Hello, I thought so but I was not sure :) I just made bug report for that: https://bugs.launchpad.net/nova/+bug/1464381 -- Pozdrawiam / Best regards Sławek Kapłoński slawek at kaplonski.pl Dnia czwartek, 11 czerwca 2015 13:02:16 Clint Byrum pisze: > Excerpts from Sławek Kapłoński's message of 2015-06-11 12:40:36 -0700: > > Hello, > > > > I don't think it is possible because in nova/db/sqlalchemy/api.py in > > function instance_get_all_by_filters You have something like: > > > > if not context.is_admin: > > # If we're not admin context, add appropriate filter.. > > > > if context.project_id: > > filters['project_id'] = context.project_id > > > > else: > > filters['user_id'] = context.user_id > > > > This is from Juno, but in Kilo it is the same. So in fact even if You will > > set proper policy.json rules it will still require admin context to > > search instances from different tenants. Maybe I'm wrong and this is in > > some other place possible and maybe someone will show me where because I > > was also looking for it last time :) > > Looks like a bug to me. The check should just enforce that there is one > of those filters if not context.is_admin. > > https://launchpad.net/nova/+filebug > > I'd suggest referencing this mailing list thread. > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150611/1eba20eb/attachment.pgp>