[Openstack-operators] Allow user to see instances of other users

Sławek Kapłoński slawek at kaplonski.pl
Thu Jun 11 19:40:36 UTC 2015


I don't think it is possible because in nova/db/sqlalchemy/api.py in function 
instance_get_all_by_filters You have something like:

if not context.is_admin:
        # If we're not admin context, add appropriate filter..
        if context.project_id:
            filters['project_id'] = context.project_id
            filters['user_id'] = context.user_id

This is from Juno, but in Kilo it is the same. So in fact even if You will set 
proper policy.json rules it will still require admin context to search 
instances from different tenants. Maybe I'm wrong and this is in some other 
place possible and maybe someone will show me where because I was also looking 
for it last time :)

Pozdrawiam / Best regards
Sławek Kapłoński
slawek at kaplonski.pl

Dnia czwartek, 11 czerwca 2015 21:06:31 George Shuklin pisze:
> Hello.
> I'm trying to allow a user with special role to see all instances of all
> tenants without giving him admin privileges.
> My initial attempt was to change policy.json for nova to
> "compute:get_all_tenants": "role:special_role or is_admin:True".
> But it didn't work well.
> The command (nova list --all-tenants) is not failing anymore (no 'ERROR
> (Forbidden): Policy doesn't allow compute:get_all_tenants to be
> performed.'), but the returned list is empty:
> nova list  --all-tenants
> +----+------+--------+------------+-------------+----------+
> | ID | Name | Status | Task State | Power State | Networks |
> +----+------+--------+------------+-------------+----------+
> +----+------+--------+------------+-------------+----------+
> Any ideas how to allow a user without admin privileges to see all instances?
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150611/3774ef24/attachment.pgp>

More information about the OpenStack-operators mailing list