[openstack-dev] [openstack] [nova] admin user create instance for another user/tenant

Xu (Simon) Chen xchenum at gmail.com
Mon Apr 7 19:55:38 UTC 2014


Solly,

My point is that this feature (creating a VM for a tenant as an admin in
another project) might not be possible given the current implementation.
I've pointed out two places in nova code, from which I drew my conclusion.

Since this potentially requires a code change, I think the dev mailing list
is somewhat appropriate...

Thanks.
-Simon



On Mon, Apr 7, 2014 at 1:44 PM, Solly Ross <sross at redhat.com> wrote:

> Simon, please use the operators list or general list for questions such as
> this in the future.
> https://wiki.openstack.org/wiki/Mailing_Lists#General_List
>
> Best Regards,
> Solly Ross
>
> ----- Original Message -----
> From: "Xu (Simon) Chen" <xchenum at gmail.com>
> To: openstack-dev at lists.openstack.org
> Sent: Saturday, April 5, 2014 12:17:05 AM
> Subject: [openstack-dev] [openstack] [nova] admin user create instance for
>      another user/tenant
>
> I wonder if there is a way to do the following. I have a user A with admin
> role in tenant A, and I want to create a VM in/for tenant B as user A.
> Obviously, I can use A's admin privilege to add itself to tenant B, but I
> want to avoid that.
>
> Based on the policy.json file, it seems doable:
> https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L8
>
> I read this as, as long as a user is an admin, it can create an instance.
> Just like an admin user can remove an instance from another tenant.
>
> But in here, it looks like as long as the context project ID and target
> project ID don't match, an action would be rejected:
>
> https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L968
>
> Indeed, when I try to use user A's token to create a VM (POST to
> v2/<tenant_b>/servers), I get the exception from the above link.
>
> On the other hand, according to here, the VM's project_id only comes from the
> context:
> https://github.com/openstack/nova/blob/master/nova/compute/api.py#L767
>
> I wonder if it makes sense to allow admin users to specify a "project_id"
> field (which overrides context.project_id) when creating a VM. This
> probably requires a non-trivial code change.
>
> Or maybe there is another way of doing what I want?
>
> Thanks.
> -Simon
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
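
The three checks described in the quoted message, as a simplified model added here (not part of the original thread and not nova's code). It shows why an admin token scoped to tenant A passes the policy rule yet is still rejected on the tenant B URL, and why the instance owner always follows the token. All names and the policy rule below are assumptions made for illustration.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when one of the modelled authorization layers rejects a request."""


@dataclass(frozen=True)
class RequestContext:          # hypothetical stand-in for the request context
    user_id: str
    project_id: str            # project the token is scoped to
    roles: tuple


def policy_allows_create(ctx, target_project_id):
    # Layer 1 (assumed rule): admin role, or caller's project owns the target.
    return "admin" in ctx.roles or ctx.project_id == target_project_id


def url_project_matches(ctx, url_project_id):
    # Layer 2: the project id in the URL must equal the token's project,
    # regardless of role. This is the check the message says rejects the POST.
    return ctx.project_id == url_project_id


def create_server(ctx, url_project_id, name):
    if not policy_allows_create(ctx, url_project_id):
        raise Forbidden("policy")
    if not url_project_matches(ctx, url_project_id):
        raise Forbidden("project mismatch")
    # Layer 3: ownership is taken from the context only; the request body
    # has no way to name a different project.
    return {"name": name, "project_id": ctx.project_id, "user_id": ctx.user_id}


def attempt(ctx, url_project_id):
    """Return the owning project on success, or the layer that rejected."""
    try:
        return create_server(ctx, url_project_id, "vm1")["project_id"]
    except Forbidden as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample identities, matching the scenario in the message.
    admin_a = RequestContext("user_a", "tenant_a", ("admin",))
    member_b = RequestContext("user_b", "tenant_b", ("member",))
    for ctx, target in [(admin_a, "tenant_b"), (admin_a, "tenant_a"),
                        (member_b, "tenant_a")]:
        print(ctx.user_id, "->", target, ":", attempt(ctx, target))
```

In this model a policy change alone cannot enable cross-tenant creation: layer 2 would have to exempt admins and layer 3 would have to accept an explicit owner, and any such override needs its own authorization check and audit trail.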