19 Jun
2025
19 Jun
'25
1:34 p.m.
hi all! ср, 18 черв. 2025 р. о 21:32 Ghanshyam Maan <gmaan@ghanshyammann.com> пише: > ---- On Tue, 17 Jun 2025 00:59:22 -0700 Thamanna Farhath < > thamanna.f@zybisys.com> wrote --- > > Hi Ghanshyam, > > > > Thanks for your input. > > > > I’ve created a custom role (admin_instance_read) to allow listing > instances across all projects without using the admin role. Listing works > fine using policies like: > > > > Option 1: > > "os_compute_api:servers:index:get_all_tenants": > "role:admin_instance_read" > > "os_compute_api:servers:detail:get_all_tenants": > "role:admin_instance_read" > > Option 2: > > "admin_or_admin_instance_read": "role:admin or > role:admin_instance_read""os_compute_api:servers:index:get_all_tenants": > "rule:admin_or_admin_instance_read""os_compute_api:servers:detail:get_all_tenants": > "rule:admin_or_admin_instance_read" > > Option 3: > > "os_compute_api:servers:index:get_all_tenants": "rule:context_is_admin > or > role:admin_instance_read""os_compute_api:servers:detail:get_all_tenants": > "rule:context_is_admin or role:admin_instance_read" > > In all three cases: > > > > Listing instances (GET /servers?all_tenants=1) works fine. > > > > > > Getting instance details or performing actions fails with 404 unless > the user has the admin role. > > > > > > { "itemNotFound": { "code": 404, "message": "Instance <uuid> > could not be found." }} > > Is there an additional policy or workaround needed to allow full > cross-project access for custom roles? > > That is exxpected behavior. Nova allow non-admin (if policy overriden) > only to list/list-detail instances across projects. Any other > operation on instances are restricted to owner (user within same project) > or admin only. > > I completely understand and agree with enforcing strict validation to ensure only admins can modify workloads across projects. However, I'm curious about the reasoning behind restricting read operations - specifically the GET /servers/{id} API. What are the concerns that prevent using the same policy (i.e., `os_compute_api:servers:index:get_all_tenants`) for server detail retrieval? Functionally, it seems similar to listing servers with a UUID filter. We’re working on integrating OpenStack with third-party systems (audit for example). While servers list API seems enough, debugging for a particular server status looks far from ideal :) > > -gmaan > > > > > Thanks & regards, > > > > Thamanna Farhath > > > > > > ---- On Sat, 14 Jun 2025 00:20:34 +0530 Ghanshyam Maan < > gmaan@ghanshyammann.com> wrote --- > > > > > > > > > > > > Disclaimer : The content of this email and anyfiles transmitted with > it are confidential and intended solely for the use ofthe individual or > entity to which they are addressed. If you have received thisemail in > error, please notify the sender and remove the messages from yoursystem. If > you are not the named addressee, it is strictly forbidden for you toshare, > circulate, distribute or copy any part of this e-mail to any third > partywithout the written consent of the sender. > > > > > > E-mail transmission cannot be guaranteed to besecured or error free as > information could be intercepted, corrupted, lost,destroyed, arrive late, > incomplete, or may contain viruses. Therefore, we donot accept liability > for any errors or omissions in the contents of thismessage, which arise as > a result of e-mail transmission. The recipient shouldcheck this e-mail and > any attachments for the presence of viruses. The companyaccepts no > liability for any damage caused by any virus transmitted by thisemail." > > > > > > ---- On Thu, 12 Jun 2025 22:04:29 -0700 Thamanna Farhath < > thamanna.f@zybisys.com> wrote --- > > > Hi Team, > > > > > > As part of enhancing our OpenStack RBAC policy management, we are in > the process of setting up custom roles for various admin-related > activities. > > > > > > Custom Roles Used: > admin_instance_read,admin_volume_read,admin_network_read,admin_glance_read > > > Policy Customizations: > > > > > > # Compute - List all instances across > tenants"os_compute_api:servers:index:get_all_tenants": > "rule:context_is_admin or > role:admin_instance_read""os_compute_api:servers:detail:get_all_tenants": > "rule:context_is_admin or role:admin_instance_read"# Network - Get networks > (shared/external/own project)"get_network": "(rule:admin_only) or > (role:reader and project_id:%(project_id)s) or rule:shared or rule:external > or rule:context_is_advsvc or role:admin_network_read"# Volume - List all > volumes and snapshots across projects"volume:get_all": > "rule:xena_system_admin_or_project_reader or > role:admin_volume_read""volume:get_all_snapshots": > "rule:xena_system_admin_or_project_reader or role:admin_volume_read"# Image > - List all images including shared/community/public"get_image": "role:admin > or (role:reader and project_id:%(project_id)s) or project_id:%(member_id)s > or 'community':%(visibility)s or 'public':%(visibility)s or > 'shared':%(visibility)s or role:admin_glance_read""get_images": "role:admin > or (role:reader and project_id:%(project_id)s) or role:admin_glance_read" > > > Issue: > > > > > > Despite the above configurations, listing all instances, images, > volumes, and networks across all projects still only works for the admin > role. The custom roles (e.g., admin_instance_read, etc.) are not taking > effect for cross-project visibility as expected. > > > > > > > What error or instances list do you get for 'admin_instance_read' ? > > > > If policy is allowed as per customer override, then compute allowsthe > user to list cross-project instances but I will > > suggest to remove the admin access from policy and try how it behaves: > > > > # Compute - List all instances across tenants > > "os_compute_api:servers:index:get_all_tenants": > "role:admin_instance_read" > > "os_compute_api:servers:detail:get_all_tenants": > "role:admin_instance_read" > > > > > Request: > > > > > > I would appreciate any suggestions or insights on: > > > > > > Whether additional policy bindings or role scopes are required. > > > > > > > > > If any service-specific constraints might be overriding the custom > roles. > > > > > > > > > Any known limitations regarding get_all_tenants behavior with custom > roles. > > > > Can you list the command/API you are trying to list all instance? > > > > In compute, along with project-id filter you need to pass > '--all-tenants' filter also, otherwise nova will always > > return requested user instances only. > > > > -gmaan > > > > > > > > > > > > > > > > > Thanks & Regards > > > Thamanna Farhath N > > > Associate engineer - R&D > > > Zybisys IT consulting > > > > > > > > > > > > Disclaimer : The content of this email and anyfiles transmitted > with it are confidential and intended solely for the use ofthe individual > or entity to which they are addressed. If you have received thisemail in > error, please notify the sender and remove the messages from yoursystem. If > you are not the named addressee, it is strictly forbidden for you toshare, > circulate, distribute or copy any part of this e-mail to any third > partywithout the written consent of the sender. > > > > > > > > > E-mail transmission cannot be guaranteed to besecured or error free > as information could be intercepted, corrupted, lost,destroyed, arrive > late, incomplete, or may contain viruses. Therefore, we donot accept > liability for any errors or omissions in the contents of thismessage, which > arise as a result of e-mail transmission. The recipient shouldcheck this > e-mail and any attachments for the presence of viruses. The companyaccepts > no liability for any damage caused by any virus transmitted by thisemail." > > > > > > > > > > > > > > > -- Best regards, Andriy Kurilin.