cinder: a member of a user in any tenant can list and use all volume types created by admin user

Bug #1214747 reported by Haim Ateya
This bug affects 1 person
Affects: Cinder
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

I created several types as the admin user, then created tenants and a user who is a member of one of the tenants that I created.
I logged in with the user I created and was able to list and use all types.

I can think of several reasons why we should not allow this; here are two off the top of my head:

1. If we simply manage groups in our company, it may cause a problem if a volume created by someone in finance is tagged for someone in support.
2. If I use the type for customer names in a cloud, I may not want everyone to see the customer names.

Version-Release number of selected component (if applicable):

openstack-cinder-2013.1.2-3.el6ost.noarch

How reproducible:

100%

Steps to Reproduce:
1. Create a type as admin user
2. Create a tenant with a user who is a member
3. Log in as the user -> run: cinder type-list

Actual results:

We see all the types and can use them to create a volume.

Expected results:

A user should only see types that are assigned to them.

Additional info:

as admin:

[root@opens-vdsb ~(keystone_admin)]# cinder type-list
+--------------------------------------+--------+
| ID | Name |
+--------------------------------------+--------+
| 14587c80-c106-42c7-93ed-2ceaa98f8eae | bla |
| af06d9d6-23e1-4016-b5f9-ac5df4772c68 | blabla |
| bd842e99-fba0-4fb9-9f04-83ebed28aa59 | dafna |
| dd4c04ff-d3f5-4bba-92fa-c2d2cdc18660 | lvm |
+--------------------------------------+--------+

as user:

[dron@opens-vdsb ~(keystone_admin)]$ cinder type-list
+--------------------------------------+--------+
| ID | Name |
+--------------------------------------+--------+
| 14587c80-c106-42c7-93ed-2ceaa98f8eae | bla |
| af06d9d6-23e1-4016-b5f9-ac5df4772c68 | blabla |
| bd842e99-fba0-4fb9-9f04-83ebed28aa59 | dafna |
| dd4c04ff-d3f5-4bba-92fa-c2d2cdc18660 | lvm |
+--------------------------------------+--------+

create as user:

[dron@opens-vdsb ~(keystone_admin)]$ cinder create 10 --volume-type blabla
+---------------------+--------------------------------------+
| Property | Value |
+---------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| created_at | 2013-07-23T11:29:18.437476 |
| display_description | None |
| display_name | None |
| id | 5908f5ba-489a-4364-b280-346381cb3c2e |
| metadata | {} |
| size | 10 |
| snapshot_id | None |
| source_volid | None |
| status | creating |
| volume_type | blabla |
+---------------------+--------------------------------------+
[dron@opens-vdsb ~(keystone_admin)]$ cinder list
+--------------------------------------+-----------+--------------+------+-------------+----------+-------------+
| ID | Status | Display Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+--------------+------+-------------+----------+-------------+
| 13603de3-8435-4c37-9283-16a61c7bb4c7 | available | bla | 10 | bla | false | |
| 5908f5ba-489a-4364-b280-346381cb3c2e | available | None | 10 | blabla | false | |
| 5c066222-b8a9-4990-9d88-b1190aaf2d14 | available | None | 10 | blabla | false | |
| 68eca3bb-61d2-4031-bdeb-8eea28232dd8 | error | bbhb | 10 | dafna | false | |
| a597c6c3-3966-4675-94c2-00a335da2114 | available | bhbh | 10 | bla | false | |
+--------------------------------------+-----------+--------------+------+-------------+----------+-------------+

Vincent Hou (houshengbo)
Changed in cinder:
assignee: nobody → Vincent Hou (houshengbo)
Vincent Hou (houshengbo) wrote :

Haim, this is exactly how volume types behave. You need to specify the admin name and password to create a volume type, and the type is for other users to use.

Changed in cinder:
assignee: Vincent Hou (houshengbo) → nobody
Vincent Hou (houshengbo) wrote :
Changed in cinder:
status: New → Incomplete
Ed Balduf (ebalduf) wrote :

This was implemented in Kilo. The specification for the change is here: https://git.openstack.org/cgit/openstack/cinder-specs/tree/specs/kilo/private-volume-types.rst and the commits are 6c0f50b1ec933a61b84d806e748afd9cb74e5cd7 and 6f8c235a92b683448d4afbc96f3f4711a96fab8f.

Changed in cinder:
status: Incomplete → Fix Committed
Thierry Carrez (ttx)
Changed in cinder:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in cinder:
milestone: liberty-1 → 7.0.0
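
The visibility rule that private volume types introduce, as an added example that is not part of the original report and is not Cinder's own code: a simplified model in which a type is either public or shared with named projects, plus an audit that finds volumes created with a type their project is not entitled to. The type names come from the report; the project names, the access assignments and the sample volumes are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class VolumeType:
    name: str
    is_public: bool = True
    # Projects granted access to a private type (ignored for public types).
    projects: frozenset = field(default_factory=frozenset)


def can_use(vtype, project_id, is_admin=False):
    """Admins see every type; others see public types and private
    types explicitly shared with their project."""
    return is_admin or vtype.is_public or project_id in vtype.projects


def visible_types(types, project_id, is_admin=False):
    """What a type listing should return for this caller."""
    return [t.name for t in types if can_use(t, project_id, is_admin)]


def audit_volumes(types, volumes):
    """Return (volume id, project, type) for volumes whose type is not
    visible to the owning project, e.g. volumes created before a type
    was switched from public to private."""
    by_name = {t.name: t for t in types}
    findings = []
    for vol in volumes:
        vtype = by_name.get(vol["volume_type"])
        if vtype is None or not can_use(vtype, vol["project_id"]):
            findings.append((vol["id"], vol["project_id"], vol["volume_type"]))
    return findings


# Constructed sample: two types made private, two left public.
TYPES = [
    VolumeType("bla"),
    VolumeType("blabla", is_public=False, projects=frozenset({"finance"})),
    VolumeType("dafna", is_public=False, projects=frozenset({"support"})),
    VolumeType("lvm"),
]
# Constructed sample volumes (ids and projects are hypothetical).
VOLUMES = [
    {"id": "vol-1", "project_id": "support", "volume_type": "blabla"},
    {"id": "vol-2", "project_id": "finance", "volume_type": "blabla"},
    {"id": "vol-3", "project_id": "support", "volume_type": "bla"},
]

if __name__ == "__main__":
    print(visible_types(TYPES, "support"))
    print(audit_volumes(TYPES, VOLUMES))
```
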