[openstack-dev] [nova] Non-Admin user can show deleted instances using changes-since parameter when calling list API

Matt Riedemann mriedem at linux.vnet.ibm.com
Wed Mar 2 18:11:50 UTC 2016



On 3/2/2016 3:02 AM, Zhenyu Zheng wrote:
> Hi, Nova,
>
> While working on adding "changes-since" parameter support for the
> python-novaclient "list" CLI, I realized that non-admin users can list
> all deleted instances using the "changes-since" parameter. This is
> reasonable on some level, as delete is an update to instances. But we
> have a limitation that, when listing instances, the deleted parameter
> is only allowed for admin users.
>
> This leads to an inconsistency with the rule for showing deleted
> instances, as we limit the list of deleted instances to admin only, but
> non-admin can get the information using changes-since.
>
> Should we fix this?
>
> https://bugs.launchpad.net/nova/+bug/1552071
>
> Thanks,
>
> Kevin Zheng

Unless I'm missing some use case, I think that listing instances for 
non-admins should be restricted to the instances they own, regardless of 
whether or not they are deleted, period.

As for listing deleted instances as an admin, that was broken with the
2.16 microversion and there is a fix here:

https://review.openstack.org/#/c/283820/

-- 

Thanks,

Matt Riedemann
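
The behaviour discussed in this thread, as an added example that is not part of either message and is not nova's code: a simplified model of how list filters are built, showing the "deleted" parameter being ignored for non-admins while "changes-since" still returns their deleted instances, with ownership scoping applied in every case. The record fields, function names and the hide_deleted_from_non_admin switch are assumptions made for illustration.

```python
from datetime import datetime, timezone

def _ts(day):
    return datetime(2016, 3, day, tzinfo=timezone.utc)

# Constructed sample records (not real data).
INSTANCES = [
    {"id": "vm-1", "project_id": "proj-a", "deleted": False, "updated_at": _ts(1)},
    {"id": "vm-2", "project_id": "proj-a", "deleted": True, "updated_at": _ts(2)},
    {"id": "vm-3", "project_id": "proj-b", "deleted": True, "updated_at": _ts(2)},
]

def build_filters(is_admin, project_id, params, hide_deleted_from_non_admin=False):
    """Turn request parameters into the filters the listing will apply."""
    filters = {}
    if not is_admin:
        # Ownership scoping comes from the caller's context, never from params.
        filters["project_id"] = project_id
    if "changes-since" in params:
        filters["changes-since"] = params["changes-since"]
        # A delete counts as a change, so deleted rows are included here
        # unless the stricter (hypothetical) rule is enabled for non-admins.
        if hide_deleted_from_non_admin and not is_admin:
            filters["deleted"] = False
    elif is_admin and "deleted" in params:
        filters["deleted"] = params["deleted"]
    else:
        # The "deleted" parameter is ignored for non-admin callers.
        filters["deleted"] = False
    return filters

def list_instances(is_admin, project_id, params, **kw):
    """Apply the built filters to the sample records and return matching ids."""
    f = build_filters(is_admin, project_id, params, **kw)
    out = []
    for inst in INSTANCES:
        if "project_id" in f and inst["project_id"] != f["project_id"]:
            continue
        if "deleted" in f and inst["deleted"] != f["deleted"]:
            continue
        if "changes-since" in f and inst["updated_at"] < f["changes-since"]:
            continue
        out.append(inst["id"])
    return out
```
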
