Hi Ghanshyam,

Thanks for your input. I’ve created a custom role (admin_instance_read) to allow listing instances across all projects without using the admin role. Listing works fine using policies like:

Option 1:
"os_compute_api:servers:index:get_all_tenants": "role:admin_instance_read"
"os_compute_api:servers:detail:get_all_tenants": "role:admin_instance_read"

Option 2:
"admin_or_admin_instance_read": "role:admin or role:admin_instance_read"
"os_compute_api:servers:index:get_all_tenants": "rule:admin_or_admin_instance_read"
"os_compute_api:servers:detail:get_all_tenants": "rule:admin_or_admin_instance_read"

Option 3:
"os_compute_api:servers:index:get_all_tenants": "rule:context_is_admin or role:admin_instance_read"
"os_compute_api:servers:detail:get_all_tenants": "rule:context_is_admin or role:admin_instance_read"

In all three cases:
Listing instances (GET /servers?all_tenants=1) works fine.
Getting instance details or performing actions fails with 404 unless the user has the admin role.

{
  "itemNotFound": {
    "code": 404,
    "message": "Instance <uuid> could not be found."
  }
}

Is there an additional policy or workaround needed to allow full cross-project access for custom roles?

Thanks & regards,
Thamanna Farhath

---- On Sat, 14 Jun 2025 00:20:34 +0530 Ghanshyam Maan <gmaan@ghanshyammann.com> wrote ---

---- On Thu, 12 Jun 2025 22:04:29 -0700 Thamanna Farhath <thamanna.f@zybisys.com> wrote ---
Hi Team,
As part of enhancing our OpenStack RBAC policy management, we are in the process of setting up custom roles for various admin-related activities.
Custom Roles Used: admin_instance_read, admin_volume_read, admin_network_read, admin_glance_read

Policy Customizations:

# Compute - List all instances across tenants
"os_compute_api:servers:index:get_all_tenants": "rule:context_is_admin or role:admin_instance_read"
"os_compute_api:servers:detail:get_all_tenants": "rule:context_is_admin or role:admin_instance_read"

# Network - Get networks (shared/external/own project)
"get_network": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc or role:admin_network_read"

# Volume - List all volumes and snapshots across projects
"volume:get_all": "rule:xena_system_admin_or_project_reader or role:admin_volume_read"
"volume:get_all_snapshots": "rule:xena_system_admin_or_project_reader or role:admin_volume_read"

# Image - List all images including shared/community/public
"get_image": "role:admin or (role:reader and project_id:%(project_id)s) or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s or role:admin_glance_read"
"get_images": "role:admin or (role:reader and project_id:%(project_id)s) or role:admin_glance_read"

Issue:
Despite the above configurations, listing all instances, images, volumes, and networks across all projects still only works for the admin role. The custom roles (e.g., admin_instance_read, etc.) are not taking effect for cross-project visibility as expected.
What error or instance list do you get for 'admin_instance_read'? If the policy is allowed as per the customer override, then compute allows the user to list cross-project instances, but I would suggest removing the admin access from the policy and trying how it behaves:

# Compute - List all instances across tenants
"os_compute_api:servers:index:get_all_tenants": "role:admin_instance_read"
"os_compute_api:servers:detail:get_all_tenants": "role:admin_instance_read"
Request:
I would appreciate any suggestions or insights on:
Whether additional policy bindings or role scopes are required.
If any service-specific constraints might be overriding the custom roles.
Any known limitations regarding get_all_tenants behavior with custom roles.
Can you list the command/API you are using to try to list all instances? In compute, along with the project-id filter you also need to pass the '--all-tenants' filter; otherwise nova will always return only the requesting user's instances.

-gmaan
Thanks & Regards
Thamanna Farhath N
Associate engineer - R&D
Zybisys IT consulting
Disclaimer: The content of this email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify the sender and remove the messages from your system. If you are not the named addressee, it is strictly forbidden for you to share, circulate, distribute or copy any part of this e-mail to any third party without the written consent of the sender.
E-mail transmission cannot be guaranteed to be secured or error free as information could be intercepted, corrupted, lost, destroyed, arrive late, incomplete, or may contain viruses. Therefore, we do not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. The recipient should check this e-mail and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
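As an added example (not code from this thread, from nova or from oslo.policy), a small evaluator for the rule subset the posted policies use (role:, rule:, field:%(field)s, and/or, parentheses), run over the Option 3 overrides for a user who holds only admin_instance_read. The "os_compute_api:servers:show" rule in it is an assumed project-scoped placeholder, not nova's real default text; it stands for any per-instance check the get_all_tenants overrides leave untouched, and the evaluation shows such a check still fails for the custom role while the listing checks pass.

```python
import re

# Overrides as posted (Option 3) plus the rule they reference. "servers:show"
# is an ASSUMED project-scoped placeholder, not nova's real default text.
POLICY = {
    "context_is_admin": "role:admin",
    "os_compute_api:servers:index:get_all_tenants":
        "rule:context_is_admin or role:admin_instance_read",
    "os_compute_api:servers:detail:get_all_tenants":
        "rule:context_is_admin or role:admin_instance_read",
    "os_compute_api:servers:show":  # assumed placeholder
        "rule:context_is_admin or (role:reader and project_id:%(project_id)s)",
}

# Tokens are "(" / ")" / words; a word may embed "%(field)s" without being split
TOKEN = re.compile(r"[()]|[^\s()]+(?:\([^)]*\)[^\s()]*)*")

def _atom(tok, creds, target):
    kind, _, value = tok.partition(":")
    if kind == "rule":
        return enforce(value, creds, target)
    if kind == "role":
        return value in creds["roles"]
    # "field:%(field)s" compares the caller's attribute with the target's
    field = re.fullmatch(r"%\((\w+)\)s", value).group(1)
    return creds.get(kind) == target.get(field)

def _expr(tokens, creds, target):  # "or" binds loosest
    result = _term(tokens, creds, target)
    while tokens and tokens[0] == "or":
        tokens.pop(0)
        result = _term(tokens, creds, target) or result
    return result

def _term(tokens, creds, target):  # "and" binds tighter than "or"
    result = _factor(tokens, creds, target)
    while tokens and tokens[0] == "and":
        tokens.pop(0)
        result = _factor(tokens, creds, target) and result
    return result

def _factor(tokens, creds, target):
    tok = tokens.pop(0)
    if tok == "(":
        result = _expr(tokens, creds, target)
        tokens.pop(0)  # drop the matching ")"
        return result
    return _atom(tok, creds, target)

def enforce(rule_name, creds, target):
    """True if creds (roles, project_id) satisfy POLICY[rule_name] for target."""
    return _expr(TOKEN.findall(POLICY[rule_name]), creds, target)
```

Call enforce() with the caller's credentials and the target instance's project_id to see which of the posted rules each role passes.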