On 09/07/2025 14:36, Masahito Muroi wrote:
Hi Sean,
Thanks for the quick reply and sorry for the confusion.
Yes, the combination of a private flavor and giving access to a project means the project can see the flavor and use the flavor to provision an instance. The flavor access permission now makes the flavor both visible and usable.
What we want to do is give only flavor visibility, not make the flavor usable.
I see, I'm kind of wondering why you want end users to be able to see a flavor that they cannot use. The current functionality assumes you should only see the flavors you can use. I could see evolving the API to allow you to decouple the two, i.e. have a flavor be public but allow restricting it to a specific project, but I'm interested in why you see value in that. I'm not discounting that there might be, just I'm not sure how to frame that as a use case/requirement, i.e. if we were to describe this in a spec, what capability does this provide to a cloud operator that can be done when the visibility and consumption are coupled?
The use case I wrote may have been confusing. We want to manage the permission for a project, not a user.
thanks, Masahito
-----Original Message-----
From: "Sean Mooney" <smooney@redhat.com>
To: "Masahito Muroi" <masahito.muroi@lycorp.co.jp>; <openstack-discuss@lists.openstack.org>
Cc:
Sent: 2025/07/07 (Mon) 21:50 (GMT+09:00)
Subject: Re: [Nova] Flavor visibility management
On 07/07/2025 07:51, Masahito Muroi wrote:
Hi Nova team,
I wonder whether there is an official Nova way to manage a flavor's visibility. The is_public flag can manage whether a flavor is visible to all users or not, but it can't block a user from using the flavor.
You do that by making the flavor private and then using the flavor access API to make that private flavor only accessible to a specific project. https://urldefense.com/v3/__https://docs.openstack.org/api-ref/compute/*flav...
If you use the flavor access API to restrict a private flavor to a project, only members of that project will be able to create VMs with that flavor.
Use case:
- Cloud admin sets up some custom flavors for users, but the custom flavors are not available to all users at the beginning.
- Cloud user needs to get some approval to use the custom flavor before using the custom flavor.
- Cloud system needs to show the list of custom flavors not approved yet to cloud users.
We do not support mapping flavor access to users, only to projects.
In general, most API resources in OpenStack are not user-owned; they are project-owned.
For example, a Nova server is not owned by a user; it's owned by a project. The only user-owned resource in Nova is the user's keypair.
So we do not have the concept of restricting a flavor to a user, only to a project.
We do not have a user-level equivalent and I'm not convinced we would add one in the future. VMs are not owned by a user even if they are created by a given user; they are a project-scoped resource and I'm not sure it would make sense for one user in a project to be able to create a VM but not another. It would also have lots of subtle edge cases like resize revert,
i.e. if the user who is doing the revert does not have access to the flavor, would it be valid to allow the revert? That would likely also break things like Heat, preventing it from being able to autoscale VMs for example, although Heat may already be cheating via admin tokens so it may not actually be a problem in that specific case.
In any case, changing the flavor access API to operate on anything other than the project level would be a non-trivial API change.
The problem is that users can only see flavors which have already gotten approval. If not, they can't see the custom flavor list using the flavor list API. It's kind of a chicken-and-egg problem.
Flavors being visible to cloud user means the cloud user can create an instance using the visible flavor.
best regards, Masahito