[Openstack-operators] Allow user to see instances of other users

Mathieu Gagné mgagne at iweb.com
Thu Jun 11 22:08:38 UTC 2015


You can add your new role to this policy:

  "context_is_admin":  "role:admin or role:special_role",

It will set "is_admin" to True in the context. I'm not sure of the
side effects, to be honest. Use at your own risk...

Mathieu

On 2015-06-11 4:59 PM, George Shuklin wrote:
> Thank you!
> 
> You saved me a day of work. Well, we'll move the script to an admin user
> instead of a normal user with the special role.
> 
> PS And thanks for filing a bug report too.
> 
> On 06/11/2015 10:40 PM, Sławek Kapłoński wrote:
>> Hello,
>>
>> I don't think it is possible, because in nova/db/sqlalchemy/api.py, in the function 
>> instance_get_all_by_filters, you have something like:
>>
>> if not context.is_admin:
>>         # If we're not admin context, add appropriate filter..
>>         if context.project_id:
>>             filters['project_id'] = context.project_id
>>         else:
>>             filters['user_id'] = context.user_id
>>
>> This is from Juno, but in Kilo it is the same. So in fact, even if you set 
>> proper policy.json rules, it will still require an admin context to search 
>> instances from different tenants. Maybe I'm wrong and this is possible in some 
>> other place; maybe someone will show me where, because I was also looking 
>> for it last time :)
>>
>> --
>> Pozdrawiam / Best regards
>> Sławek Kapłoński
>> slawek at kaplonski.pl
>>
>> On Thursday, 11 June 2015 21:06:31, George Shuklin wrote:
>>> Hello.
>>>
>>> I'm trying to allow a user with a special role to see all instances of all
>>> tenants without giving him admin privileges.
>>>
>>> My initial attempt was to change policy.json for nova to
>>> "compute:get_all_tenants": "role:special_role or is_admin:True".
>>>
>>> But it didn't work well.
>>>
>>> The command (nova list --all-tenants) is not failing anymore (no 'ERROR
>>> (Forbidden): Policy doesn't allow compute:get_all_tenants to be
>>> performed.'), but the returned list is empty:
>>>
>>> nova list --all-tenants
>>> +----+------+--------+------------+-------------+----------+
>>> | ID | Name | Status | Task State | Power State | Networks |
>>> +----+------+--------+------------+-------------+----------+
>>> +----+------+--------+------------+-------------+----------+
>>>
>>>
>>> Any ideas on how to allow a user without admin privileges to see all instances?
>>>
>>>
>>>
>>> _______________________________________________
>>> OpenStack-operators mailing list
>>> OpenStack-operators at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> 
> 
> 

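Added example, not code from the thread or from nova, modelling the two checks discussed above: the DB-layer filter Sławek quoted from instance_get_all_by_filters, and the context_is_admin change Mathieu suggested. Context, evaluate_rule, make_context, list_instances, the two POLICY_* dicts and the sample instances are assumptions; nova's real policy engine is oslo.policy.

```python
from dataclasses import dataclass, field

# Constructed sample instances across two tenants (assumption, not real data).
INSTANCES = [
    {"id": "i-1", "project_id": "tenant-a", "user_id": "alice"},
    {"id": "i-2", "project_id": "tenant-b", "user_id": "bob"},
    {"id": "i-3", "project_id": "tenant-b", "user_id": "carol"},
]

# The two policy.json variants from the thread (hypothetical dict names).
POLICY_ROLE_ON_API = {"context_is_admin": "role:admin",
                     "compute:get_all_tenants": "role:special_role or is_admin:True"}
POLICY_ROLE_ON_CONTEXT = {"context_is_admin": "role:admin or role:special_role",
                         "compute:get_all_tenants": "is_admin:True"}

@dataclass
class Context:
    user_id: str
    project_id: str
    roles: list = field(default_factory=list)
    is_admin: bool = False

def evaluate_rule(rule, ctx):
    """Minimal 'a or b' rule evaluator for role:X and is_admin:True checks."""
    for term in rule.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in ctx.roles:
            return True
        if kind == "is_admin" and ctx.is_admin == (value == "True"):
            return True
    return False

def make_context(user_id, project_id, roles, policy):
    """As in nova, context_is_admin sets is_admin for the whole request,
    so the role then satisfies every other is_admin:True rule as well."""
    ctx = Context(user_id, project_id, list(roles))
    ctx.is_admin = evaluate_rule(policy["context_is_admin"], ctx)
    return ctx

def list_instances(ctx, policy, all_tenants=True):
    """nova list --all-tenants: the API policy check and the DB filter are separate."""
    if all_tenants and not evaluate_rule(policy["compute:get_all_tenants"], ctx):
        raise PermissionError("Policy doesn't allow compute:get_all_tenants")
    filters = {}
    if not ctx.is_admin:  # the quoted DB-layer filter runs regardless of the API rule
        if ctx.project_id:
            filters["project_id"] = ctx.project_id
        else:
            filters["user_id"] = ctx.user_id
    return [i for i in INSTANCES if all(i[k] == v for k, v in filters.items())]
```

With the role only on compute:get_all_tenants, a special_role user in a tenant that owns no instances gets an empty list, as in the thread; with the role in context_is_admin the same user sees all three.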