<div dir="ltr">Solly,<div><br></div><div>My point is that this feature (creating a VM for a tenant as an admin in another project) might not be possible given the current implementation. I've pointed out two places in nova code, from which I drew my conclusion.</div>
<div><br></div><div>Since this potentially requires a code change, I think the dev mailing list is somewhat appropriate... </div><div><br></div><div>Thanks.</div><div>-Simon</div><div><br></div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Mon, Apr 7, 2014 at 1:44 PM, Solly Ross <span dir="ltr"><<a href="mailto:sross@redhat.com" target="_blank">sross@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Simon, please use the operators list or general list for questions such as this in the future.<br>
<a href="https://wiki.openstack.org/wiki/Mailing_Lists#General_List" target="_blank">https://wiki.openstack.org/wiki/Mailing_Lists#General_List</a><br>
<br>
Best Regards,<br>
Solly Ross<br>
<div><div class="h5"><br>
----- Original Message -----<br>
From: "Xu (Simon) Chen" <<a href="mailto:xchenum@gmail.com">xchenum@gmail.com</a>><br>
To: <a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a><br>
Sent: Saturday, April 5, 2014 12:17:05 AM<br>
Subject: [openstack-dev] [openstack] [nova] admin user create instance for another user/tenant<br>
<br>
I wonder if there is a way to do the following. I have a user A with admin role in tenant A, and I want to create a VM in/for tenant B as user A. Obviously, I can use A's admin privilege to add itself to tenant B, but I want to avoid that.<br>
<br>
Based on the policy.json file, it seems doable:<br>
<a href="https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L8" target="_blank">https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L8</a><br>
<br>
I read this as, as long as a user is an admin, it can create an instance.. Just like an admin user can remove an instance from another tenant.<br>
<br>
But in here, it looks like as long as the context project ID and target project ID don't match, an action would be rejected:<br>
<a href="https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L968" target="_blank">https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L968</a><br>
<br>
Indeed, when I try to use user A's token to create a VM (POST to v2/<tenant_b>/servers), I got the exception from the above link.<br>
<br>
On the other hand, according to here, VM's project_id only comes from the context:<br>
<a href="https://github.com/openstack/nova/blob/master/nova/compute/api.py#L767" target="_blank">https://github.com/openstack/nova/blob/master/nova/compute/api.py#L767</a><br>
<br>
I wonder if it makes sense to allow admin users to specify a "project_id" field (which overrides context.project_id) when creating a VM. This probably requires non-trivial code change.<br>
<br>
Or maybe there is another way of doing what I want?<br>
<br>
Thanks.<br>
-Simon<br>
<br>
<br>
</div></div>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div><br></div>