[openstack-dev] [openstack] [nova] admin user create instance for another user/tenant

Solly Ross sross at redhat.com
Mon Apr 7 17:44:26 UTC 2014


Simon, please use the operators list or general list for questions such as this in the future.
https://wiki.openstack.org/wiki/Mailing_Lists#General_List

Best Regards,
Solly Ross

----- Original Message -----
From: "Xu (Simon) Chen" <xchenum at gmail.com>
To: openstack-dev at lists.openstack.org
Sent: Saturday, April 5, 2014 12:17:05 AM
Subject: [openstack-dev] [openstack] [nova] admin user create instance for another user/tenant

I wonder if there is a way to do the following. I have a user A with admin role in tenant A, and I want to create a VM in/for tenant B as user A. Obviously, I can use A's admin privilege to add itself to tenant B, but I want to avoid that. 

Based on the policy.json file, it seems doable: 
https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L8 

I read this as, as long as a user is an admin, it can create an instance. Just like an admin user can remove an instance from another tenant.

But in here, it looks like as long as the context project ID and target project ID don't match, an action would be rejected: 
https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L968 

Indeed, when I tried to use user A's token to create a VM (POST to v2/<tenant_b>/servers), I got the exception from the above link.

On the other hand, according to here, VM's project_id only comes from the context: 
https://github.com/openstack/nova/blob/master/nova/compute/api.py#L767 

I wonder if it makes sense to allow admin users to specify a "project_id" field (which overrides context.project_id) when creating a VM. This probably requires non-trivial code change. 

Or maybe there is another way of doing what I want? 

Thanks. 
-Simon 


_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


