[Openstack] EC2 api and tenants

Ryan Lane rlane at wikimedia.org
Thu Aug 2 22:51:04 UTC 2012


On Thu, Aug 2, 2012 at 1:23 PM, Mitchell Broome
<mitchell.broome at gmail.com> wrote:
> I'm using essex 2012.1 and I'm running into an issue with tenant
> separation using the ec2 api.  I end up having to give a user the
> 'admin' role in keystone to create instances within a tenant.  I can
> live with that but the problem is, now that the user has 'admin', they
> also see all of the instances including ones from other tenants via a
> describe_instances().
>
> If I only give them the 'Member' role, they can only see the instances
> within their default tenant but they can't create instances.  Also, if
> they only have 'Member', I'm able to create instances via horizon
> manually.
>
> I'm assuming I'm missing some combination of roles I need to set up to
> allow a user to create instances in their default tenant but not see
> other instances in other tenants.
>

So far, from what I can tell, you need to add custom roles (or
continue using sysadmin and netadmin), and add these roles to the
proper actions in policy.json.

- Ryan
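
Added example, not part of the original message and not OpenStack code: a simplified evaluator for the list-of-lists rule syntax of an Essex-era policy.json (outer list is OR, inner list is AND), showing why a bare admin role sees every tenant while a custom role combined with a project_id match does not. The role name `tenant_user`, the `example:*` action names and the sample instances are constructed assumptions.

```python
# Simplified evaluator for list-of-lists policy rules (outer = OR, inner = AND).
# Role names, action names and sample data are constructed for illustration.

POLICY = {
    "admin_only": [["role:admin"]],
    # Custom role AND tenant match: holding the role alone is not enough.
    "tenant_member": [["role:tenant_user", "project_id:%(project_id)s"]],
    "example:create_instance": [["rule:admin_only"], ["rule:tenant_member"]],
    "example:list_instances": [["rule:admin_only"], ["rule:tenant_member"]],
}


def _match(term, creds, target, policy):
    kind, _, value = term.partition(":")
    if kind == "rule":
        return allowed(value, creds, target, policy)
    if kind == "role":
        return value.lower() in (r.lower() for r in creds["roles"])
    # Generic "key:value" term, e.g. project_id:%(project_id)s, where the
    # value is filled in from the object being accessed (the target).
    return str(creds.get(kind)) == value % target


def allowed(action, creds, target, policy=POLICY):
    rules = policy.get(action)
    if rules is None:
        return False  # unknown action: deny (assumption made for this sketch)
    if not rules:
        return True  # an empty rule list means "no restriction"
    return any(all(_match(t, creds, target, policy) for t in ands)
               for ands in rules)


def visible_instances(creds, instances, policy=POLICY):
    # Filter a listing the way a tenant-scoped describe call should behave.
    return [i["id"] for i in instances
            if allowed("example:list_instances", creds, i, policy)]


# Constructed sample data
INSTANCES = [
    {"id": "i-0001", "project_id": "tenant-a"},
    {"id": "i-0002", "project_id": "tenant-b"},
]
ADMIN = {"roles": ["admin"], "project_id": "tenant-a"}
USER = {"roles": ["tenant_user"], "project_id": "tenant-a"}
```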



