Hey Cinder team,

We're running into a problem where our SystemReader role can't use the `all_tenants` filter when listing Cinder volumes (e.g., via `openstack volume list --all-projects`). The filter is getting stripped at the API layer here. This is a blocker for auditability and integrating with third-party CMDB systems, as granting full admin access for these tools isn't a secure option. We’ve seen similar functionality handled in other services like Nova (e.g., `os_compute_api:servers:index:get_all_tenants` for SystemReader), as well as in Keystone and Neutron via policy tuning.

Is there a particular reason this pattern hasn’t been implemented yet in Cinder? And would it make sense to consider making this configurable via the `volume:get_all_tenants_filter` policy rule?

Appreciate any insights!

Best regards,

Serhii K.