[Openstack-operators] Allow user to see instances of other users
Sławek Kapłoński
slawek at kaplonski.pl
Thu Jun 11 22:13:34 UTC 2015
Hello,
But AFAIK this will add someone with role "special_role" same priviliges as
someone who has got "admin" role, right?
--
Pozdrawiam / Best regards
Sławek Kapłoński
slawek at kaplonski.pl
Dnia czwartek, 11 czerwca 2015 18:08:38 Mathieu Gagné pisze:
> You can add your new role to this policy:
>
> "context_is_admin": "role:admin or role:special_role",
>
> It will set "is_admin" to True in the context. I'm not sure of the
> side-effect to be honest. Use at your own risk...
>
> Mathieu
>
> On 2015-06-11 4:59 PM, George Shuklin wrote:
> > Thank you!
> >
> > You saved me a day of the work. Well, we'll move a script to admin user
> > instead of normal user with the special role.
> >
> > PS And thanks for filling a bugreport too.
> >
> > On 06/11/2015 10:40 PM, Sławek Kapłoński wrote:
> >> Hello,
> >>
> >> I don't think it is possible because in nova/db/sqlalchemy/api.py in
> >> function instance_get_all_by_filters You have something like:
> >>
> >> if not context.is_admin:
> >> # If we're not admin context, add appropriate filter..
> >>
> >> if context.project_id:
> >> filters['project_id'] = context.project_id
> >>
> >> else:
> >> filters['user_id'] = context.user_id
> >>
> >> This is from Juno, but in Kilo it is the same. So in fact even if You
> >> will set proper policy.json rules it will still require admin context to
> >> search instances from different tenants. Maybe I'm wrong and this is in
> >> some other place possible and maybe someone will show me where because I
> >> was also looking for it last time :)
> >>
> >> --
> >> Pozdrawiam / Best regards
> >> Sławek Kapłoński
> >> slawek at kaplonski.pl
> >>
> >> Dnia czwartek, 11 czerwca 2015 21:06:31 George Shuklin pisze:
> >>> Hello.
> >>>
> >>> I'm trying to allow a user with special role to see all instances of all
> >>> tenants without giving him admin privileges.
> >>>
> >>> My initial attempt was to change policy.json for nova to
> >>> "compute:get_all_tenants": "role:special_role or is_admin:True".
> >>>
> >>> But it didn't work well.
> >>>
> >>> The command (nova list --all-tenants) is not failing anymore (no 'ERROR
> >>> (Forbidden): Policy doesn't allow compute:get_all_tenants to be
> >>> performed.'), but the returned list is empty:
> >>>
> >>> nova list --all-tenants
> >>> +----+------+--------+------------+-------------+----------+
> >>>
> >>> | ID | Name | Status | Task State | Power State | Networks |
> >>>
> >>> +----+------+--------+------------+-------------+----------+
> >>> +----+------+--------+------------+-------------+----------+
> >>>
> >>>
> >>> Any ideas how to allow a user without admin privileges to see all
> >>> instances?
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> OpenStack-operators mailing list
> >>> OpenStack-operators at lists.openstack.org
> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> >>>
> >>>
> >>> _______________________________________________
> >>> OpenStack-operators mailing list
> >>> OpenStack-operators at lists.openstack.org
> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> >
> > _______________________________________________
> > OpenStack-operators mailing list
> > OpenStack-operators at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
More information about the OpenStack-operators
mailing list