cinder: a user that is a member of any tenant can list and use all volume types created by the admin user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Fix Released | Undecided | Unassigned |
Bug Description
I created several types with the admin user, then created tenants and a user who is a member of one of the tenants that I created.
I logged in with the user I created and was able to list and use all types.
I can think of several reasons why we should not allow this; here are two off the top of my head:
1. if we simply manage groups in our company, it may cause a problem if a volume created by someone in finance is tagged for someone in support.
2. if I use the type for customer names in a cloud, I may not want everyone to see the customer names.
Version-Release number of selected component (if applicable):
openstack-
How reproducible:
100%
Steps to Reproduce:
1. create a type as the admin user
2. create a tenant with a user who is a member of it
3. log in as the user -> run: cinder type-list
Actual results:
we see all the types and can use them to create a volume
Expected results:
a user should only see types that are assigned to them
Additional info:
as admin:
[root@opens-vdsb ~(keystone_admin)]# cinder type-list
+------
| ID | Name |
+------
| 14587c80-
| af06d9d6-
| bd842e99-
| dd4c04ff-
+------
as user:
[dron@opens-vdsb ~(keystone_admin)]$ cinder type-list
+------
| ID | Name |
+------
| 14587c80-
| af06d9d6-
| bd842e99-
| dd4c04ff-
+------
create as user:
[dron@opens-vdsb ~(keystone_admin)]$ cinder create 10 --volume-type blabla
+------
| Property | Value |
+------
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| created_at | 2013-07-
| display_description | None |
| display_name | None |
| id | 5908f5ba-
| metadata | {} |
| size | 10 |
| snapshot_id | None |
| source_volid | None |
| status | creating |
| volume_type | blabla |
+------
[dron@opens-vdsb ~(keystone_admin)]$ cinder list
+------
| ID | Status | Display Name | Size | Volume Type | Bootable | Attached to |
+------
| 13603de3-
| 5908f5ba-
| 5c066222-
| 68eca3bb-
| a597c6c3-
+------
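The expected behaviour described in the report (a tenant's user lists and uses only the types it was granted, while the admin sees everything) can be modelled with a small access rule. This is an added example, not Cinder's code; the `is_public` flag, the per-project access set and all sample type and project names are constructed for the illustration.

```python
"""Model of tenant-scoped volume-type visibility (added example, not Cinder code).

Assumed data model: each volume type carries an is_public flag and a set of
project (tenant) IDs granted access; all names and sample data are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class VolumeType:
    id: str
    name: str
    is_public: bool = True
    project_access: set = field(default_factory=set)


class VolumeTypeAccessDenied(Exception):
    pass


def visible_types(types, project_id, is_admin=False):
    """Types a project may list: public ones plus those it was granted; admin sees all."""
    if is_admin:
        return list(types)
    return [t for t in types if t.is_public or project_id in t.project_access]


def create_volume(types, project_id, type_name, size_gb, is_admin=False):
    """Authorize a volume create with the same rule used for listing."""
    allowed = {t.name: t for t in visible_types(types, project_id, is_admin)}
    if type_name not in allowed:
        # Same error whether the type is private or nonexistent, so a create
        # attempt leaks nothing beyond what the project may already list.
        raise VolumeTypeAccessDenied(f"volume type {type_name!r} not found")
    return {"size": size_gb, "volume_type": allowed[type_name].id, "status": "creating"}


# Constructed sample: the admin created three types; only one is public.
TYPES = [
    VolumeType("type-public-0001", "standard"),
    VolumeType("type-private-0002", "finance-tier", is_public=False, project_access={"finance"}),
    VolumeType("type-private-0003", "customer-acme", is_public=False, project_access={"acme"}),
]

if __name__ == "__main__":
    print([t.name for t in visible_types(TYPES, "support")])   # ['standard']
    print([t.name for t in visible_types(TYPES, "finance")])   # ['standard', 'finance-tier']
    try:
        create_volume(TYPES, "support", "customer-acme", 10)
    except VolumeTypeAccessDenied as e:
        print("denied:", e)
```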
Changed in cinder:
assignee: nobody → Vincent Hou (houshengbo)
Changed in cinder:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Changed in cinder:
milestone: liberty-1 → 7.0.0
Haim, this is exactly how volume types behave. You need to specify the admin name and password to create a volume type, and the type is for other users to use.