[Openstack] EC2 api and tenants

Mitchell Broome mitchell.broome at gmail.com
Fri Aug 3 12:32:13 UTC 2012


Ryan,

This looks like what the problem was.  I'm running 2012.1 from the
epel packages on centos 6.2.  The ec2 layer doesn't look like it
follows policy.json by default.  It still has roles for netadmin,
sysadmin and projectmanager hard coded in nova/api/ec2/__init__.py.
Right now, I'm just making use of netadmin and sysadmin rather than
creating new rules in policy.json.



On Thu, Aug 2, 2012 at 6:51 PM, Ryan Lane <rlane at wikimedia.org> wrote:
> On Thu, Aug 2, 2012 at 1:23 PM, Mitchell Broome
> <mitchell.broome at gmail.com> wrote:
>> I'm using essex 2012.1 and I'm running into an issue with tenant
>> separation using the ec2 api.  I end up having to give a user the
>> 'admin' role in keystone to create instances within a tenant.  I can
>> live with that but the problem is, now that the user has 'admin', they
>> also see all of the instances including ones from other tenants via a
>> describe_instances().
>>
>> If I only give them the 'Member' role, they can only see the instances
>> within their default tenant but they can't create instances.  Also, if
>> they only have 'Member', I'm able to create instances via horizon
>> manually.
>>
>> I'm assuming I'm missing some combination of roles I need to setup to
>> allow users to create instances in their default tenant but not see
>> other instances in other tenants.
>>
>
> So far, from what I can tell, you need to add custom roles (or
> continue using sysadmin and netadmin), and add these roles to the
> proper actions in policy.json.
>
> - Ryan
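To make the policy.json mechanics in this thread concrete, here is an added example (not code from the thread, and not nova's own engine): a small re-implementation of the Essex-era list-of-lists policy semantics, run against a constructed rule set. The "compute:create" rule, the "compute:get" action name and the credential dictionaries are assumptions for illustration; note that, as Mitchell found, the EC2 layer in 2012.1 may not consult this file at all.

```python
# Constructed, Essex-style policy.json fragment (assumption: only the keys
# needed for the illustration; a real file carries many more actions).
# Outer list = OR of clauses, inner list = AND of terms, [] = always allowed.
POLICY = {
    "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
    "default": [["rule:admin_or_owner"]],
    # Hypothetical custom rule: let a dedicated role create instances
    # instead of handing out the all-powerful 'admin' role.
    "compute:create": [["role:admin"], ["role:sysadmin"]],
}


def _check(term, creds, target):
    """Evaluate one 'kind:value' term against the caller's credentials."""
    kind, _, value = term.partition(":")
    if kind == "rule":                       # reference to another named rule
        return enforce(value, creds, target)
    if kind == "role":                       # caller holds this keystone role
        return value in creds.get("roles", [])
    value = value % target                   # expand %(project_id)s from target
    return str(creds.get(kind)) == value     # e.g. caller's project == target's


def enforce(action, creds, target):
    """Return True if creds may perform action on target under POLICY."""
    rule = POLICY.get(action, POLICY["default"])
    if not rule:                             # empty list: open to everyone
        return True
    return any(all(_check(t, creds, target) for t in clause) for clause in rule)


if __name__ == "__main__":
    # Constructed callers and targets mirroring the thread's scenario.
    member = {"roles": ["Member"], "project_id": "tenantA"}
    admin = {"roles": ["admin"], "project_id": "tenantA"}
    sysadmin = {"roles": ["Member", "sysadmin"], "project_id": "tenantA"}
    own, other = {"project_id": "tenantA"}, {"project_id": "tenantB"}
    print("Member sees own instance:", enforce("compute:get", member, own))
    print("Member sees other tenant:", enforce("compute:get", member, other))
    print("admin sees other tenant:", enforce("compute:get", admin, other))
    print("Member may create:", enforce("compute:create", member, own))
    print("sysadmin may create:", enforce("compute:create", sysadmin, own))
    print("sysadmin sees other tenant:", enforce("compute:get", sysadmin, other))
```

The last two lines are the point: a role granted only on "compute:create" lets the user launch instances while the "admin_or_owner" default still confines what they can see to their own project, whereas "role:admin" short-circuits the project_id check everywhere.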
