Private flavors can't be used

More information and, very likely, a different bug.

I launched an instance using the private flavor and it worked.
Fine!
So, what I reported when I opened the bug seems to be related to display.

But, if I change the current project (aka tenant), I can still use the flavor that's supposed to be private.

In fact I changed the current user and the current tenant, the latter is NOT associated to the private flavor.

Then I launched an instance indicating the private flavor I created.

$ nova boot testFlavor10Marco1 --image f413b150-48d3-4c50-a265-9711805cce17 --flavor 10

+------------------------+--------------------------------------+
| Property | Value |
+------------------------+--------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| accessIPv4 | |
| accessIPv6 | |
| adminPass | qdsRTn27B7Wb |
| config_drive | |
| created | 2012-11-27T15:18:57Z |
| flavor | myFlavor |
| hostId | |
| id | 8d1ad41a-f3fc-4b39-9a8a-274f3d1f6692 |
| image | cirros-0.3.0-x86_64-disk |
| key_name | None |
| metadata | {} |
| name | testFlavor10Marco1 |
| progress | 0 |
| security_groups | [{u'name': u'default'}] |
| status | BUILD |
| tenant_id | 2648f9f2fa894e2c82d2f29aa1b0fc37 |
| updated | 2012-11-27T15:19:00Z |
| user_id | 3af9666f4e504c65b6b2c3257e8c752d |
+------------------------+--------------------------------------+

The operation succeed but it shouldn't because the tenant I'm using is NOT associated to the private flavor.

Another strange behavior.

I submitted the following command indicating the private flavor I created:

$ nova flavor-show 10
+----------------------------+----------+
| Property | Value |
+----------------------------+----------+
| OS-FLV-DISABLED:disabled | False |
| OS-FLV-EXT-DATA:ephemeral | 0 |
| disk | 30 |
| extra_specs | {} |
| id | 10 |
| name | myFlavor |
| os-flavor-access:is_public | True |
| ram | 700 |
| rxtx_factor | 1.0 |
| swap | |
| vcpus | 3 |
+----------------------------+----------+

It's interesting to notice that os-flavor-access:is_public is set to TRUE but, if submit the 'plain' command nova flavor-list, flavor 10 is not displayed (it is not public, as expected). This is also confirmed by looking in mysql DB where I find that flag is_public is set to 0.

Given that, what's the meaning of os-flavor-access:is_public ?

I was albe to replicate this. I was able to create an instance from a NON public flavor I have NO access to.

I'm able to reproduce this.
There is anyone working on it?

Hi, I am very honored to share ideas. i want to prevent other tenants accessing my private flavor, such as these commands nova

flavor-list ,nova flavor-show . We all know that only administrator can run these commands,such as create flavor and

nova flavor-access-add.

codes: (flavors.py)
def show(self, req, id):
    """Return data about the given flavor id."""
    try:
    flavor = instance_types.get_instance_type_by_flavor_id(id)
    context = req.environ['nova.context']
    if not context.is_admin:
        flavors = self._get_flavors(req)
        flavor_is_not = False
        for k in flavors:
            if k.get('flavorid', None) != flavor.get('flavorid', None)\
                               and flavor.get('is_public', None) == False:
                flavor_is_not = True
        if flavor_is_not:
            raise webob.exc.HTTPNotFound()
    req.cache_db_flavor(flavor)
    except exception.NotFound:
        raise webob.exc.HTTPNotFound()

    return self._view_builder.show(req, flavor)

It seems that multiple problems are raised here:

1) $ nova flavor-access-add <flavor_id> <tenant_name>
adds a rule which is never used.
In fact a correct way to add access to a flavor is to use tenant_id instead of tenant_name.
Nova should reject such requests. Novaclient should convert tenant_name to tenant_id as it is done for objects of another types.
But since OS could work with no Keystone, it seems not possible to verify a tenant id, or get a tenant id by a tenant name.

2) An admin role user can run an instance with a flavor which isn't available for the instance tenant.
But the same happens to an image. If the image is private and isn't visible in a tenant, an admin can boot an instnace in the tenant from this image. I guess the same happens for volumes and snapshots as well.
So this looks like a feature and shouldn't be fixed separately from images/volumes/snapshots/etc.

3) A filter by is_public property isn't available for novaclient cli.
The filter was promised by the blueprint.

4) A filter by a tenant isn't available for neither REST nor cli.
The filter was promised by the blueprint.

5) Under some circumstances a private flavor become public.
It's not reproduced for me.

Something else?

The last check was done 1 year ago and this report describes multiple issues at once. There is not enough time to double-check each bug report. I'm closing this one. If you want to work on that, consider opening new bug reports, each one with one single and very specific issue. Otherwise it's not possible to solve them completely.

Hello, @Feodor Tersin (ftersin)

Have you (or your co-worker) distributed the bugs mentioned in #6?
If yes, could you post the link here?

I just found that another bug [1] has mentioned this bug.
And [1]'s duplicated bug [2] has been fixed 3 days ago(2017/5/6)...

Note that, there is a BP [3].

[1]https://bugs.launchpad.net/nova/+bug/1317515
[2]https://bugs.launchpad.net/nova/+bug/1544989
[3]https://blueprints.launchpad.net/nova/+spec/validate-project-with-keystone

Hi. No, i have not. I just posted that comment, nothing more.