OpenStack Dashboard (Horizon)

admin is getting: You are not allowed to terminate instances

Bug #1370088 reported by Dafna Ron
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
Confirmed
Low
Unassigned

Bug Description

I am getting a permission error on deleting of instances as user admin:

Error: You are not allowed to terminate instances: Dafna-763bb301-33da-47d2-bb90-e83edb1199f1, Dafna-c8c9e379-8c1c-40fd-a7a9-f57cfeed072d, Dafna-ab9aae09-d551-453c-b2ed-d40ba97a78dc, Dafna-04267001-c7f2-4b74-ba81-f26f7846294d, Dafna-a44b71a0-b4f2-4223-a0ac-e84c094ce23f, Dafna-a6fdb7aa-14ed-4b60-90c0-f144fc4eaf87, Dafna-37795fc3-1d1a-40bb-9290-92f5938d017e, Dafna-2defb0fa-5057-4cb7-b60d-bdf69629af85, Dafna-6b05e4f8-4b5f-4125-93ab-4cc4082116bb, Dafna-49f6e328-9384-465b-b7b9-af51ae555c17

the instances in nova list did change to deleting and after a while were actually deleted.
It took two UI refreshes to show the correct list

root@tigris01 ~(keystone_admin)]# nova list
+--------------------------------------+--------------------------------------------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+--------------------------------------------+--------+------------+-------------+----------+
| 04267001-c7f2-4b74-ba81-f26f7846294d | Dafna-04267001-c7f2-4b74-ba81-f26f7846294d | BUILD | deleting | NOSTATE | |
| 2defb0fa-5057-4cb7-b60d-bdf69629af85 | Dafna-2defb0fa-5057-4cb7-b60d-bdf69629af85 | BUILD | deleting | NOSTATE | |
| 37795fc3-1d1a-40bb-9290-92f5938d017e | Dafna-37795fc3-1d1a-40bb-9290-92f5938d017e | BUILD | deleting | NOSTATE | |
| 49f6e328-9384-465b-b7b9-af51ae555c17 | Dafna-49f6e328-9384-465b-b7b9-af51ae555c17 | BUILD | deleting | NOSTATE | |
| 6b05e4f8-4b5f-4125-93ab-4cc4082116bb | Dafna-6b05e4f8-4b5f-4125-93ab-4cc4082116bb | BUILD | deleting | NOSTATE | |
| 763bb301-33da-47d2-bb90-e83edb1199f1 | Dafna-763bb301-33da-47d2-bb90-e83edb1199f1 | BUILD | deleting | NOSTATE | |
| a44b71a0-b4f2-4223-a0ac-e84c094ce23f | Dafna-a44b71a0-b4f2-4223-a0ac-e84c094ce23f | BUILD | deleting | NOSTATE | |
| a6fdb7aa-14ed-4b60-90c0-f144fc4eaf87 | Dafna-a6fdb7aa-14ed-4b60-90c0-f144fc4eaf87 | BUILD | deleting | NOSTATE | |
| ab9aae09-d551-453c-b2ed-d40ba97a78dc | Dafna-ab9aae09-d551-453c-b2ed-d40ba97a78dc | BUILD | deleting | NOSTATE | |
| c8c9e379-8c1c-40fd-a7a9-f57cfeed072d | Dafna-c8c9e379-8c1c-40fd-a7a9-f57cfeed072d | BUILD | deleting | NOSTATE | |
+--------------------------------------+--------------------------------------------+--------+------------+-------------+----------+

[root@tigris01 ~(keystone_admin)]# nova list
+----+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+----+------+--------+------------+-------------+----------+
+----+------+--------+------------+-------------+----------+
[root@tigris01 ~(keystone_admin)]#

here is grep on one of the instances from the logs:

http://fpaste.org/133921/

Tags: nova
Gary W. Smith (gary-w-smith)
tags: added: nova
Revision history for this message
Gary W. Smith (gary-w-smith) wrote :

Can you elaborate further on the steps to reproduce this behavior? It appears from the listing that it involves bulk launching of instances as one user and attempting to terminate them (possibly repeatedly?) as the admin before they are launched, but it is unclear.
I tried to reproduce this by logging in as the demo user in the demo project and launching 5 instances; while they were still coming up, I logged in as admin and was able to successfully terminate them from the Admin > Instances page while some were still launching and others were active.

Changed in horizon:
status: New → Incomplete
Revision history for this message
Dafna Ron (dron-3) wrote :

I am actually not sure how it came to happen that I got the permissions error however, I have two theories:
1. sending the command to many instances (so perhaps some of the commands are sent twice or some of the commands are timing out)
2. Admin credentials have timed out but the user has not been thrown out of the UI.

Revision history for this message
Gary W. Smith (gary-w-smith) wrote :

I was able to reproduce this by:
1. Launching an instance
2. Login as admin in two different browser windows at the same time
3. In both windows , navigate to Admin > System > Instances, and use the Terminate Instance action on the instance. Both windows will prompt for confirmation.
4. Confirm the deletion in one window, then go to the other window and confirm the deletion.

The second window will give the permission mentioned in the description.

Changed in horizon:
status: Incomplete → New
Gary W. Smith (gary-w-smith)
Changed in horizon:
status: New → Confirmed
Gary W. Smith (gary-w-smith)
Changed in horizon:
importance: Undecided → Low
Yash Bathia (ybathia)
Changed in horizon:
assignee: nobody → Yash Bathia (ybathia)
Yash Bathia (ybathia)
Changed in horizon:
assignee: Yash Bathia (ybathia) → nobody
Revision history for this message
Justin Pomeroy (jpomero) wrote :

Seems like this is basically working as designed. You aren't allowed to delete the instances because the current state does not allow it. They are already being deleted. It would be nice if the message was more clear on the reason though, since it does seem to imply that it's a permission issue when it says "you are not allowed". I suppose it depends on what kind of error nova returns in this case.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.