[Openstack-operators] Allow user to see instances of other users

Sławek Kapłoński slawek at kaplonski.pl
Thu Jun 11 22:13:34 UTC 2015


Hello,

But AFAIK this will give someone with the role "special_role" the same privileges as 
someone who has got the "admin" role, right?

--
Pozdrawiam / Best regards
Sławek Kapłoński
slawek at kaplonski.pl

On Thursday, 11 June 2015 18:08:38, Mathieu Gagné wrote:
> You can add your new role to this policy:
> 
>   "context_is_admin":  "role:admin or role:special_role",
> 
> It will set "is_admin" to True in the context. I'm not sure of the
> side-effect to be honest. Use at your own risk...
> 
> Mathieu
> 
> On 2015-06-11 4:59 PM, George Shuklin wrote:
> > Thank you!
> > 
> > You saved me a day of work. Well, we'll move the script to an admin user
> > instead of a normal user with the special role.
> > 
> > PS And thanks for filing a bug report too.
> > 
> > On 06/11/2015 10:40 PM, Sławek Kapłoński wrote:
> >> Hello,
> >> 
> >> I don't think it is possible because in nova/db/sqlalchemy/api.py in
> >> the function instance_get_all_by_filters you have something like:
> >> 
> >> if not context.is_admin:
> >>     # If we're not admin context, add appropriate filter..
> >>     if context.project_id:
> >>         filters['project_id'] = context.project_id
> >>     else:
> >>         filters['user_id'] = context.user_id
> >> 
> >> This is from Juno, but in Kilo it is the same. So in fact even if you
> >> set proper policy.json rules, it will still require an admin context to
> >> search instances from different tenants. Maybe I'm wrong and this is
> >> possible in some other place, and maybe someone will show me where, because
> >> I was also looking for it last time :)
> >> 
> >> --
> >> Pozdrawiam / Best regards
> >> Sławek Kapłoński
> >> slawek at kaplonski.pl
> >> 
> >> On Thursday, 11 June 2015 21:06:31, George Shuklin wrote:
> >>> Hello.
> >>> 
> >>> I'm trying to allow a user with special role to see all instances of all
> >>> tenants without giving him admin privileges.
> >>> 
> >>> My initial attempt was to change policy.json for nova to
> >>> "compute:get_all_tenants": "role:special_role or is_admin:True".
> >>> 
> >>> But it didn't work well.
> >>> 
> >>> The command (nova list --all-tenants) is not failing anymore (no 'ERROR
> >>> (Forbidden): Policy doesn't allow compute:get_all_tenants to be
> >>> performed.'), but the returned list is empty:
> >>> 
> >>> nova list --all-tenants
> >>> +----+------+--------+------------+-------------+----------+
> >>> | ID | Name | Status | Task State | Power State | Networks |
> >>> +----+------+--------+------------+-------------+----------+
> >>> +----+------+--------+------------+-------------+----------+
> >>> 
> >>> 
> >>> Any ideas how to allow a user without admin privileges to see all
> >>> instances?
> >>> 
> >>> 
> >>> 
> >>> _______________________________________________
> >>> OpenStack-operators mailing list
> >>> OpenStack-operators at lists.openstack.org
> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> >>> 

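The interaction the thread is circling, as an added example that is not part of any post and not nova's own code: a small model of nova's policy.json enforcement next to the project/user filter quoted from nova/db/sqlalchemy/api.py. The rule evaluator covers only the subset of the policy language used in this thread (role:X, is_admin:True, rule:NAME, "or", "and"; the real nova.policy uses oslo.policy's full parser). The instance table, the user "carol" and the policy dicts are constructed for the demo; the rule names "context_is_admin", "compute:get_all_tenants" and "admin_api" are the ones from nova's default policy.json of that era.

```python
"""Model of nova policy rules vs. the admin-only DB filter (added example)."""
from dataclasses import dataclass, field
from typing import Optional


class PolicyNotAuthorized(Exception):
    """Stands in for nova's 'Policy doesn't allow ... to be performed.'"""


@dataclass
class RequestContext:
    user_id: str
    project_id: Optional[str]
    roles: list = field(default_factory=list)
    is_admin: bool = False


def check_rule(rule: str, ctx: RequestContext, policy: dict) -> bool:
    """Evaluate one policy rule string against a request context.

    Subset only: 'or' binds looser than 'and'; no parentheses.
    """
    rule = rule.strip()
    if rule == "":
        return True  # empty rule: always allowed
    if rule == "!":
        return False  # never allowed
    if " or " in rule:
        return any(check_rule(p, ctx, policy) for p in rule.split(" or "))
    if " and " in rule:
        return all(check_rule(p, ctx, policy) for p in rule.split(" and "))
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "is_admin":
        return ctx.is_admin == (value.lower() == "true")
    if kind == "rule":
        return check_rule(policy.get(value, "!"), ctx, policy)
    raise ValueError("unsupported check: %r" % rule)


def make_context(user_id, project_id, roles, policy) -> RequestContext:
    """is_admin is derived from the context_is_admin rule when the request
    arrives, which is why that rule changes behaviour everywhere."""
    ctx = RequestContext(user_id, project_id, list(roles))
    ctx.is_admin = check_rule(policy["context_is_admin"], ctx, policy)
    return ctx


def instance_get_all_by_filters(ctx, instances, filters):
    """Mirror of the quoted DB helper: a non-admin context is always
    narrowed to its own project (or user), whatever the caller asked for."""
    filters = dict(filters)
    if not ctx.is_admin:
        if ctx.project_id:
            filters["project_id"] = ctx.project_id
        else:
            filters["user_id"] = ctx.user_id
    return [i for i in instances
            if all(i.get(k) == v for k, v in filters.items())]


def list_servers(ctx, instances, policy, all_tenants=False):
    """API-layer behaviour of 'nova list [--all-tenants]' in this model."""
    filters = {}
    if all_tenants:
        if not check_rule(policy["compute:get_all_tenants"], ctx, policy):
            raise PolicyNotAuthorized("compute:get_all_tenants")
    else:
        filters["project_id"] = ctx.project_id
    rows = instance_get_all_by_filters(ctx, instances, filters)
    return sorted(i["name"] for i in rows)


# Constructed instance table: two tenants.
INSTANCES = [
    {"name": "web-1", "project_id": "tenant-a", "user_id": "alice"},
    {"name": "db-1", "project_id": "tenant-a", "user_id": "alice"},
    {"name": "ci-1", "project_id": "tenant-b", "user_id": "bob"},
]

DEFAULT_POLICY = {
    "context_is_admin": "role:admin",
    "admin_api": "is_admin:True",
    "compute:get_all_tenants": "is_admin:True",
}


def run_scenarios():
    """What a user holding only 'special_role' in tenant-a sees under the
    three policy variants discussed in the thread."""
    results = {}
    # 1. Unmodified policy: --all-tenants is refused outright.
    ctx = make_context("carol", "tenant-a", ["special_role"], DEFAULT_POLICY)
    try:
        list_servers(ctx, INSTANCES, DEFAULT_POLICY, all_tenants=True)
        results["default"] = "allowed"
    except PolicyNotAuthorized:
        results["default"] = "forbidden"
    # 2. Only compute:get_all_tenants opened up: the policy check passes,
    #    but is_admin is still False, so the DB layer re-adds project_id.
    p2 = dict(DEFAULT_POLICY)
    p2["compute:get_all_tenants"] = "role:special_role or is_admin:True"
    ctx = make_context("carol", "tenant-a", ["special_role"], p2)
    results["get_all_tenants_opened"] = list_servers(ctx, INSTANCES, p2, True)
    # 3. special_role added to context_is_admin: every instance comes back,
    #    but every other is_admin:True rule (e.g. admin_api) now passes too.
    p3 = dict(DEFAULT_POLICY)
    p3["context_is_admin"] = "role:admin or role:special_role"
    ctx = make_context("carol", "tenant-a", ["special_role"], p3)
    results["context_is_admin_extended"] = list_servers(ctx, INSTANCES, p3, True)
    results["admin_api_side_effect"] = check_rule(p3["admin_api"], ctx, p3)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print("%-26s %s" % (name, value))
```

Running it shows the three outcomes side by side: the unmodified policy refuses the call; opening only compute:get_all_tenants passes the policy check but the DB helper still narrows the result to the caller's own project, so no other tenant's instances are ever returned; extending context_is_admin returns everything, and the same context now also satisfies admin_api, which is the side effect Sławek is asking about.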

