STS:task_state": null, "OS-EXT-STS:vm_state": "active", "OS-SRV-USG:launched_at": "2016-02-29T06:21:22.000000", "flavor": {"id": "1", "links": [{"href": "<a href="http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/flavors/1">http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/flavors/1</a>", "rel": "bookmark"}]}, "id": "40bab05f-0692-43df-a8a9-e7c0d58a73bd", "security_groups": [{"name": "default"}], "OS-SRV-USG:terminated_at": null, "OS-EXT-AZ:availability_zone": "nova", "user_id": "da935c024dc1444abb7b32390eac4e0b", "name": "test_inject", "created": "2016-02-29T06:19:51Z", "tenant_id": "62bfb653eb0d4d5cabdf635dd8181313", "OS-DCF:diskConfig": "MANUAL", "os-extended-volumes:volumes_attached": [], "accessIPv4": "", "accessIPv6": "", "progress": 0, "OS-EXT-STS:power_state": 1, "config_drive": "True", "metadata": {}}]}</span></font></div><div style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px"><br></div></div><div style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px">I think 
this is obviously not consistent, I think we can decide what the behavior should be and make them consistent?</div><div style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px"><br></div><div style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px">Yours,</div><div style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px"><br></div><div style="color:rgb(0,0,0);font-family:微软雅黑;font-size:14px;line-height:21px">Kevin</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 3, 2016 at 3:59 PM, Alex Xu <span dir="ltr"><<a href="mailto:soulxu@gmail.com" target="_blank">soulxu@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">2016-03-03 2:11 GMT+08:00 Matt Riedemann <span dir="ltr"><<a href="mailto:mriedem@linux.vnet.ibm.com" target="_blank">mriedem@linux.vnet.ibm.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><br>
<br>
On 3/2/2016 3:02 AM, Zhenyu Zheng wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>
Hi, Nova,<br>
<br>
While I'm working on adding "changes-since" parameter support for the<br>
python-novaclient "list" CLI.<br>
<br>
I realized that non-admins can list all deleted instances using the<br>
"changes-since" parameter. This is reasonable at some level, as a delete<br>
is an update to an instance. But we have a limitation that when listing<br>
instances, the deleted parameter is only allowed for admin users.<br>
<br>
This leads to an inconsistency in the rule for showing deleted instances, as<br>
we limit the list of deleted instances to admin only, but non-admins can<br>
get the information using changes-since.<br>
<br>
Should we fix this?<br>
<br>
<a href="https://bugs.launchpad.net/nova/+bug/1552071" rel="noreferrer" target="_blank">https://bugs.launchpad.net/nova/+bug/1552071</a><br>
<br>
Thanks,<br>
<br>
Kevin Zheng<br>
<br>
<br></div></div>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
<br>
Unless I'm missing some use case, I think that listing instances for non-admins should be restricted to the instances they own, regardless of whether or not they are deleted, period.<br></blockquote><div><br></div></span><div>agree with this. I didn't see a problem showing the deleted instance for non-admins.</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
As for listing deleted instances as an admin, that was broken with the 2.16 microversion and there is a fix here:<br>
<br>
<a href="https://review.openstack.org/#/c/283820/" rel="noreferrer" target="_blank">https://review.openstack.org/#/c/283820/</a><span><font color="#888888"><br>
<br>
-- <br>
<br>
Thanks,<br>
<br>
Matt Riedemann<br>
<br>
<br>
</font></span></blockquote></span></div><br></div></div>
<br></blockquote></div><br></div>
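Added example, not from the thread and not nova's own code: a minimal Python model of the behaviour the thread converges on, where `status=deleted`, `deleted=True` and `changes-since` are reduced to one filter and non-admins are scoped to the instances they own at a single decision point. The sample rows, the function names and the handling of `all_tenants` are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample rows (not real data): a soft-delete flag per server.
SERVERS = [
    {"id": "a1", "project": "p1", "deleted": False, "updated": "2016-02-29T06:24:16Z"},
    {"id": "a2", "project": "p1", "deleted": True, "updated": "2016-03-01T10:00:00Z"},
    {"id": "b1", "project": "p2", "deleted": True, "updated": "2016-03-02T09:00:00Z"},
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize_filters(params):
    """Reduce status=deleted, deleted=True and changes-since to one filter dict."""
    status_deleted = params.get("status", "").lower() == "deleted"
    flag_deleted = str(params.get("deleted", "")).lower() in ("1", "true")
    since = _ts(params["changes-since"]) if "changes-since" in params else None
    if status_deleted or flag_deleted:
        deleted = True            # both spellings mean "deleted only"
    elif since is not None:
        deleted = None            # changes-since reports deletions as updates
    else:
        deleted = False           # a plain listing hides deleted rows
    return {"deleted": deleted, "since": since}

def list_servers(project_id, is_admin, params, rows=SERVERS):
    """Single decision point: ownership scoping, no per-parameter admin check."""
    f = normalize_filters(params)
    all_projects = is_admin and params.get("all_tenants") == "1"
    out = []
    for row in rows:
        if not all_projects and row["project"] != project_id:
            continue              # non-admins only ever see rows they own
        if f["deleted"] is not None and row["deleted"] != f["deleted"]:
            continue
        if f["since"] is not None and _ts(row["updated"]) < f["since"]:
            continue
        out.append(row["id"])
    return out
```

Because the ownership check never looks at which parameter asked for deleted rows, the three request forms cannot drift apart the way the 403 on `status=deleted` and the ignored `deleted=True` do in the message above.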