[Openstack-operators] Allow user to see instances of other users
Clint Byrum
clint at fewbar.com
Thu Jun 11 20:02:16 UTC 2015
Excerpts from Sławek Kapłoński's message of 2015-06-11 12:40:36 -0700:
> Hello,
>
> I don't think it is possible because in nova/db/sqlalchemy/api.py in function
> instance_get_all_by_filters you have something like:
>
> if not context.is_admin:
>     # If we're not admin context, add appropriate filter..
>     if context.project_id:
>         filters['project_id'] = context.project_id
>     else:
>         filters['user_id'] = context.user_id
>
> This is from Juno, but in Kilo it is the same. So in fact even if you set
> proper policy.json rules it will still require admin context to search
> instances from different tenants. Maybe I'm wrong and this is possible in some
> other place, and maybe someone will show me where, because I was also looking
> for it last time :)
>
Looks like a bug to me. The check should just enforce that there is one
of those filters if not context.is_admin.
https://launchpad.net/nova/+filebug
I'd suggest referencing this mailing list thread.
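
Added example, not part of the original message or of nova's code: a small model of the quoted filter logic next to one reading of the suggested check, run over constructed rows. Context, INSTANCES, query and both scope_* functions are hypothetical names; scope_require_one assumes "enforce that there is one of those filters" means applying the default scope only when the caller passed neither filter.

```python
from collections import namedtuple

# Minimal stand-in for nova's RequestContext (assumption: only these fields matter).
Context = namedtuple("Context", "user_id project_id is_admin")

# Constructed sample rows, not real data.
INSTANCES = [
    {"uuid": "vm-a1", "project_id": "proj-a", "user_id": "alice"},
    {"uuid": "vm-a2", "project_id": "proj-a", "user_id": "bob"},
    {"uuid": "vm-b1", "project_id": "proj-b", "user_id": "carol"},
]


def _default_scope(context, filters):
    # Same branch order as the quoted snippet: project first, then user.
    if context.project_id:
        filters["project_id"] = context.project_id
    else:
        filters["user_id"] = context.user_id


def scope_overwrite(context, filters):
    """Quoted Juno behaviour: a non-admin's scope replaces whatever was asked for."""
    filters = dict(filters)
    if not context.is_admin:
        _default_scope(context, filters)
    return filters


def scope_require_one(context, filters):
    """Hypothetical variant: only insist that some scoping filter is present.

    With this variant the DB layer no longer pins a non-admin to their own
    tenant, so the policy.json rule becomes the only cross-tenant control.
    """
    filters = dict(filters)
    if not context.is_admin and not ({"project_id", "user_id"} & filters.keys()):
        _default_scope(context, filters)
    return filters


def query(context, filters, scope):
    """Return uuids of rows matching the filters after `scope` has been applied."""
    effective = scope(context, filters)
    return [row["uuid"] for row in INSTANCES
            if all(row.get(k) == v for k, v in effective.items())]
```
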