Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adds warning banner for admin users in project dash.
This is a bandaid until the underlying bugs in Nova get fixed. Fixes bug 968696. Change-Id: I735453482023dabc28069a4a8796aa43001f1891
- Loading branch information
1 parent
f6f2a91
commit 41307a3
Showing
5 changed files
with
73 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
{% load i18n %} | ||
|
||
<div id="admin_warning_detail" class="modal hide"> | ||
<div class="modal-header"> | ||
<button type="button" class="close" data-dismiss="modal">×</button> | ||
<h3>{% trans "You currently have the power to damage your OpenStack cloud..." %}</h3> | ||
</div> | ||
<div class="modal-body"> | ||
<p>{% blocktrans %}Due to inconsistencies in the way Nova interacts with Keystone, a user with an admin role has access to all resources in the system (volumes, snapshots, keypairs, etc.), even in the Project dashboard where they should only see a properly-scoped subset of those resources.{% endblocktrans %}</p> | ||
<p>{% blocktrans %}This means that Nova allows an admin user in the Project Dashboard to successfully take actions which otherwise should not be permitted, causing irresolvable conflicts in Nova.{% endblocktrans %}</p> | ||
<p>{% blocktrans %}A list of the known problems are as follows:{% endblocktrans %}</p> | ||
<ul> | ||
<li>{% blocktrans %}Attaching a volume owned by project A to an instance in project B can completely hang Nova.{% endblocktrans %}</li> | ||
<li>{% blocktrans %}Assigning keypairs owned by project A to an instance in project B can result in failed instances, problems in retrieving instance details for non-admin users, and/or security holes should the instance succeed in spawning.{% endblocktrans %}</li> | ||
<li>{% blocktrans %}Attempting to launch an instance in project A from a snapshot or volume snapshot owned by project B can hang Nova.{% endblocktrans %}</li> | ||
<li>{% blocktrans %}Attempting to boot from a volume owned by project A in project B can hang Nova.{% endblocktrans %}</li> | ||
</ul> | ||
<p>{% blocktrans %}This is only a list of the reported inconsistencies. There may be others.{% endblocktrans %}</p> | ||
<p><strong>{% blocktrans %}The recommended practice until this problem is resolved is to keep your admin users and regular users separate. Create an "admin" project that admin users have access to, and do not grant your admin users the admin role on any other projects.{% endblocktrans %}</strong></p> | ||
<p>{% blocktrans %}To follow the status of this bug, take a look at the following items on launchpad:{% endblocktrans %} <a href="https://bugs.launchpad.net/horizon/+bug/967882">BUG: Scoping problems for Nova resources</a>, <a href="https://bugs.launchpad.net/horizon/+bug/968696">BUG: "Admin"-ness not properly scoped</a>, <a href="https://blueprints.launchpad.net/nova/+spec/differentiate-admin">BLUEPRINT: Differentiate system-wide admins</a>.</p> | ||
<p>{% blocktrans %}Thank you for reading this warning and operating your cloud responsibly.{% endblocktrans %}</p> | ||
</div> | ||
<div class="modal-footer"> | ||
<a href="#" class="btn" data-dismiss="modal">{% trans "Close" %}</a> | ||
</div> | ||
</div> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters