[Openstack-operators] Allow user to see instances of other users

Clint Byrum clint at fewbar.com
Thu Jun 11 20:02:16 UTC 2015

Excerpts from Sławek Kapłoński's message of 2015-06-11 12:40:36 -0700:
> Hello,
> I don't think it is possible because in nova/db/sqlalchemy/api.py in function 
> instance_get_all_by_filters You have something like:
> if not context.is_admin:
>         # If we're not admin context, add appropriate filter..
>         if context.project_id:
>             filters['project_id'] = context.project_id
>         else:
>             filters['user_id'] = context.user_id
> This is from Juno, but in Kilo it is the same. So in fact even if You will set 
> proper policy.json rules it will still require admin context to search 
> instances from different tenants. Maybe I'm wrong and this is in some other 
> place possible and maybe someone will show me where because I was also looking 
> for it last time :)

Looks like a bug to me. The check should just enforce that there is one
of those filters if not context.is_admin.


I'd suggest referencing this mailing list thread.

More information about the OpenStack-operators mailing list