[nova] Admin user cannot create vm with user's port?

Lingxian Kong anlin.kong at gmail.com
Thu Jun 13 22:57:10 UTC 2019


Another use case is coming from the services (e.g. Trove) which will create
vms in the service tenant but using the resources (e.g. network or port)
given by the non-admin user.

Best regards,
Lingxian Kong
Catalyst Cloud


On Fri, Jun 14, 2019 at 10:55 AM Lingxian Kong <anlin.kong at gmail.com> wrote:

> On Thu, Jun 13, 2019 at 10:48 PM Sean Mooney <smooney at redhat.com> wrote:
>
>> On Thu, 2019-06-13 at 21:22 +1200, Lingxian Kong wrote:
>> > Yeah, the api allows to specify port. What I mean is, the vm creation
>> > will fail for admin user if port belongs to a non-admin user. An
>> > exception is raised from nova-compute.
>>
>> I believe this is intentional.
>>
>> we do not currently allow you to transfer ownership of a vm from one user
>> or project to another.
>> but I also believe we currently do not allow a vm to be created from
>> resources with different owners
>>
>
> That's not true. As the admin user, you are allowed to create a vm using
> non-admin's network, security group, image, volume, etc. but just not port.
>
> There is a use case for admin user to create vms but using non-admin's
> resources for debugging or other purposes.
>
> What's more, the exception is raised in nova-compute not nova-api, which I
> assume should be supported if it's allowed in the api layer.
>
> Best regards,
> Lingxian Kong
> Catalyst Cloud
>