[Openstack-operators] Allow user to see instances of other users

George Shuklin george.shuklin at gmail.com
Thu Jun 11 20:59:39 UTC 2015


Thank you!

You saved me a day of work. Well, we'll move the script to an admin user 
instead of a normal user with the special role.

PS And thanks for filing a bug report too.

On 06/11/2015 10:40 PM, Sławek Kapłoński wrote:
> Hello,
>
> I don't think it is possible, because in nova/db/sqlalchemy/api.py in the function
> instance_get_all_by_filters you have something like:
>
> if not context.is_admin:
>     # If we're not admin context, add appropriate filter..
>     if context.project_id:
>         filters['project_id'] = context.project_id
>     else:
>         filters['user_id'] = context.user_id
>
> This is from Juno, but in Kilo it is the same. So in fact even if you set the
> proper policy.json rules, it will still require an admin context to search
> instances from different tenants. Maybe I'm wrong and this is possible in some
> other place, and maybe someone will show me where, because I was also looking
> for it last time :)
>
> --
> Pozdrawiam / Best regards
> Sławek Kapłoński
> slawek at kaplonski.pl
>
> On Thursday, 11 June 2015 21:06:31 George Shuklin wrote:
>> Hello.
>>
>> I'm trying to allow a user with special role to see all instances of all
>> tenants without giving him admin privileges.
>>
>> My initial attempt was to change policy.json for nova to
>> "compute:get_all_tenants": "role:special_role or is_admin:True".
>>
>> But it didn't work well.
>>
>> The command (nova list --all-tenants) is not failing anymore (no 'ERROR
>> (Forbidden): Policy doesn't allow compute:get_all_tenants to be
>> performed.'), but the returned list is empty:
>>
>> nova list --all-tenants
>> +----+------+--------+------------+-------------+----------+
>> | ID | Name | Status | Task State | Power State | Networks |
>> +----+------+--------+------------+-------------+----------+
>> +----+------+--------+------------+-------------+----------+
>>
>>
>> Any ideas on how to allow a user without admin privileges to see all instances?
>>
>>
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>

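The behaviour discussed in this thread, as an added example that is not nova's code: a simplified Python model of the two authorization layers, the policy.json rule at the API layer and the `context.is_admin` scoping in the DB layer. The instance table, the user and project names, and the `Context` class are constructed for the example; the `nova_list_all_tenants` helper stands in for `nova list --all-tenants` and returns the instance ids the caller would see.

```python
from dataclasses import dataclass

@dataclass
class Context:
    """Request context (constructed); is_admin is all the DB layer checks."""
    user_id: str
    project_id: str
    roles: frozenset
    is_admin: bool = False

# Constructed sample data: instances spread across three tenants.
INSTANCES = [
    {"id": "i-1", "project_id": "proj-a", "user_id": "alice"},
    {"id": "i-2", "project_id": "proj-b", "user_id": "bob"},
    {"id": "i-3", "project_id": "proj-c", "user_id": "carol"},
]

def policy_allows_get_all_tenants(ctx):
    # API-layer check modelling the policy.json rule from the thread:
    # "compute:get_all_tenants": "role:special_role or is_admin:True"
    return "special_role" in ctx.roles or ctx.is_admin

def instance_get_all_by_filters(ctx, filters):
    # DB-layer query mirroring the nova snippet quoted in the thread:
    # a non-admin context is always narrowed to its own project (or user).
    filters = dict(filters)
    if not ctx.is_admin:
        if ctx.project_id:
            filters["project_id"] = ctx.project_id
        else:
            filters["user_id"] = ctx.user_id
    return [i for i in INSTANCES
            if all(i.get(k) == v for k, v in filters.items())]

def nova_list_all_tenants(ctx):
    # `nova list --all-tenants`: policy check first, then a DB query with no
    # tenant filter of our own. Returns the ids of the instances found.
    if not policy_allows_get_all_tenants(ctx):
        raise PermissionError(
            "Policy doesn't allow compute:get_all_tenants to be performed.")
    return [i["id"] for i in instance_get_all_by_filters(ctx, {})]

if __name__ == "__main__":
    # Script user with the special role in its own, empty project: policy
    # says yes, but the DB layer scopes the query, so the list is empty.
    observer = Context("script", "proj-ops", frozenset({"special_role"}))
    print(nova_list_all_tenants(observer))  # -> []
    admin = Context("root", "proj-ops", frozenset({"admin"}), is_admin=True)
    print(nova_list_all_tenants(admin))  # -> ['i-1', 'i-2', 'i-3']
```

The empty result for `observer` is the same outcome reported in the thread: the policy change removes the Forbidden error, but only an admin context crosses the tenant boundary at the DB layer.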