[openstack-dev] [Horizon] [Cinder] [Keystone] Showing Cinder quotas for non-admin users in Horizon

Timur Sufiev tsufiev at mirantis.com
Tue Sep 22 20:13:50 UTC 2015 

If I understand correctly, the issue has been properly fixed with the
Ivan's patch [1]. Thanks, Ivan!

[1] https://review.openstack.org/#/c/225891/

On Wed, Sep 16, 2015 at 2:53 PM Ivan Kolodyazhny <e0ne at e0ne.info> wrote:

> Hi Timur,
>
> To get quotas  we need to retrieve project information from the
> Keystone. Unfortunately, Keystone set "admin_required" rule by default [1]
> in their API. We can handle it and raise 403 if Keystone return this error
> only.
>
> [1] https://github.com/openstack/keystone/blob/master/etc/policy.json#L37
>
> Regards,
> Ivan Kolodyazhny
>
> On Mon, Sep 14, 2015 at 1:49 PM, Timur Sufiev <tsufiev at mirantis.com>
> wrote:
>
>> Hi all!
>>
>> It seems that recent changes in Cinder policies [1] forbade non-admin
>> users to see the disk quotas. Yet the volume creation is allowed for
>> non-admins, which effectively means that from now on a volume creation in
>> Horizon is free for non-admins (as soon as quotas:show rule is propagated
>> into Horizon policies). Along with understanding that this is not a desired
>> UX for Volumes panel in Horizon, I know as well that [1] wasn't responsible
>> for this quota behavior change on its own. It merely tried to alleviate the
>> situation caused by [2], which changed the requirements of quota show being
>> authorized. From this point I'm starting to sense that my knowledge of
>> Cinder and Keystone (because the hierarchical feature is involved) is
>> insufficient to suggest the proper solution from the Horizon point of view.
>> Yet hiding quota values from non-admin users makes no sense to me.
>> Suggestions?
>>
>> [1] https://review.openstack.org/#/c/219231/7/etc/cinder/policy.json line
>> 36
>> [2]
>> https://review.openstack.org/#/c/205369/29/cinder/api/contrib/quotas.py line
>> 135
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150922/52bda3a8/attachment.html>

More information about the OpenStack-dev mailing list