[Openstack-security] [Bug 1118066] Re: Possible to get and update quotas for nonexistant tenant

Joe Gordon 1118066 at bugs.launchpad.net
Wed Jan 22 02:45:49 UTC 2014


>"And as an admin (trusted user), we expect them to not break things."
>
>Sorry, I am going to have to disagree with you on this. The interface gives no indication that the request failed to produce the
>desired effect. Add to that several facts: many quota-exceeded errors are masked by other quota exceeded error names and end
>users will report quota exceeded errors as "my instance failed to start". These all add up to a bad user experience.

Yup, the UX is horrible for this one. Can you expand on the error
masking point?

>"This is part of a bigger issue, which is nova doesn't have great RBAC support. Say you want to create a tenant admin who can set >quotas per user."
>
>I don't see how role-based access control is necessary when a simple check "does this string correspond to a real project UUID (or
>name if you want to support that)" would suffice.

So nova doesn't keep track of project UUIDs, so this would have to be
implemented as a call out to keystone. So I am not very familiar with
the keystone API but I think you would need to call
v2.0/tenants{/tenantId}
(http://docs.openstack.org/api/openstack-identity-service/2.0/content/Tenant_Operations.html)
to make sure the tenant is valid or not.


>
>Marking as open for these reasons.

Perhaps opinion was the wrong status. While I agree that there is
something to fix here, I am not sure how you want to change things.  For
this to be confirmed I would like a more explicit explanation of what
the issue is and what the desired outcome should be.  Do you just want
to make sure the tenant is valid? If so I can get behind that, but the
bug description needs some updating.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1118066

Title:
  Possible to get and update quotas for nonexistant tenant

Status in OpenStack Compute (Nova):
  Confirmed

Bug description:
  GET /v2/:tenant/os-quota-sets/:this_tenant_does_not_exist
  returns 200 with the default quotas.

  Moreover
  POST /v2/:tenant/os-quota-sets/:this_tenant_does_not_exist
  with updated quotas succeeds and that metadata is saved!

  I'm not sure if this is a bug or not. I cannot find any documentation
  on this interface.
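
An added example (not from this thread and not Nova or Keystone code): a small in-memory model of the behaviour in the bug description, next to the tenant-existence check discussed in the reply, plus an audit for quota rows already saved under unknown IDs. All class and function names, tenant IDs and quota values are constructed; `keystone_has_tenant` stands in for the Keystone call to `v2.0/tenants/{tenantId}`.

```python
# Added illustration: all names are hypothetical, not Nova or Keystone code.
DEFAULT_QUOTAS = {"instances": 10, "cores": 20, "ram": 51200}  # constructed values
KNOWN_TENANTS = {"3f2a9c", "b71e04"}  # constructed IDs standing in for Keystone's list


class TenantNotFound(Exception):
    """The identity service does not know this tenant ID."""


def keystone_has_tenant(tenant_id):
    # Stand-in for a GET on v2.0/tenants/{tenantId}; a real check would
    # treat a 404 from Keystone as "tenant does not exist".
    return tenant_id in KNOWN_TENANTS


class QuotaStore:
    """In-memory model of the quota data behind os-quota-sets."""

    def __init__(self, tenant_exists=None):
        # tenant_exists=None reproduces the reported behaviour: no validation.
        self.tenant_exists = tenant_exists
        self.overrides = {}

    def _require_tenant(self, tenant_id):
        if self.tenant_exists is not None and not self.tenant_exists(tenant_id):
            raise TenantNotFound(tenant_id)

    def get(self, tenant_id):
        self._require_tenant(tenant_id)
        return {**DEFAULT_QUOTAS, **self.overrides.get(tenant_id, {})}

    def update(self, tenant_id, **limits):
        self._require_tenant(tenant_id)
        unknown = set(limits) - set(DEFAULT_QUOTAS)
        if unknown:
            raise ValueError(f"unknown quota keys: {sorted(unknown)}")
        self.overrides.setdefault(tenant_id, {}).update(limits)
        return self.get(tenant_id)

    def orphaned(self, tenant_exists):
        """Audit: tenant IDs with saved quota rows that identity does not know."""
        return sorted(t for t in self.overrides if not tenant_exists(t))


if __name__ == "__main__":
    legacy = QuotaStore()                        # behaviour from the bug report
    legacy.update("3f2a9x", instances=50)        # typo of 3f2a9c is saved anyway
    print(legacy.get("3f2a9c")["instances"])     # real tenant still at the default
    print(legacy.orphaned(keystone_has_tenant))  # the stray row shows up in an audit
```

Constructing the store as `QuotaStore(keystone_has_tenant)` makes both `get` and `update` raise `TenantNotFound` for the mistyped ID instead of returning a result that looks like success.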
