<div dir="ltr">Yes, so you are suggesting fixing the return data for non-admin users using 'nova list --deleted' but leaving non-admin use of 'nova list --status=deleted' as is. Or would it be better to also submit a BP for next cycle to add support for non-admin use of '--status=deleted' with microversions? Because in my opinion, if we allow non-admin use of "nova list --deleted", there will be no reason for us to limit the use of "--status=deleted".</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 4, 2016 at 12:37 AM, Matt Riedemann <span dir="ltr"><<a href="mailto:mriedem@linux.vnet.ibm.com" target="_blank">mriedem@linux.vnet.ibm.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"><br>
<br>
On 3/3/2016 10:02 AM, Matt Riedemann wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
On 3/3/2016 2:55 AM, Zhenyu Zheng wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Yes, I agree with you guys; I'm also OK with non-admin users listing<br>
their own instances no matter what status they are in.<br>
<br>
My question is this:<br>
I have done some tests, and we have 2 different ways to list deleted<br>
instances (not counting using changes-since):<br>
<br>
1.<br>
"GET<br>
/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?status=deleted<br>
HTTP/1.1"<br>
(nova list --status deleted in CLI)<br>
2. REQ: curl -g -i -X GET<br>
<a href="http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?deleted=True" rel="noreferrer" target="_blank">http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?deleted=True</a><br>
(nova<br>
list --deleted in CLI)<br>
<br>
for admin users, we can get deleted instances in both cases (after the fix of Matt's<br>
patch).<br>
<br>
But for non-admin users, #1 is restricted here:<br>
<a href="https://git.openstack.org/cgit/openstack/nova/tree/nova/api/openstack/compute/servers.py#n350" rel="noreferrer" target="_blank">https://git.openstack.org/cgit/openstack/nova/tree/nova/api/openstack/compute/servers.py#n350</a><br>
<br>
and it will return 403 error:<br>
RESP BODY: {"forbidden": {"message": "Only administrators may list<br>
deleted instances", "code": 403}}<br>
</blockquote>
<br>
This is part of the API so if we were going to allow non-admins to query<br>
for deleted servers using status=deleted, it would have to be a<br>
microversion change. [1] I could also see that being policy-driven.<br>
<br>
It does seem odd and inconsistent though that non-admins can't query<br>
with status=deleted but they can query with deleted=True in the query<br>
options.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
and for #2 it will strangely return servers that are not in deleted<br>
status:<br>
</blockquote>
<br>
This seems like a bug. I tried looking for something obvious in the code<br>
but I'm not seeing the issue, I'd suspect something down in the DB API<br>
code that's doing the filtering.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
DEBUG (connectionpool:387) "GET<br>
/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/detail?deleted=True<br>
HTTP/1.1" 200 3361<br>
DEBUG (session:235) RESP: [200] Content-Length: 3361<br>
X-Compute-Request-Id: req-bd073750-982a-4ef7-864a-a5db03e59a68 Vary:<br>
X-OpenStack-Nova-API-Version Connection: keep-alive<br>
X-Openstack-Nova-Api-Version: 2.1 Date: Thu, 03 Mar 2016 08:43:17 GMT<br>
Content-Type: application/json<br>
RESP BODY: {"servers": [{"status": "ACTIVE", "updated":<br>
"2016-02-29T06:24:16Z", "hostId":<br>
"56b12284bb4d1da6cbd066d15e17df252dac1f0dc6c81a74bf0634b7", "addresses":<br>
{"private": [{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:4f:1b:32", "version":<br>
4, "addr": "10.0.0.14", "OS-EXT-IPS:type": "fixed"},<br>
{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:4f:1b:32", "version": 6, "addr":<br>
"fdb7:5d7b:6dcd:0:f816:3eff:fe4f:1b32", "OS-EXT-IPS:type": "fixed"}]},<br>
"links": [{"href":<br>
"<a href="http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/ee8907c7-0730-4051-8426-64be44300e70" rel="noreferrer" target="_blank">http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/ee8907c7-0730-4051-8426-64be44300e70</a>",<br>
<br>
"rel": "self"}, {"href":<br>
"<a href="http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/servers/ee8907c7-0730-4051-8426-64be44300e70" rel="noreferrer" target="_blank">http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/servers/ee8907c7-0730-4051-8426-64be44300e70</a>",<br>
<br>
"rel": "bookmark"}], "key_name": null, "image": {"id":<br>
"6455625c-a68d-4bd3-ac2e-07382ac5cbf4", "links": [{"href":<br>
"<a href="http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/images/6455625c-a68d-4bd3-ac2e-07382ac5cbf4" rel="noreferrer" target="_blank">http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/images/6455625c-a68d-4bd3-ac2e-07382ac5cbf4</a>",<br>
<br>
"rel": "bookmark"}]}, "OS-EXT-STS:task_state": null,<br>
"OS-EXT-STS:vm_state": "active", "OS-SRV-USG:launched_at":<br>
"2016-02-29T06:24:16.000000", "flavor": {"id": "1", "links": [{"href":<br>
"<a href="http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/flavors/1" rel="noreferrer" target="_blank">http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/flavors/1</a>",<br>
"rel": "bookmark"}]}, "id": "ee8907c7-0730-4051-8426-64be44300e70",<br>
"security_groups": [{"name": "default"}], "OS-SRV-USG:terminated_at":<br>
null, "OS-EXT-AZ:availability_zone": "nova", "user_id":<br>
"da935c024dc1444abb7b32390eac4e0b", "name": "test_inject", "created":<br>
"2016-02-29T06:24:08Z", "tenant_id": "62bfb653eb0d4d5cabdf635dd8181313",<br>
"OS-DCF:diskConfig": "MANUAL", "os-extended-volumes:volumes_attached":<br>
[], "accessIPv4": "", "accessIPv6": "", "progress": 0,<br>
"OS-EXT-STS:power_state": 1, "config_drive": "True", "metadata": {}},<br>
{"status": "ACTIVE", "updated": "2016-02-29T06:21:22Z", "hostId":<br>
"56b12284bb4d1da6cbd066d15e17df252dac1f0dc6c81a74bf0634b7", "addresses":<br>
{"private": [{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:63:b0:12", "version":<br>
4, "addr": "10.0.0.13", "OS-EXT-IPS:type": "fixed"},<br>
{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:63:b0:12", "version": 6, "addr":<br>
"fdb7:5d7b:6dcd:0:f816:3eff:fe63:b012", "OS-EXT-IPS:type": "fixed"}]},<br>
"links": [{"href":<br>
"<a href="http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/40bab05f-0692-43df-a8a9-e7c0d58a73bd" rel="noreferrer" target="_blank">http://10.229.45.17:8774/v2.1/62bfb653eb0d4d5cabdf635dd8181313/servers/40bab05f-0692-43df-a8a9-e7c0d58a73bd</a>",<br>
<br>
"rel": "self"}, {"href":<br>
"<a href="http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/servers/40bab05f-0692-43df-a8a9-e7c0d58a73bd" rel="noreferrer" target="_blank">http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/servers/40bab05f-0692-43df-a8a9-e7c0d58a73bd</a>",<br>
<br>
"rel": "bookmark"}], "key_name": null, "image": {"id":<br>
"6455625c-a68d-4bd3-ac2e-07382ac5cbf4", "links": [{"href":<br>
"<a href="http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/images/6455625c-a68d-4bd3-ac2e-07382ac5cbf4" rel="noreferrer" target="_blank">http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/images/6455625c-a68d-4bd3-ac2e-07382ac5cbf4</a>",<br>
<br>
"rel": "bookmark"}]}, "OS-EXT-STS:task_state": null,<br>
"OS-EXT-STS:vm_state": "active", "OS-SRV-USG:launched_at":<br>
"2016-02-29T06:21:22.000000", "flavor": {"id": "1", "links": [{"href":<br>
"<a href="http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/flavors/1" rel="noreferrer" target="_blank">http://10.229.45.17:8774/62bfb653eb0d4d5cabdf635dd8181313/flavors/1</a>",<br>
"rel": "bookmark"}]}, "id": "40bab05f-0692-43df-a8a9-e7c0d58a73bd",<br>
"security_groups": [{"name": "default"}], "OS-SRV-USG:terminated_at":<br>
null, "OS-EXT-AZ:availability_zone": "nova", "user_id":<br>
"da935c024dc1444abb7b32390eac4e0b", "name": "test_inject", "created":<br>
"2016-02-29T06:19:51Z", "tenant_id": "62bfb653eb0d4d5cabdf635dd8181313",<br>
"OS-DCF:diskConfig": "MANUAL", "os-extended-volumes:volumes_attached":<br>
[], "accessIPv4": "", "accessIPv6": "", "progress": 0,<br>
"OS-EXT-STS:power_state": 1, "config_drive": "True", "metadata": {}}]}<br>
<br>
I think this is obviously not consistent. Can we decide what the<br>
behavior should be and make them consistent?<br>
<br>
Yours,<br>
<br>
Kevin<br>
<br>
On Thu, Mar 3, 2016 at 3:59 PM, Alex Xu <<a href="mailto:soulxu@gmail.com" target="_blank">soulxu@gmail.com</a><br>
<mailto:<a href="mailto:soulxu@gmail.com" target="_blank">soulxu@gmail.com</a>>> wrote:<br>
<br>
<br>
<br>
    2016-03-03 2:11 GMT+08:00 Matt Riedemann <<a href="mailto:mriedem@linux.vnet.ibm.com" target="_blank">mriedem@linux.vnet.ibm.com</a><br>
    <mailto:<a href="mailto:mriedem@linux.vnet.ibm.com" target="_blank">mriedem@linux.vnet.ibm.com</a>>>:<br>
<br>
<br>
<br>
        On 3/2/2016 3:02 AM, Zhenyu Zheng wrote:<br>
<br>
            Hi, Nova,<br>
<br>
            While I'm working on adding "changes-since" parameter support<br>
            for the python-novaclient "list" CLI, I realized that non-admins<br>
            can list all deleted instances using the "changes-since"<br>
            parameter. This is reasonable on some level, as delete is an<br>
            update to instances. But we have a limitation that when listing<br>
            instances, the deleted parameter is only allowed for admin users.<br>
<br>
            This will lead to inconsistency in the rule for showing deleted<br>
            instances, as we limit the list of deleted instances to admin only,<br>
            but non-admins can get the information using changes-since.<br>
<br>
            Should we fix this?<br>
<br>
            <a href="https://bugs.launchpad.net/nova/+bug/1552071" rel="noreferrer" target="_blank">https://bugs.launchpad.net/nova/+bug/1552071</a><br>
<br>
            Thanks,<br>
<br>
            Kevin Zheng<br>
<br>
<br>
<br>
__________________________________________________________________________<br>
<br>
            OpenStack Development Mailing List (not for usage questions)<br>
            Unsubscribe:<br>
<br>
<a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<<a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>><br>
<br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
<br>
        Unless I'm missing some use case, I think that listing instances<br>
        for non-admins should be restricted to the instances they own,<br>
        regardless of whether or not they are deleted, period.<br>
<br>
<br>
    agree with this. I didn't see a problem showing the deleted instance<br>
    for non-admins.<br>
<br>
<br>
        As for listing deleted instances as an admin, that was broken<br>
        with the 2.16 microversion and there is a fix here:<br>
<br>
        <a href="https://review.openstack.org/#/c/283820/" rel="noreferrer" target="_blank">https://review.openstack.org/#/c/283820/</a><br>
<br>
        --<br>
<br>
        Thanks,<br>
<br>
        Matt Riedemann<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
<br>
[1]<br>
<a href="https://git.openstack.org/cgit/openstack/nova/tree/nova/api/openstack/compute/servers.py?id=3a0e5f985fdd4b067d68450360cf62d57e82ecb2#n355" rel="noreferrer" target="_blank">https://git.openstack.org/cgit/openstack/nova/tree/nova/api/openstack/compute/servers.py?id=3a0e5f985fdd4b067d68450360cf62d57e82ecb2#n355</a><br>
<br>
<br>
</blockquote>
<br></div></div>
I confirmed what you're seeing [1].  A non-admin can use `nova list --deleted` and it's not an error but non-deleted instances are returned.  But a non-admin can't use `nova list --status=deleted` because only admins can perform that operation since the REST API code explicitly checks the context.<br>
<br>
[1] <a href="https://gist.github.com/mriedem/1299a15007e413ff646a" rel="noreferrer" target="_blank">https://gist.github.com/mriedem/1299a15007e413ff646a</a><div class="HOEnZb"><div class="h5"><br>
<br>
-- <br>
<br>
Thanks,<br>
<br>
Matt Riedemann<br>
<br>
<br>
</div></div></blockquote></div><br></div>
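As an added illustration (not nova's code, and not written by anyone in this thread): a small Python model of the two query spellings the thread compares, `status=deleted` and `deleted=True`, run over a constructed four-row instance table. `observed_list_servers` reproduces the behaviour reported above (403 for non-admin `status=deleted`; live instances returned for non-admin `deleted=True`; the thread does not establish the cause, so the drop of the filter is modelled, not explained), and `list_servers` applies the rule Matt and Alex agree on: project scoping decides what a caller sees, and both spellings return the same rows. `Context`, `Forbidden`, the `DB` table and every id in it are constructed assumptions.

```python
"""Constructed model of the two "list deleted servers" filters from the thread.

Added illustration, not nova's code. It models the API surface discussed
(GET /servers/detail?status=deleted and ?deleted=True) over an in-memory
table, with one rule for both spellings: non-admin callers see only
instances from their own project, whether deleted or not.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


class Forbidden(Exception):
    """Stands in for the HTTP 403 "forbidden" body the API returns."""


@dataclass(frozen=True)
class Context:
    """Minimal request context (assumed): the caller's project and admin flag."""
    project_id: str
    is_admin: bool = False


# Constructed sample instance table; ids and project names are hypothetical.
DB: List[Dict] = [
    {"id": "srv-1", "project_id": "proj-a", "vm_state": "active", "deleted": False},
    {"id": "srv-2", "project_id": "proj-a", "vm_state": "deleted", "deleted": True},
    {"id": "srv-3", "project_id": "proj-b", "vm_state": "active", "deleted": False},
    {"id": "srv-4", "project_id": "proj-b", "vm_state": "deleted", "deleted": True},
]


def _wants_deleted(query: Dict[str, str]) -> Optional[bool]:
    """Normalise ``status=deleted`` and ``deleted=<bool>`` into one answer.

    True: deleted instances only; False: live instances only;
    None: no deleted filter was requested.
    """
    if query.get("status", "").lower() == "deleted":
        return True
    if "deleted" in query:
        return str(query["deleted"]).lower() in ("true", "1", "yes")
    return None


def _scope(ctx: Context, db: List[Dict]) -> List[Dict]:
    """Admins see every project; everyone else only their own."""
    if ctx.is_admin:
        return list(db)
    return [r for r in db if r["project_id"] == ctx.project_id]


def observed_list_servers(ctx: Context, query: Dict[str, str], db=DB) -> List[str]:
    """Behaviour as reported in the thread (modelled; cause not established).

    Non-admin + status=deleted -> 403. Non-admin + deleted=True -> the
    deleted filter is silently dropped and live instances come back.
    """
    if query.get("status", "").lower() == "deleted" and not ctx.is_admin:
        raise Forbidden("Only administrators may list deleted instances")
    rows = _scope(ctx, db)
    want_deleted = _wants_deleted(query) if ctx.is_admin else None
    if want_deleted is None:
        rows = [r for r in rows if not r["deleted"]]
    else:
        rows = [r for r in rows if r["deleted"] == want_deleted]
    return [r["id"] for r in rows]


def list_servers(ctx: Context, query: Dict[str, str], db=DB) -> List[str]:
    """Consistent rule: project scoping decides visibility, not the spelling
    of the deleted filter, so both query forms return the same rows."""
    rows = _scope(ctx, db)
    want_deleted = _wants_deleted(query)
    if want_deleted is None:
        # Default listing excludes deleted instances, as the API does.
        rows = [r for r in rows if not r["deleted"]]
    else:
        rows = [r for r in rows if r["deleted"] == want_deleted]
    status = query.get("status", "").lower()
    if status and status != "deleted":
        # Any other status value filters on vm_state as usual.
        rows = [r for r in rows if r["vm_state"] == status]
    return [r["id"] for r in rows]


def is_forbidden(fn, ctx: Context, query: Dict[str, str]) -> bool:
    """Does this call raise the modelled 403?"""
    try:
        fn(ctx, query)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    tenant = Context("proj-a")
    for q in ({"status": "deleted"}, {"deleted": "True"}):
        seen = ("forbidden" if is_forbidden(observed_list_servers, tenant, q)
                else observed_list_servers(tenant, q))
        print("observed  ", q, "->", seen)
        print("consistent", q, "->", list_servers(tenant, q))
```

Run as a script it prints the two outcomes side by side for a non-admin context: the observed model gives a 403 for one spelling and a live instance for the other, while the consistent model returns the caller's own deleted instance for both. Keeping the normalisation in one place (`_wants_deleted`) is what removes the gap between the two parameters; the policy question the thread raises (whether to gate deleted listings at all) would then be a single check in front of `_scope`, not two different code paths.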