[openstack-dev] [nova] Non-Admin user can show deleted instances using changes-since parameter when calling list API

Alex Xu soulxu at gmail.com
Thu Mar 3 07:59:56 UTC 2016


2016-03-03 2:11 GMT+08:00 Matt Riedemann <mriedem at linux.vnet.ibm.com>:

>
>
> On 3/2/2016 3:02 AM, Zhenyu Zheng wrote:
>
>> Hi, Nova,
>>
>> While working on adding "changes-since" parameter support for the
>> python-novaclient "list" CLI, I realized that a non-admin can list all
>> deleted instances using the "changes-since" parameter. This is reasonable
>> at some level, as a delete is an update to an instance. But we have a
>> limitation that, when listing instances, the deleted parameter is only
>> allowed for admin users.
>>
>> This leads to an inconsistency with the rule for showing deleted instances,
>> as we limit the listing of deleted instances to admin only, but a non-admin
>> can get the information using changes-since.
>>
>> Should we fix this?
>>
>> https://bugs.launchpad.net/nova/+bug/1552071
>>
>> Thanks,
>>
>> Kevin Zheng
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
> Unless I'm missing some use case, I think that listing instances for
> non-admins should be restricted to the instances they own, regardless of
> whether or not they are deleted, period.
>

Agree with this. I didn't see a problem showing the deleted instance for
non-admins.


>
> As for listing deleting instances as an admin, that was broken with the
> 2.16 microversion and there is a fix here:
>
> https://review.openstack.org/#/c/283820/
>
> --
>
> Thanks,
>
> Matt Riedemann
>
>
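
The inconsistency discussed in this thread, as an added example that is not part of the original messages and is not Nova code: a toy list handler in which the `deleted` filter is admin-only while `changes-since` still returns deleted rows, plus an audit that compares what each query path exposes. The record fields, the context dict and all function names are assumptions made for illustration.

```python
from datetime import datetime, timezone

def _ts(day):
    return datetime(2016, 3, day, tzinfo=timezone.utc)

# Constructed sample records; field names are assumptions, not Nova's schema.
INSTANCES = [
    {"id": "a1", "project": "p1", "deleted": False, "updated": _ts(1)},
    {"id": "a2", "project": "p1", "deleted": True, "updated": _ts(2)},
    {"id": "b1", "project": "p2", "deleted": True, "updated": _ts(2)},
]

def list_instances(ctx, filters, records=INSTANCES):
    """Toy list handler that reproduces the behaviour reported in the thread."""
    filters = dict(filters)
    if not ctx["is_admin"]:
        filters.pop("deleted", None)  # the 'deleted' filter is admin-only
    since = filters.get("changes-since")
    want_deleted = bool(filters.get("deleted", False))
    visible = []
    for rec in records:
        if not ctx["is_admin"] and rec["project"] != ctx["project"]:
            continue  # non-admins are scoped to their own project
        if since is not None:
            if rec["updated"] >= since:  # a delete counts as an update
                visible.append(rec["id"])
        elif rec["deleted"] == want_deleted:
            visible.append(rec["id"])
    return visible

def audit_deleted_visibility(ctx, records=INSTANCES):
    """Return, per query path, the deleted instance ids the caller can see."""
    deleted_ids = {r["id"] for r in records if r["deleted"]}
    paths = {
        "deleted=True": {"deleted": True},
        "changes-since": {"changes-since": _ts(1)},
    }
    return {name: sorted(deleted_ids & set(list_instances(ctx, f, records)))
            for name, f in paths.items()}

def foreign_ids_visible(ctx, records=INSTANCES):
    """Ids from other projects reachable by any path (should stay empty)."""
    foreign = {r["id"] for r in records if r["project"] != ctx["project"]}
    seen = set()
    for f in ({}, {"deleted": True}, {"changes-since": _ts(1)}):
        seen |= set(list_instances(ctx, f, records))
    return sorted(foreign & seen)
```

For a non-admin in project `p1` the audit shows the two paths disagreeing about the caller's own deleted instance, while the ownership check stays empty on every path.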