[Openstack-operators] Allow user to see instances of other users

Mathieu Gagné mgagne at iweb.com
Thu Jun 11 22:28:57 UTC 2015


haha, you are right.

Should this also be changed so you don't end up with "admin" privileges
on all tenants?

From:

  "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",

To:

  "admin_or_owner":  "role:admin or project_id:%(project_id)s",

Note: I'm trying to find a temporary way to not have to wait for Nova to
remove all occurrences of "if not context.is_admin".

Mathieu

On 2015-06-11 6:13 PM, Sławek Kapłoński wrote:
> Hello,
> 
> But AFAIK this will give someone with role "special_role" the same privileges as 
> someone who has the "admin" role, right?
> 
> --
> Best regards
> Sławek Kapłoński
> slawek at kaplonski.pl
> 
> On Thursday, 11 June 2015 18:08:38 Mathieu Gagné wrote:
>> You can add your new role to this policy:
>>
>>   "context_is_admin":  "role:admin or role:special_role",
>>
>> It will set "is_admin" to True in the context. I'm not sure of the
>> side-effect to be honest. Use at your own risk...
>>
>> Mathieu
>>
>> On 2015-06-11 4:59 PM, George Shuklin wrote:
>>> Thank you!
>>>
>>> You saved me a day of work. Well, we'll move the script to an admin user
>>> instead of a normal user with the special role.
>>>
>>> PS And thanks for filing a bug report too.
>>>
>>> On 06/11/2015 10:40 PM, Sławek Kapłoński wrote:
>>>> Hello,
>>>>
>>>> I don't think it is possible because in nova/db/sqlalchemy/api.py in
>>>> function instance_get_all_by_filters you have something like:
>>>>
>>>> if not context.is_admin:
>>>>     # If we're not admin context, add appropriate filter..
>>>>     if context.project_id:
>>>>         filters['project_id'] = context.project_id
>>>>     else:
>>>>         filters['user_id'] = context.user_id
>>>>
>>>> This is from Juno, but in Kilo it is the same. So in fact even if you
>>>> set proper policy.json rules, it will still require an admin context to
>>>> search instances from different tenants. Maybe I'm wrong and this is
>>>> possible in some other place, and maybe someone will show me where, because I
>>>> was also looking for it last time :)
>>>>
>>>> --
>>>> Best regards
>>>> Sławek Kapłoński
>>>> slawek at kaplonski.pl
>>>>
>>>> On Thursday, 11 June 2015 21:06:31 George Shuklin wrote:
>>>>> Hello.
>>>>>
>>>>> I'm trying to allow a user with special role to see all instances of all
>>>>> tenants without giving him admin privileges.
>>>>>
>>>>> My initial attempt was to change policy.json for nova to
>>>>> "compute:get_all_tenants": "role:special_role or is_admin:True".
>>>>>
>>>>> But it didn't work well.
>>>>>
>>>>> The command (nova list --all-tenants) is not failing anymore (no 'ERROR
>>>>> (Forbidden): Policy doesn't allow compute:get_all_tenants to be
>>>>> performed.'), but the returned list is empty:
>>>>>
>>>>> nova list --all-tenants
>>>>> +----+------+--------+------------+-------------+----------+
>>>>> | ID | Name | Status | Task State | Power State | Networks |
>>>>> +----+------+--------+------------+-------------+----------+
>>>>> +----+------+--------+------------+-------------+----------+
>>>>>
>>>>>
>>>>> Any ideas how to allow a user without admin privileges to see all
>>>>> instances?
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OpenStack-operators mailing list
>>>>> OpenStack-operators at lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>>>>
>>>
>>
> 
> 
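Added example (not code from this thread, from Nova or from oslo.policy): a small Python model of the three pieces the thread is juggling, the `context_is_admin`, `compute:get_all_tenants` and `admin_or_owner` rules on one side and the `if not context.is_admin` filter from `instance_get_all_by_filters` on the other. The rule names, default rule bodies and `special_role` are taken from the messages above; the instance table, user `dave` and project `tenant-ops` are constructed, and the rule evaluator only understands the three atom kinds that appear in the thread. Running the four scenarios reproduces the empty `nova list --all-tenants`, Sławek's objection, and what Mathieu's `admin_or_owner` change does and does not fix.

```python
"""Toy model of policy.json rules versus the `if not context.is_admin` filter.

Added illustration only; this is neither Nova's nor oslo.policy's code.
The rule grammar handles just the atoms used in the thread
(role:<name>, is_admin:True, project_id:%(project_id)s) joined by 'or'.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Context:
    user_id: str
    project_id: str
    roles: List[str]
    is_admin: bool = False


# Constructed sample data: three instances in three tenants (hypothetical ids).
INSTANCES = [
    {"id": "i-1", "project_id": "tenant-a", "user_id": "alice", "name": "web"},
    {"id": "i-2", "project_id": "tenant-b", "user_id": "bob", "name": "db"},
    {"id": "i-3", "project_id": "tenant-c", "user_id": "carol", "name": "cache"},
]

# Default rule bodies as quoted in the thread.
BASE_POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:get_all_tenants": "is_admin:True",
}


def check_rule(rule: str, ctx: Context, target: Dict[str, str]) -> bool:
    """Evaluate 'atom or atom ...'; True if any atom matches."""
    for atom in (a.strip() for a in rule.split(" or ")):
        kind, _, value = atom.partition(":")
        if kind == "role" and value in ctx.roles:
            return True
        if kind == "is_admin" and ctx.is_admin == (value == "True"):
            return True
        if kind == "project_id":
            attr = value[2:-2]  # '%(project_id)s' -> attribute of the target
            if target.get(attr) is not None and ctx.project_id == target[attr]:
                return True
    return False


def make_context(policy, user_id, project_id, roles) -> Context:
    """context_is_admin is evaluated once and cached as ctx.is_admin, which is
    what code paths such as the DB filter consult directly."""
    ctx = Context(user_id, project_id, list(roles))
    ctx.is_admin = check_rule(policy["context_is_admin"], ctx, {})
    return ctx


def instance_get_all_by_filters(ctx: Context, filters=None) -> List[dict]:
    """Same shape as the Juno/Kilo snippet quoted above: a non-admin context
    is pinned to its own project (or user) regardless of policy.json."""
    filters = dict(filters or {})
    if not ctx.is_admin:
        if ctx.project_id:
            filters["project_id"] = ctx.project_id
        else:
            filters["user_id"] = ctx.user_id
    return [i for i in INSTANCES if all(i.get(k) == v for k, v in filters.items())]


def nova_list_all_tenants(policy, ctx) -> Tuple[bool, List[str]]:
    """`nova list --all-tenants`: policy check first, then the DB query."""
    if not check_rule(policy["compute:get_all_tenants"], ctx, {}):
        return False, []  # ERROR (Forbidden): Policy doesn't allow ...
    return True, [i["id"] for i in instance_get_all_by_filters(ctx)]


def scenario(overrides: Dict[str, str]) -> Dict[str, object]:
    """The thread's situation: constructed user 'dave' in constructed project
    'tenant-ops' (which owns no instances), holding only special_role."""
    policy = {**BASE_POLICY, **overrides}
    ctx = make_context(policy, "dave", "tenant-ops", ["special_role"])
    allowed, ids = nova_list_all_tenants(policy, ctx)
    # Would dave pass admin_or_owner on another tenant's instance (i-2)?
    foreign = check_rule(policy["admin_or_owner"], ctx, INSTANCES[1])
    return {"is_admin": ctx.is_admin, "allowed": allowed,
            "ids": ids, "admin_or_owner_on_tenant_b": foreign}


if __name__ == "__main__":
    for label, ov in [
        ("default policy", {}),
        ("George: open compute:get_all_tenants",
         {"compute:get_all_tenants": "role:special_role or is_admin:True"}),
        ("Mathieu 1: add the role to context_is_admin",
         {"context_is_admin": "role:admin or role:special_role"}),
        ("Mathieu 2: ... and admin_or_owner on role:admin",
         {"context_is_admin": "role:admin or role:special_role",
          "admin_or_owner": "role:admin or project_id:%(project_id)s"}),
    ]:
        print(f"{label}: {scenario(ov)}")
```

In the second scenario the policy check passes but the filter pins the query to `tenant-ops`, so the list is empty exactly as George saw. In the third, `is_admin` becomes True and the user sees every instance, but also satisfies `is_admin:True` in `admin_or_owner` on any tenant's instance, which is Sławek's objection. In the fourth, Mathieu's `admin_or_owner` change removes that cross-tenant match while leaving `ids` complete, which is also the caveat in his note: any code that tests `context.is_admin` directly still treats `special_role` as admin.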



