[openstack-dev] [openstack] [nova] admin user create instance for another user/tenant

Xu (Simon) Chen xchenum at gmail.com
Sat Apr 5 04:17:05 UTC 2014


I wonder if there is a way to do the following. I have a user A with admin
role in tenant A, and I want to create a VM in/for tenant B as user A.
Obviously, I can use A's admin privilege to add itself to tenant B, but I
want to avoid that.

Based on the policy.json file, it seems doable:
https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L8

I read this as, as long as a user is an admin, it can create an instance.
Just like an admin user can remove an instance from another tenant.

But in here, it looks like as long as the context project ID and target
project ID don't match, an action would be rejected:
https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L968

Indeed, when I tried to use user A's token to create a VM (POST to
v2/<tenant_b>/servers), I got the exception from the above link.

On the other hand, according to here, VM's project_id only comes from the
context:
https://github.com/openstack/nova/blob/master/nova/compute/api.py#L767

I wonder if it makes sense to allow admin users to specify a "project_id"
field (which overrides context.project_id) when creating a VM. This
probably requires a non-trivial code change.

Or maybe there is another way of doing what I want?

Thanks.
-Simon
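
The behaviour reported in this message, as a simplified Python model added here (not nova's code and not part of the original post). All class, function and rule names are hypothetical, and running the URL check before the policy check is an assumption based on the rejection the post describes.

```python
from dataclasses import dataclass

class Rejected(Exception):
    """Raised when either check refuses the request."""

@dataclass(frozen=True)
class Context:
    # Identity derived from the token: caller, token's project scope, roles.
    user_id: str
    project_id: str
    roles: tuple

def policy_allows(ctx, target_project_id):
    # Hypothetical rule: admin may act on any project, others only their own.
    return "admin" in ctx.roles or ctx.project_id == target_project_id

def check_url_scope(ctx, url_project_id):
    # Runs before policy, so holding the admin role does not bypass it.
    if url_project_id != ctx.project_id:
        raise Rejected("URL project_id does not match context project_id")

def create_server(ctx, url_project_id, name):
    check_url_scope(ctx, url_project_id)
    if not policy_allows(ctx, url_project_id):
        raise Rejected("policy denies create")
    # Ownership comes from the context only; the request cannot set it.
    return {"name": name, "project_id": ctx.project_id, "user_id": ctx.user_id}

def delete_server(ctx, url_project_id, server):
    check_url_scope(ctx, url_project_id)
    # In this model the policy target is the existing server's owner, not the
    # URL project, so an admin can delete across tenants but cannot create.
    if not policy_allows(ctx, server["project_id"]):
        raise Rejected("policy denies delete")
    return True

if __name__ == "__main__":
    admin_a = Context("user_a", "tenant_a", ("admin",))    # constructed sample
    member_b = Context("user_b", "tenant_b", ("member",))  # constructed sample
    vm = create_server(member_b, "tenant_b", "vm-b")
    print("admin deletes tenant_b VM:", delete_server(admin_a, "tenant_a", vm))
    try:
        create_server(admin_a, "tenant_b", "vm-for-b")
    except Rejected as exc:
        print("admin create in tenant_b rejected:", exc)
```

In the model, letting an admin create on behalf of another tenant would mean accepting an owner from the request, which is the point where a role check on that field would have to be added.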