[Openstack-operators] Allow user to see instances of other users
Sławek Kapłoński
slawek at kaplonski.pl
Fri Jun 12 20:20:22 UTC 2015
Hello,
I don't know if such a solution will work properly. I don't have the possibility to
check it now :/
--
Pozdrawiam / Best regards
Sławek Kapłoński
slawek at kaplonski.pl
On Thursday, 11 June 2015 18:28:57 Mathieu Gagné wrote:
> haha, you are right.
>
> Should this also be changed so you don't end up with "admin" privileges
> on all tenants?
>
> From:
>
> "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
>
> To:
>
> "admin_or_owner": "role:admin or project_id:%(project_id)s",
>
> Note: I'm trying to find a temporary way to not have to wait for Nova to
> remove all occurrences of "if not context.is_admin".
>
> Mathieu
>
> On 2015-06-11 6:13 PM, Sławek Kapłoński wrote:
> > Hello,
> >
> > But AFAIK this will give someone with the role "special_role" the same
> > privileges as someone who has the "admin" role, right?
> >
> > --
> > Pozdrawiam / Best regards
> > Sławek Kapłoński
> > slawek at kaplonski.pl
> >
> > On Thursday, 11 June 2015 18:08:38 Mathieu Gagné wrote:
> >> You can add your new role to this policy:
> >> "context_is_admin": "role:admin or role:special_role",
> >>
> >> It will set "is_admin" to True in the context. I'm not sure of the
> >> side-effect to be honest. Use at your own risk...
> >>
> >> Mathieu
> >>
> >> On 2015-06-11 4:59 PM, George Shuklin wrote:
> >>> Thank you!
> >>>
> >>> You saved me a day of work. Well, we'll move the script to an admin user
> >>> instead of a normal user with the special role.
> >>>
> >>> PS And thanks for filing a bug report too.
> >>>
> >>> On 06/11/2015 10:40 PM, Sławek Kapłoński wrote:
> >>>> Hello,
> >>>>
> >>>> I don't think it is possible, because in nova/db/sqlalchemy/api.py in
> >>>> the function instance_get_all_by_filters you have something like:
> >>>>
> >>>> if not context.is_admin:
> >>>>     # If we're not admin context, add appropriate filter..
> >>>>     if context.project_id:
> >>>>         filters['project_id'] = context.project_id
> >>>>     else:
> >>>>         filters['user_id'] = context.user_id
> >>>>
> >>>> This is from Juno, but in Kilo it is the same. So in fact even if you
> >>>> set proper policy.json rules, it will still require an admin context to
> >>>> search instances from different tenants. Maybe I'm wrong and this is
> >>>> possible in some other place, and maybe someone will show me where,
> >>>> because I was also looking for it last time :)
> >>>>
> >>>> --
> >>>> Pozdrawiam / Best regards
> >>>> Sławek Kapłoński
> >>>> slawek at kaplonski.pl
> >>>>
> >>>> On Thursday, 11 June 2015 21:06:31 George Shuklin wrote:
> >>>>> Hello.
> >>>>>
> >>>>> I'm trying to allow a user with a special role to see all instances of
> >>>>> all tenants without giving him admin privileges.
> >>>>>
> >>>>> My initial attempt was to change policy.json for nova to
> >>>>> "compute:get_all_tenants": "role:special_role or is_admin:True".
> >>>>>
> >>>>> But it didn't work well.
> >>>>>
> >>>>> The command (nova list --all-tenants) is not failing anymore (no
> >>>>> 'ERROR (Forbidden): Policy doesn't allow compute:get_all_tenants to be
> >>>>> performed.'), but the returned list is empty:
> >>>>>
> >>>>> nova list --all-tenants
> >>>>> +----+------+--------+------------+-------------+----------+
> >>>>> | ID | Name | Status | Task State | Power State | Networks |
> >>>>> +----+------+--------+------------+-------------+----------+
> >>>>> +----+------+--------+------------+-------------+----------+
> >>>>>
> >>>>>
> >>>>> Any ideas how to allow a user without admin privileges to see all
> >>>>> instances?
> >>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> OpenStack-operators mailing list
> >>>>> OpenStack-operators at lists.openstack.org
> >>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> >>>>>
> >>>>>
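The interaction the thread is about, as an added example that is not from the thread and not Nova's own code: a toy Python model of how a policy.json rule and the "if not context.is_admin" filter in instance_get_all_by_filters combine. The rule evaluator is a deliberately small re-implementation of a subset of the oslo.policy rule syntax (role:X, is_admin:True, key:%(key)s, "and"/"or"), not oslo.policy itself; the instance records, user names ("carol", "alice", "bob") and tenant names are constructed. It walks through the four policy variants discussed above: the default, George's API-only change (no Forbidden error but an empty list), Mathieu's context_is_admin change (sees every tenant, but is_admin:True then also satisfies admin_or_owner on other tenants' instances), and the follow-up of keying admin_or_owner on role:admin instead.

```python
# Added example, not from the thread or from Nova. Toy model of how a
# policy.json rule and the "if not context.is_admin" DB filter interact.
# Only a subset of the oslo.policy rule syntax is implemented here.
from dataclasses import dataclass

@dataclass
class Context:
    user_id: str
    project_id: str
    roles: tuple
    is_admin: bool = False

def _match_check(token, ctx, target):
    """Evaluate one 'kind:value' check against the request context/target."""
    kind, _, value = token.partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "is_admin":
        return ctx.is_admin == (value == "True")
    if value.startswith("%(") and value.endswith(")s"):
        # generic check: compare a context attribute with a target field
        return getattr(ctx, kind) == target.get(value[2:-2])
    raise ValueError("unsupported check: %s" % token)

def check_rule(rule, ctx, target=None):
    """'a or b and c': 'and' binds tighter than 'or'; no parentheses."""
    target = target or {}
    return any(
        all(_match_check(tok.strip(), ctx, target) for tok in clause.split(" and "))
        for clause in rule.split(" or ")
    )

def build_context(policy, user_id, project_id, roles):
    """Like nova.context: is_admin is derived from the context_is_admin rule."""
    ctx = Context(user_id, project_id, tuple(roles))
    ctx.is_admin = check_rule(policy["context_is_admin"], ctx)
    return ctx

# Constructed sample data: two tenants; the special-role user owns nothing.
INSTANCES = [
    {"id": "i-1", "project_id": "tenant-a", "user_id": "alice"},
    {"id": "i-2", "project_id": "tenant-b", "user_id": "bob"},
]

def instance_get_all_by_filters(ctx, filters):
    """Same shape as the Nova DB function quoted in the thread."""
    filters = dict(filters)
    if not ctx.is_admin:
        # not an admin context: scope the query to the caller's project/user
        if ctx.project_id:
            filters["project_id"] = ctx.project_id
        else:
            filters["user_id"] = ctx.user_id
    return [i for i in INSTANCES if all(i.get(k) == v for k, v in filters.items())]

def list_all_tenants(policy, ctx):
    """`nova list --all-tenants`: API policy check, then the DB query."""
    if not check_rule(policy["compute:get_all_tenants"], ctx):
        raise PermissionError(
            "Policy doesn't allow compute:get_all_tenants to be performed.")
    return [i["id"] for i in instance_get_all_by_filters(ctx, {})]

def may_modify(policy, ctx, instance):
    """An owner-scoped action (delete, reboot, ...) guarded by admin_or_owner."""
    return check_rule(policy["admin_or_owner"], ctx,
                      {"project_id": instance["project_id"]})

DEFAULT = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:get_all_tenants": "is_admin:True",
}
# George's first attempt: only the API rule is relaxed.
API_ONLY = dict(DEFAULT, **{
    "compute:get_all_tenants": "role:special_role or is_admin:True"})
# Mathieu's suggestion: make the role an admin context ...
ADMIN_CTX = dict(API_ONLY, **{
    "context_is_admin": "role:admin or role:special_role"})
# ... and his follow-up: key admin_or_owner on the real admin role.
ADMIN_CTX_SCOPED = dict(ADMIN_CTX, **{
    "admin_or_owner": "role:admin or project_id:%(project_id)s"})

def run_scenario(policy):
    """(instance ids the special-role user sees, may she modify tenant-b's VM?)"""
    ctx = build_context(policy, "carol", "tenant-c", ["member", "special_role"])
    try:
        seen = list_all_tenants(policy, ctx)
    except PermissionError as exc:
        seen = str(exc)
    return seen, may_modify(policy, ctx, INSTANCES[1])

if __name__ == "__main__":
    for name, pol in [("default", DEFAULT), ("api-only", API_ONLY),
                      ("admin-ctx", ADMIN_CTX), ("admin-ctx+scoped", ADMIN_CTX_SCOPED)]:
        print("%-17s %s" % (name, run_scenario(pol)))
```

Running it prints one line per variant: the default raises the Forbidden error, the API-only change returns an empty list because the DB layer still scopes the query to tenant-c, the context_is_admin change returns both instances but also lets the special-role user pass admin_or_owner on tenant-b's instance, and the scoped variant keeps the listing while admin_or_owner fails again. The model covers a single DB call; as Mathieu notes, other "if not context.is_admin" checks in Nova are affected by the context_is_admin change in the same way, so the last variant still grants whatever those checks gate.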