[Openstack-operators] ocata nova /etc/nova/policy.json

Ghanshyam Mann gmann at ghanshyammann.com
Fri Sep 7 02:28:22 UTC 2018


 ---- On Thu, 06 Sep 2018 23:53:10 +0900 Ignazio Cassano <ignaziocassano at gmail.com> wrote ---- 
 > Thanks but I made a mistake because I forgot to change user variables before deleting the instance. User belonging to user role cannot delete instances of other projects. Sorry for my mistake.
 > Regards
 > Ignazio

On the policy side, Nova has policy in code now. For showing all projects' servers, Nova has a policy rule [1] for that, which controls the --all-projects parameter. By default it is 'admin' only, so the demo user cannot see the other instances until this rule is modified in your policy.json.

[1]
os_compute_api:servers:index:get_all_tenants
os_compute_api:servers:detail:get_all_tenants
https://docs.openstack.org/nova/latest/configuration/policy.html 

-gmann

 > 
 > On Thu 6 Sep 2018 at 16:41, iain MacDonnell <iain.macdonnell at oracle.com> wrote:
 > 
 >  
 >  On 09/06/2018 06:31 AM, Ignazio Cassano wrote:
 >  > I installed openstack ocata on centos and I saw /etc/nova/policy.json 
 >  > contains the following:
 >  > {
 >  > }
 >  > 
 >  > I created an instance in a project "admin" with user admin that 
 >  > belongs to admin project
 >  > 
 >  > I created a demo project with a user demo with "user" role.
 >  > 
 >  > Using command lines (openstack server list --all-projects) the user demo 
 >  > can list the admin instances and can also delete one of them.
 >  > 
 >  > I think this is a bug and a nova policy.json must be created with some 
 >  > rules for avoiding the above.
 >  
 >  See 
 >  https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/policy-in-code.html
 >  
 >  You have something else going on ...
 >  
 >       ~iain
 >  
 >  
 >  
 >  
 >  _______________________________________________
 >  OpenStack-operators mailing list
 >  OpenStack-operators at lists.openstack.org
 >  http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
 > 
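
An operator-side check for the two rules named in the reply above, added here as an example (not code from the thread or from Nova): it reports whether a policy.json leaves them at the in-code default or overrides them. It assumes oslo.policy check-string semantics, where an empty check or "@" always allows and "!" always denies; the status labels, the "everyone" alias and both sample files are constructed for illustration.

```python
import json

# The two rules named in the reply above (they gate --all-projects).
ALL_TENANTS_RULES = (
    "os_compute_api:servers:index:get_all_tenants",
    "os_compute_api:servers:detail:get_all_tenants",
)

def classify(value, rules, seen=()):
    """Classify one check string from a policy file (assumed oslo.policy semantics)."""
    if value in ("", "@", []):      # empty check or "@": always allowed
        return "ALLOWS-EVERYONE"
    if value == "!":                # "!": always denied
        return "DENIES-EVERYONE"
    if isinstance(value, str) and value.startswith("rule:"):
        alias = value[len("rule:"):]
        if alias in rules and alias not in seen:  # follow aliases defined in this file
            return classify(rules[alias], rules, seen + (alias,))
    return "OVERRIDDEN-REVIEW"      # anything else needs a human to read it

def audit(policy_text):
    """Return {rule name: status} for the --all-projects rules."""
    rules = json.loads(policy_text)
    return {
        name: classify(rules[name], rules) if name in rules else "DEFAULT-IN-CODE"
        for name in ALL_TENANTS_RULES
    }

# Constructed sample 1: the empty file from the thread; in-code defaults apply.
EMPTY_POLICY = "{\n}"

# Constructed sample 2: a hypothetical override that opens one rule to every user.
WEAK_POLICY = json.dumps({
    "everyone": "",
    "os_compute_api:servers:index:get_all_tenants": "rule:everyone",
    "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api",
})

if __name__ == "__main__":
    for label, text in (("empty", EMPTY_POLICY), ("weak", WEAK_POLICY)):
        for name, status in audit(text).items():
            print(f"{label:5} {status:18} {name}")
```

A status of OVERRIDDEN-REVIEW only means the file replaces the in-code default with something this script does not evaluate; read that check string by hand.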




