On 24/06/2025 14:08, Sławek Kapłoński wrote:
Hi,
Dnia wtorek, 24 czerwca 2025 14:48:55 czas środkowoeuropejski letni Thamanna Farhath pisze:
Hi,
Thanks for the responses so far.
Nova:
Using GET /servers/detail?all_tenants=1&id=<uuid> works with our custom admin_instance_read role — appreciate the suggestion.
However, other instance-level actions (pause, resume, delete, etc.) still fail with 404 unless the admin role is used, even when the instance is visible. Is there any way to relax these checks for trusted custom roles?
We understand from earlier messages that this behavior is due to hardcoded DB-layer restrictions or missing full RBAC scope evaluations.
Neutron:
With the admin_network_read role assigned to a system-level user, we are still unable to list or access all networks across projects (including shared/external). as far as i am aware networks are considered project scooped reosorces so then shoudl never be visable to a system scoped token even with custom policy.
As mentioned by @, it appears that database-level filters in Neutron are still restricting visibility. We've looked at the suggested line here:
https://github.com/openstack/neutron-lib/blob/fd011c9/neutron_lib/db/model_q...
Is there a workaround or patch available to bypass this, or should we wait for a fix as per Bug #2115184? Nope, there is no workaround nor patch proposed yet. i would argue that it probaly should not be considerd a bug assuming when they say "system-level user" they actully mean a user with a system scoped token.
We’re trying to delegate operational tasks without assigning full admin rights, so fine-grained RBAC is essential.
Thanks,
Thamanna Farhath
---- On Mon, 23 Jun 2025 14:26:55 +0530 Sławek Kapłoński <skaplons@redhat.com> wrote ---
Hi,
Dnia piątek, 13 czerwca 2025 09:31:50 czas środkowoeuropejski letni Sławek Kapłoński pisze:
Hi,
From a quick look at Neutron and "get_network" policy it seems for me that this is not really filtered out on the API policy level but when data is fetched from the database, exactly in https://github.com/openstack/neutron-lib/blob/fd011c955dfae1072555c69b6ba742... I think that you should open LP bug for Neutron for this. I will try to look deeper into it when I will have some time.
I've just opened bug regarding this for Neutron: https://bugs.launchpad.net/neutron/+bug/2115184 and I will try to take a look at it in next days.
Dnia piątek, 13 czerwca 2025 07:04:29 czas środkowoeuropejski letni Thamanna Farhath pisze:
Hi Team,
As part of enhancing our OpenStack RBAC policy management, we are in the process of setting up custom roles for various admin-related activities.
Custom Roles Used: admin_instance_read,admin_volume_read,admin_network_read,admin_glance_read
Policy Customizations:
# Compute - List all instances across tenants "os_compute_api:servers:index:get_all_tenants": "rule:context_is_admin or role:admin_instance_read" "os_compute_api:servers:detail:get_all_tenants": "rule:context_is_admin or role:admin_instance_read"
# Network - Get networks (shared/external/own project) "get_network": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc or role:admin_network_read"
# Volume - List all volumes and snapshots across projects "volume:get_all": "rule:xena_system_admin_or_project_reader or role:admin_volume_read" "volume:get_all_snapshots": "rule:xena_system_admin_or_project_reader or role:admin_volume_read"
# Image - List all images including shared/community/public "get_image": "role:admin or (role:reader and project_id:%(project_id)s) or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s or role:admin_glance_read" "get_images": "role:admin or (role:reader and project_id:%(project_id)s) or role:admin_glance_read"
Issue:
Despite the above configurations, listing all instances, images, volumes, and networks across all projects still only works for the admin role. The custom roles (e.g., admin_instance_read, etc.) are not taking effect for cross-project visibility as expected.
Request:
I would appreciate any suggestions or insights on:
Whether additional policy bindings or role scopes are required.
If any service-specific constraints might be overriding the custom roles.
Any known limitations regarding get_all_tenants behavior with custom roles.
Thanks & Regards
Thamanna Farhath N
Associate engineer - R&D
Zybisys IT consulting Disclaimer : The content of this email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify the sender and remove the messages from your system. If you are not the named addressee, it is strictly forbidden for you to share, circulate, distribute or copy any part of this e-mail to any third party without the written consent of the sender.
E-mail transmission cannot be guaranteed to be secured or error free as information could be intercepted, corrupted, lost, destroyed, arrive late, incomplete, or may contain viruses. Therefore, we do not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. The recipient should check this e-mail and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email."
-- Slawek Kaplonski Principal Software Engineer Red Hat
-- Slawek Kaplonski Principal Software Engineer Red Hat Disclaimer : The content of this email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify the sender and remove the messages from your system. If you are not the named addressee, it is strictly forbidden for you to share, circulate, distribute or copy any part of this e-mail to any third party without the written consent of the sender.
E-mail transmission cannot be guaranteed to be secured or error free as information could be intercepted, corrupted, lost, destroyed, arrive late, incomplete, or may contain viruses. Therefore, we do not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. The recipient should check this e-mail and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email."