19 Jun 2025, 2:34 a.m.
hi all!
On Wed, 18 Jun 2025 at 21:32, Ghanshyam Maan <gmaan@ghanshyammann.com> wrote:
> ---- On Tue, 17 Jun 2025 00:59:22 -0700 Thamanna Farhath <
> thamanna.f@zybisys.com> wrote ---
> > Hi Ghanshyam,
> >
> > Thanks for your input.
> >
> > I’ve created a custom role (admin_instance_read) to allow listing
> > instances across all projects without using the admin role. Listing works
> > fine using policies like:
> >
> > Option 1:
> > "os_compute_api:servers:index:get_all_tenants": "role:admin_instance_read"
> > "os_compute_api:servers:detail:get_all_tenants": "role:admin_instance_read"
> >
> > Option 2:
> > "admin_or_admin_instance_read": "role:admin or role:admin_instance_read"
> > "os_compute_api:servers:index:get_all_tenants": "rule:admin_or_admin_instance_read"
> > "os_compute_api:servers:detail:get_all_tenants": "rule:admin_or_admin_instance_read"
> >
> > Option 3:
> > "os_compute_api:servers:index:get_all_tenants": "rule:context_is_admin or role:admin_instance_read"
> > "os_compute_api:servers:detail:get_all_tenants": "rule:context_is_admin or role:admin_instance_read"
> > In all three cases:
> >
> > Listing instances (GET /servers?all_tenants=1) works fine.
> >
> > Getting instance details or performing actions fails with 404 unless
> > the user has the admin role.
> >
> > { "itemNotFound": { "code": 404, "message": "Instance <uuid> could not be found." }}
> >
> > Is there an additional policy or workaround needed to allow full
> > cross-project access for custom roles?
>
> That is expected behavior. Nova allows non-admin users (if the policy is
> overridden) only to list/list-detail instances across projects. Any other
> operation on instances is restricted to the owner (a user within the same
> project) or admin only.
>
I completely understand and agree with enforcing strict validation to
ensure only admins can modify workloads across projects. However, I'm
curious about the reasoning behind restricting read operations -
specifically the GET /servers/{id} API.
What are the concerns that prevent using the same policy (i.e.,
`os_compute_api:servers:index:get_all_tenants`) for server detail
retrieval? Functionally, it seems similar to listing servers with a UUID
filter.
We’re working on integrating OpenStack with third-party systems (audit, for
example). While the servers list API seems enough, debugging the status of a
particular server looks far from ideal :)
>
> -gmaan
>
> >
> > Thanks & regards,
> >
> > Thamanna Farhath
> >
> >
> > ---- On Sat, 14 Jun 2025 00:20:34 +0530 Ghanshyam Maan <
> gmaan@ghanshyammann.com> wrote ---
> >
> > Disclaimer : The content of this email and any files transmitted with
> > it are confidential and intended solely for the use of the individual or
> > entity to which they are addressed. If you have received this email in
> > error, please notify the sender and remove the messages from your system. If
> > you are not the named addressee, it is strictly forbidden for you to share,
> > circulate, distribute or copy any part of this e-mail to any third
> > party without the written consent of the sender.
> >
> > E-mail transmission cannot be guaranteed to be secured or error free as
> > information could be intercepted, corrupted, lost, destroyed, arrive late,
> > incomplete, or may contain viruses. Therefore, we do not accept liability
> > for any errors or omissions in the contents of this message, which arise as
> > a result of e-mail transmission. The recipient should check this e-mail and
> > any attachments for the presence of viruses. The company accepts no
> > liability for any damage caused by any virus transmitted by this email.
> >
> >
> > ---- On Thu, 12 Jun 2025 22:04:29 -0700 Thamanna Farhath <
> thamanna.f@zybisys.com> wrote ---
> > > Hi Team,
> > >
> > > As part of enhancing our OpenStack RBAC policy management, we are in
> > > the process of setting up custom roles for various admin-related
> > > activities.
> > >
> > > Custom Roles Used: admin_instance_read, admin_volume_read, admin_network_read, admin_glance_read
> > > Policy Customizations:
> > >
> > > # Compute - List all instances across tenants
> > > "os_compute_api:servers:index:get_all_tenants": "rule:context_is_admin or role:admin_instance_read"
> > > "os_compute_api:servers:detail:get_all_tenants": "rule:context_is_admin or role:admin_instance_read"
> > >
> > > # Network - Get networks (shared/external/own project)
> > > "get_network": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc or role:admin_network_read"
> > >
> > > # Volume - List all volumes and snapshots across projects
> > > "volume:get_all": "rule:xena_system_admin_or_project_reader or role:admin_volume_read"
> > > "volume:get_all_snapshots": "rule:xena_system_admin_or_project_reader or role:admin_volume_read"
> > >
> > > # Image - List all images including shared/community/public
> > > "get_image": "role:admin or (role:reader and project_id:%(project_id)s) or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s or role:admin_glance_read"
> > > "get_images": "role:admin or (role:reader and project_id:%(project_id)s) or role:admin_glance_read"
> > > Issue:
> > >
> > > Despite the above configurations, listing all instances, images,
> > > volumes, and networks across all projects still only works for the admin
> > > role. The custom roles (e.g., admin_instance_read, etc.) are not taking
> > > effect for cross-project visibility as expected.
> > >
> >
> > What error or instance list do you get for 'admin_instance_read'?
> >
> > If the policy is allowed as per the custom override, then compute allows the
> > user to list cross-project instances, but I would
> > suggest removing the admin access from the policy and trying how it behaves:
> >
> > # Compute - List all instances across tenants
> > "os_compute_api:servers:index:get_all_tenants": "role:admin_instance_read"
> > "os_compute_api:servers:detail:get_all_tenants": "role:admin_instance_read"
> >
> > > Request:
> > >
> > > I would appreciate any suggestions or insights on:
> > >
> > > Whether additional policy bindings or role scopes are required.
> > >
> > > If any service-specific constraints might be overriding the custom roles.
> > >
> > > Any known limitations regarding get_all_tenants behavior with custom roles.
> >
> > Can you share the command/API you are using to list all instances?
> >
> > In compute, along with the project-id filter you need to pass the
> > '--all-tenants' filter as well, otherwise nova will always
> > return only the requesting user's instances.
> >
> > -gmaan
> >
> > >
> > > Thanks & Regards
> > > Thamanna Farhath N
> > > Associate engineer - R&D
> > > Zybisys IT consulting
> > >
--
Best regards,
Andriy Kurilin.
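A minimal model of the oslo.policy-style rule evaluation this thread is about, added here as an example (it is not code from the thread, from Nova or from oslo.policy): it parses rule strings like the three options above (`role:`, `rule:`, `or`/`and`, parentheses, `project_id:%(project_id)s` and literal checks such as `'public':%(visibility)s`) and shows that credentials holding only `admin_instance_read` pass the get_all_tenants rule but fail a per-instance rule. The `os_compute_api:servers:show` rule used here is a simplified owner-or-admin stand-in assumed for illustration, not Nova's actual default.

```python
"""Minimal evaluator for oslo.policy-style rule strings (added example; not
code from the thread, Nova or oslo.policy).  It models why a custom role that
is granted the get_all_tenants rules can list servers yet is still denied
per-instance operations, which are checked against owner project or admin."""
import re
# Tokens: parens, or/and, 'lit':%(field)s, key:%(field)s, role:X / rule:X
_TOKEN = re.compile(r"\(|\)|\bor\b|\band\b|'[^']*':%\([a-z_]+\)s|[a-z_]+:%\([a-z_]+\)s|[a-z_]+:\w+")

def _atom(tok, creds, target, rules):  # one check: rule:, role:, or field match
    if tok.startswith("rule:"):
        return evaluate(rules[tok[5:]], creds, target, rules)
    if tok.startswith("role:"):
        return tok[5:] in creds["roles"]
    left, _, field = tok.partition(":%(")
    field = field[:-2]                                # strip trailing ")s"
    if left.startswith("'"):                          # 'public':%(visibility)s
        return left.strip("'") == target.get(field)
    return creds.get(left) == target.get(field)       # project_id:%(project_id)s

def evaluate(rule, creds, target, rules):  # 'and' binds tighter than 'or'
    toks, pos = _TOKEN.findall(rule), [0]
    def factor():
        tok = toks[pos[0]]; pos[0] += 1
        if tok != "(":
            return _atom(tok, creds, target, rules)
        val = expr(); pos[0] += 1                      # consume the ')'
        return val
    def chain(sub, op, combine):
        val = sub()
        while pos[0] < len(toks) and toks[pos[0]] == op:
            pos[0] += 1; val = combine(val, sub())
        return val
    term = lambda: chain(factor, "and", lambda a, b: a and b)
    expr = lambda: chain(term, "or", lambda a, b: a or b)
    return expr()

# The thread's "Option 2" rules, plus a simplified owner-or-admin rule standing
# in for a per-instance operation (an assumption, not Nova's actual default).
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_admin_instance_read": "role:admin or role:admin_instance_read",
    "os_compute_api:servers:index:get_all_tenants": "rule:admin_or_admin_instance_read",
    "os_compute_api:servers:detail:get_all_tenants": "rule:admin_or_admin_instance_read",
    "os_compute_api:servers:show": "rule:context_is_admin or project_id:%(project_id)s",
}

def authorize(action, creds, target):
    return evaluate(POLICY[action], creds, target, POLICY)

if __name__ == "__main__":  # constructed: auditor in a different project than the server
    auditor = {"roles": ["admin_instance_read"], "project_id": "audit-proj"}
    server = {"project_id": "tenant-a"}
    print(authorize("os_compute_api:servers:index:get_all_tenants", auditor, server))  # True
    print(authorize("os_compute_api:servers:show", auditor, server))                   # False
```

The list call succeeds on the custom role alone while the per-instance call is denied, which is the list-works/detail-404 split reported in the thread.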