OpenStack Dashboard (Horizon)

Volumes, volume snapshots, instance snaphots and keypairs all show cross-tenant info when logged in as admin

Bug #967882 reported by Tres Henry
40
This bug affects 8 people
Affects Status Importance Assigned to Milestone
Cinder
Fix Released
Undecided
Jake Dahn
Cinder 2012.2 "folsom"
OpenStack Compute (nova)
Fix Released
Medium
Jake Dahn
OpenStack Compute (nova) 2012.2 "folsom"
OpenStack Dashboard (Horizon)
Fix Released
Medium
Jake Dahn
OpenStack Dashboard (Horizon) 2012.2 "folsom"

Bug Description

It looks like volumes, snapshots and keypairs don't care about a tenant scoped token when authenticated as an admin. This means that each tenant shows all data for those objects. It is also possible to attach a volume from one project to an instance in another project which causes the instance detail page to not render.

Gabriel Hurley (gabriel-hurley)
tags: added: essex-rc-potential
Gabriel Hurley (gabriel-hurley)
Changed in horizon:
status: New → Confirmed
importance: Undecided → Critical
Revision history for this message
Devin Carlen (devcamcar) wrote :

This has been around for a while, but it certainly doesn't make sense from a UX point of view.

Thierry Carrez (ttx)
Changed in nova:
status: New → Incomplete
Thierry Carrez (ttx)
tags: removed: essex-rc-potential
Revision history for this message
Vish Ishaya (vishvananda) wrote :

This should be moved to a blueprint.

Revision history for this message
Tres Henry (tres) wrote :

Registered: https://blueprints.launchpad.net/horizon/+spec/admin-tenant-volumes-snapshots

Feel free to update description if that doesn't make sense.

Revision history for this message
Thierry Carrez (ttx) wrote :

Also at https://blueprints.launchpad.net/nova/+spec/differentiate-admin

Changed in nova:
importance: Undecided → Wishlist
status: Incomplete → Confirmed
Revision history for this message
Devin Carlen (devcamcar) wrote :

@Thierry: This is not a "wishlist" item. This is a serious flaw in the way Nova presents information and behaves differently in some places if an admin flag is present.

To put this in perspective, here is the banner we are having to add to Horizon to warn users of the broken behavior:

http://i.imgur.com/eS2sV.png

The blueprint you linked is marked Medium priority so I updated this bug to reflect that.

Changed in nova:
importance: Wishlist → Medium
Jake Dahn (jakedahn)
Changed in horizon:
assignee: nobody → Jake Dahn (jakedahn)
Changed in nova:
assignee: nobody → Jake Dahn (jakedahn)
Jake Dahn (jakedahn)
Changed in cinder:
assignee: nobody → Jake Dahn (jakedahn)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/10750

Changed in cinder:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/10750
Committed: http://github.com/openstack/cinder/commit/a1b4bd5e86cd865869308c976c6aebf9a4ad23a8
Submitter: Jenkins
Branch: master

commit a1b4bd5e86cd865869308c976c6aebf9a4ad23a8
Author: jakedahn <email address hidden>
Date: Tue Jul 31 16:35:26 2012 -0700

    Admin users should be restricted from seeing all
    volumes by default.

      * Now to view all volumes across all tenants you need
        to include the all_tenants=1 GET param in your api request.
      * Fixes remaining issues blocking bug #967882

    Change-Id: Ie9d74e9c09fa0c192ab6257b5fb02d65b593cbfb

Changed in cinder:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/10799

Changed in cinder:
status: Fix Committed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/10855

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/10855
Committed: http://github.com/openstack/cinder/commit/43626d293739dbe06c7fe26845d17c2e580e62dd
Submitter: Jenkins
Branch: master

commit 43626d293739dbe06c7fe26845d17c2e580e62dd
Author: jakedahn <email address hidden>
Date: Sun Aug 5 14:32:07 2012 -0700

    Admin users should be restricted from seeing all
    snapshots by default.

      * Now to view all snapshots across all tenants you need
        to include the all_tenants=1 GET param in your api request.
      * Fixes remaining issues blocking bug #967882

    Change-Id: I2a8338d77badc70201bb315198183f2091df43fb

Changed in cinder:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/11107

Changed in nova:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/11107
Committed: http://github.com/openstack/nova/commit/8077486b3c15012f4dbf270cd8c9fa3f48cb3d36
Submitter: Jenkins
Branch: master

commit 8077486b3c15012f4dbf270cd8c9fa3f48cb3d36
Author: jakedahn <email address hidden>
Date: Thu Aug 9 14:28:28 2012 -0700

    Default behavior should restrict admins to tenant for volumes.

      * NOTE: This is a port from cinder to nova volumes
      * Now to view all volumes or volume snapshots across
        all tenants you need to include the all_tenants=1
        GET param in your api request.
      * Fixes remaining issues blocking bug #967882

    Change-Id: I7fe15e792b62e59973c7faa2cf1c52929ae5864f

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → folsom-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in cinder:
milestone: none → folsom-3
status: Fix Committed → Fix Released
Revision history for this message
Gabriel Hurley (gabriel-hurley) wrote :

Needs confirmation that the downstream fixes take care of the horizon issues. If so, we can resolve this bug by removing the warning banner from the project dashboard.

Changed in horizon:
importance: Critical → Medium
milestone: none → folsom-rc1
status: Confirmed → Triaged
Revision history for this message
Jake Dahn (jakedahn) wrote :

The only thing that has yet to be merged is the novaclient patch, which can be found here: https://review.openstack.org/#/c/11113/, not sure why it hasn't been pushed through - probably just need to nag a few people.

But the changes for Cinder, Nova Volumes, Cinderclient, and an issue that popped up with horizon have all been merged.

Revision history for this message
Gabriel Hurley (gabriel-hurley) wrote :

So, this is fixed for all the items listed here, except it's not fixed for security groups, which weren't listed here... I've opened a new bug to track that since this one is complete as written. New bug here: https://bugs.launchpad.net/nova/+bug/1046054

Great work on getting all these fixed, though!

Changed in horizon:
status: Triaged → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/essex)

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/13750

Thierry Carrez (ttx)
Changed in cinder:
milestone: folsom-3 → 2012.2
Thierry Carrez (ttx)
Changed in horizon:
milestone: folsom-rc1 → 2012.2
Thierry Carrez (ttx)
Changed in nova:
milestone: folsom-3 → 2012.2
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.