openstack project cleanup could delete stacks outside the targeted project
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| python-openstackclient |
New
|
Undecided
|
Alexey Stupnikov | ||
Bug Description
The command "project cleanup" could delete stacks outside the targeted project
openstack project cleanup --project <project_id>
if the user executing this command has the role "admin" in <project_id> this command *could* DELETE heat stacks outside the targeted project.
Openstack: Train and Wallaby (EOL)
Example :
$ openstack --version
openstack 6.6.0
# admin operator's ENV var.
OS_REGION_
OS_INTERFACE=public
OS_AUTH_URL=https:/
OS_PROJECT_
OS_TENANT_
OS_USERNAME=admin
OS_USER_
OS_PROJECT_
OS_PASSWORD=xxx
OS_IDENTITY_
# Target project ID: 7faf1ccceeeb42e
# 1 network : net_deleteme
# 1 subnet : sub_deleteme
# 1 instance : vm_deleteme
# 1 volume : <no_name>
# no router
# no heat stack
$ openstack stack list -f value -c ID -c Project
1aa3b658-
d879d894-
ddb2c804-
bb9acd57-
a0caad5e-
96241fd6-
cb739a08-
- Case 1: admin is not a member of target (OK: rejected)
$ openstack role assignment list --user admin --names -f value -c Role -c Project --project 7faf1ccceeeb42e
<empty output>
$ openstack project cleanup --project 7faf1ccceeeb42e
The request you have made requires authentication. (HTTP 401) (...)
- Case 2: admin is a member of target (OK: as expected)
$ openstack role assignment list --user admin --names -f value -c Role -c Project --project 7faf1ccceeeb42e
_member_ XXXXX-TEST-
$ openstack project cleanup --project 7faf1ccceeeb42e
+------
| Type | ID | Name |
+------
| Server | ba6c1d73-
| Volume | f5d7a142-
| Subnet | 1e9c54b4-
| Network | ba2bb7e2-
+------
- Case 3: admin has the role "admin" on the target (KO: will clean resources outside target)
$ openstack role assignment list --user admin --names -f value -c Role -c Project --project 7faf1ccceeeb42e
admin XXXXX-TEST-
$ openstack project cleanup --project 7faf1ccceeeb42e
+------
| Type | ID | Name |
+------
| Stack | 1aa3b658-
| Stack | d879d894-
| Stack | bb9acd57-
| Stack | ddb2c804-
| Stack | a0caad5e-
| Stack | 96241fd6-
| Stack | cb739a08-
| Server | ba6c1d73-
| Volume | f5d7a142-
| Subnet | 1e9c54b4-
| Network | ba2bb7e2-
+------
ALERT: the stacks listed here ("<==") don't belong to the target but they will be deleted by project cleanup
This behaviour affects only heat stacks.
With admin role in target, one can list all available resources in neutron and cinder (like "openstack network list" or "openstack volume list") -- this is the expected result -- but those resources are filtered correctly by cleanup and they won't be deleted.
Note : no specific policy has been defined for heat-api
the default policy still contains "system/SYSTEM"
"""
# heat/policies/
policy.
{
}
],
),
"""
| Erwan MALIK (erwan-m) wrote | #1 |
| Changed in python-openstackclient: | |
| assignee: | nobody → Alexey Stupnikov (astupnikov) |
| Andrej Moravcik (andrejmoravcik) wrote | #2 |
[updated to use tag 4.4.0]
I have a workaround but I don't know if it's the correct way to handle this issue.
1. some query parameters are missing in stack.py
- expected parameters:
https:/
- known parameters:
https:/
I added "tenant"
2. the loop over self.stack() is unprotected in orchestration.
https:/
I fixed this following the same strategy used for the networks here
https:/
https:/
so I rewrote
for obj in self.stacks():
into
project_id = self.get_
for obj in self.stacks(
Do you think it could be a way to fix this behavior?