Some operations are available only to the administrator, regardless of the policies?
Hi everyone, I'm currently writing a custom Nova policy for my new role, myrole. The current task is to create a role that lets a user who already has the member role see servers from another project. For example, I got a token for my user in project1, but I want to see servers in project2, where my user also has the member and myrole roles. I added this line to Nova's policy.json: "os_compute_api:servers:show": "rule:project_reader_or_admin or role:myrole". I have already assigned the member and myrole roles to my user in both project1 and project2. But I always get a 404 error when I try to show servers from project2. I get 404 even when I use "os_compute_api:servers:show": "" i.e. always true. It only works if I use the token of an admin user or my user has the admin role in project2. It looks like some operations are available to admins only?
On 28/05/2025 12:05, sluge@mail.ru wrote:
Hi everyone, I'm currently writing a custom Nova policy for my new role, myrole. The current task is to create a role that lets a user who already has the member role see servers from another project. For example, I got a token for my user in project1, but I want to see servers in project2, where my user also has the member and myrole roles. I added this line to Nova's policy.json: "os_compute_api:servers:show": "rule:project_reader_or_admin or role:myrole". I have already assigned the member and myrole roles to my user in both project1 and project2. But I always get a 404 error when I try to show servers from project2. I get 404 even when I use "os_compute_api:servers:show": "" i.e. always true.
Servers are project-scoped resources, and unless you set the project ID to project2 when creating the token, I would expect a request using project1's token to fail. You may be able to pass --all-projects to allow a token issued for a different project to function, but Nova is not really designed for this type of cross-project query.
It only works if I use the token of an admin user or my user has the admin role in project2. It looks like some operations are available to admins only?
There are some limited places where we still enforce the project at the DB level. Custom policy is not really intended to make this type of change work. Non-admins are required to use a token that is issued for the project that owns the resource. If you have added the user to both projects with your custom role, you should be able to change the project to project2 in your clouds.yaml, or when using "openstack token issue", to make it functional without admin.
---- On Wed, 28 May 2025 06:00:14 -0700 Sean Mooney <smooney@redhat.com> wrote ---
On 28/05/2025 12:05, sluge@mail.ru wrote:
Hi everyone, I'm currently writing a custom Nova policy for my new role, myrole. The current task is to create a role that lets a user who already has the member role see servers from another project. For example, I got a token for my user in project1, but I want to see servers in project2, where my user also has the member and myrole roles. I added this line to Nova's policy.json: "os_compute_api:servers:show": "rule:project_reader_or_admin or role:myrole". I have already assigned the member and myrole roles to my user in both project1 and project2. But I always get a 404 error when I try to show servers from project2. I get 404 even when I use "os_compute_api:servers:show": "" i.e. always true.
Servers are project-scoped resources, and unless you set the project ID to project2 when creating the token, I would expect a
request using project1's token to fail. You may be able to pass --all-projects to allow a token issued for a different project to function,
but Nova is not really designed for this type of cross-project query.
It only works if I use the token of an admin user or my user has the admin role in project2. It looks like some operations are available to admins only?
There are some limited places where we still enforce the project at the DB level.
Custom policy is not really intended to make this type of change work.
Non-admins are required to use a token that is issued for the project that owns the resource.
Yeah, Nova does not decide ownership by role within projects, but by user within the project and their permission level to perform the operation. We still have many admin role checks at the DB level, and policy changes will not make them work. You need admin rights for cross-project queries, and the 'os_compute_api:servers:index:get_all_tenants' policy is allowed for admin (which is the default). -gmaan
If you have added the user to both projects with your custom role, you should be able to change the project to project2 in your clouds.yaml,
or when using "openstack token issue", to make it functional without admin.
Hello, thanks a lot for your quick response. I used my role for:
1. "os_compute_api:servers:detail:get_all_tenants": "(rule:context_is_admin) or (role:myrole)" -- it works!
2. "os_compute_api:servers:index:get_all_tenants": "(rule:context_is_admin) or (role:myrole)" -- it works!
3. "os_compute_api:servers:allow_all_filters": "(rule:context_is_admin) or (role:myrole)" -- it works!
4. "os_compute_api:servers:show": "rule:project_reader_or_admin or role:myrole" -- it does not work (
All four of these targets have "Intended scope(s): project" according to the oslo policy-sample-generator utility output. Could you please suggest where to get extra info on the limitations of the different Nova and Keystone targets? DB triggers?
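The behaviour Sean and Ghanshyam describe, and the four results in the last post, can be reproduced in a small model of the two enforcement layers: the policy rule check and the project filter applied at the DB query layer. This is an added example written for this thread, not Nova or oslo.policy code. It assumes simplified default rules for context_is_admin, project_reader_api and project_reader_or_admin, supports only a subset of the oslo.policy rule grammar, assumes that servers:show loads the instance row before its policy rule is evaluated, and uses constructed sample servers; the Context, allowed, model_query, show_server and list_servers names are the model's own.

```python
"""Toy model of the two layers a Nova server request passes through: the oslo.policy
rule check and the project filter the DB query layer adds for non-admin contexts.
Added example for this thread, not Nova or oslo.policy code; the rule defaults and
the request ordering below are simplified assumptions."""
import re
from dataclasses import dataclass, field

@dataclass
class Context:
    user_id: str
    project_id: str                     # project the token was scoped to
    roles: set = field(default_factory=set)
    is_admin: bool = False              # Nova derives this from the context_is_admin rule

# Rule grammar supported (a subset of oslo.policy): parentheses, or/and, rule:<name>,
# role:<name>, project_id:%(project_id)s, and the empty string meaning "always true".
_TOKEN = re.compile(r"\(|\)|\bor\b|\band\b|[A-Za-z_]+:(?:%\(\w+\)s|[^\s()]+)")

def allowed(rules, name, ctx, target):
    """Evaluate rule `name` for this context/target by recursive descent over the tokens."""
    expr = rules[name]
    if not expr.strip():
        return True
    tokens, pos = _TOKEN.findall(expr), 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()           # always consume the operand, then combine
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_atom()
            value = value and rhs
        return value

    def parse_atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            value = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parenthesis in %r" % expr)
            pos += 1
            return value
        kind, _, arg = tok.partition(":")
        if kind == "rule":
            return allowed(rules, arg, ctx, target)
        if kind == "role":
            return arg in ctx.roles
        if kind == "project_id":
            return ctx.project_id == arg % target   # "%(project_id)s" -> target field
        raise ValueError("unsupported check %r" % tok)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result

# Constructed sample data: one server in each project.
SERVERS = [
    {"uuid": "aaaa-1", "project_id": "project1", "name": "web1"},
    {"uuid": "bbbb-2", "project_id": "project2", "name": "db2"},
]

def model_query(ctx, project_only=True):
    """The DB-layer filter: a non-admin context only ever sees its own project's rows."""
    if ctx.is_admin or not project_only:
        return list(SERVERS)
    return [s for s in SERVERS if s["project_id"] == ctx.project_id]

def show_server(rules, ctx, uuid):
    """Returns (http_status, row). The row is loaded before servers:show is checked
    (assumed ordering), so a row the project filter hides is a 404 whatever the rule says."""
    rows = [s for s in model_query(ctx) if s["uuid"] == uuid]
    if not rows:
        return 404, None                # policy never consulted
    if not allowed(rules, "os_compute_api:servers:show", ctx, {"project_id": rows[0]["project_id"]}):
        return 403, None
    return 200, rows[0]

def list_servers(rules, ctx, all_tenants=False):
    """Returns (http_status, rows). With all_tenants the policy decision itself lifts
    the project filter, which is why a custom role can make that path work."""
    if all_tenants:
        if not allowed(rules, "os_compute_api:servers:index:get_all_tenants", ctx, {}):
            return 403, None
        return 200, model_query(ctx, project_only=False)
    if not allowed(rules, "os_compute_api:servers:index", ctx, {"project_id": ctx.project_id}):
        return 403, None
    return 200, model_query(ctx)

# Assumed defaults for the rules the custom lines refer to, plus the thread's custom lines.
RULES = {
    "context_is_admin": "role:admin",
    "project_reader_api": "role:reader and project_id:%(project_id)s",
    "project_reader_or_admin": "rule:project_reader_api or rule:context_is_admin",
    "os_compute_api:servers:index": "rule:project_reader_or_admin",
    "os_compute_api:servers:index:get_all_tenants": "(rule:context_is_admin) or (role:myrole)",
    "os_compute_api:servers:show": "rule:project_reader_or_admin or role:myrole",
}
```

With a project1-scoped token carrying reader, member and myrole (Keystone's implied roles give a member token the reader role too), show_server(RULES, ctx, "bbbb-2") returns 404 even though allowed() says the show rule passes, and it still returns 404 when the show rule is replaced by the empty string, because the row is filtered out before the rule is consulted. The same token passes the get_all_tenants rule and list_servers(..., all_tenants=True) returns both rows, matching the results in the last post. A token scoped to project2 gets 200 on show, which is the clouds.yaml / openstack token issue route Sean describes; an admin context bypasses the filter entirely.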
participants (3)
- Ghanshyam Maan
- Sean Mooney
- sluge@mail.ru