[Openstack-security] [Bug 1118066] Re: Possible to get and update quotas for nonexistant tenant
Scott Devoid
devoid at anl.gov
Wed Jan 22 01:25:17 UTC 2014
"And as an admin (trusted user), we expect them to not break things."

Sorry, I am going to have to disagree with you on this. The interface
gives no indication that the request failed to produce the desired
effect. Add to that several facts: many quota-exceeded errors are
masked by other quota exceeded error names and end users will report
quota exceeded errors as "my instance failed to start". These all add up
to a bad user experience.

"This is part of a bigger issue, which is nova doesn't have great RBAC
support. Say you want to create a tenant admin who can set quotas per
user."

I don't see how role-based access control is necessary when a simple
check "does this string correspond to a real project UUID (or name if
you want to support that)" would suffice.

Marking as open for these reasons.

--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1118066
Title:
Possible to get and update quotas for nonexistant tenant
Status in OpenStack Compute (Nova):
Confirmed
Bug description:

  GET /v2/:tenant/os-quota-sets/:this_tenant_does_not_exist

  returns 200 with the default quotas.

  Moreover

  POST /v2/:tenant/os-quota-sets/:this_tenant_does_not_exist

  with updated quotas succeeds and that metadata is saved!

  I'm not sure if this is a bug or not. I cannot find any documentation
  on this interface.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1118066/+subscriptions
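
The existence check discussed in this thread, as an added example that is not Nova code and not part of the original message: it puts the unchecked quota get/update from the bug description beside a version that rejects unknown project IDs, plus an audit that lists overrides already saved for IDs matching no project. QuotaStore, ProjectNotFound, known_projects and the sample IDs are hypothetical; known_projects stands in for a lookup against the identity service.

```python
# Added illustration, not Nova code. All names and IDs are hypothetical.
DEFAULT_QUOTAS = {"instances": 10, "cores": 20}


class ProjectNotFound(Exception):
    """An API layer would translate this into an HTTP 404."""


class QuotaStore:
    def __init__(self, known_projects):
        # Assumption: stands in for asking the identity service
        # whether a project ID exists.
        self.known_projects = set(known_projects)
        self.overrides = {}  # project_id -> {resource: limit}

    def get_unchecked(self, project_id):
        # Behaviour in the bug description: any string gets defaults back.
        return {**DEFAULT_QUOTAS, **self.overrides.get(project_id, {})}

    def update_unchecked(self, project_id, limits):
        # Behaviour in the bug description: the override is saved anyway.
        self.overrides.setdefault(project_id, {}).update(limits)
        return self.get_unchecked(project_id)

    def _require_project(self, project_id):
        if project_id not in self.known_projects:
            raise ProjectNotFound(project_id)

    def get_checked(self, project_id):
        self._require_project(project_id)
        return self.get_unchecked(project_id)

    def update_checked(self, project_id, limits):
        # Validate before writing so a mistyped ID fails loudly.
        self._require_project(project_id)
        return self.update_unchecked(project_id, limits)

    def orphaned_overrides(self):
        # Audit: overrides stored under IDs that match no real project.
        return sorted(set(self.overrides) - self.known_projects)


if __name__ == "__main__":
    store = QuotaStore({"proj-a1b2"})  # constructed sample project ID
    # An admin mistypes the ID: the call "succeeds" but changes nothing useful.
    print(store.update_unchecked("proj-a1b3", {"instances": 50}))
    print(store.get_unchecked("proj-a1b2"))   # real project still at defaults
    print(store.orphaned_overrides())         # the stray record left behind
```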