Hello,

But AFAIK this will give someone with role "special_role" the same privileges as someone who has got the "admin" role, right?

--
Best regards
Sławek Kapłoński
[email protected]

On Thursday, 11 June 2015 18:08:38 Mathieu Gagné wrote:
> You can add your new role to this policy:
>
> "context_is_admin": "role:admin or role:special_role",
>
> It will set "is_admin" to True in the context. I'm not sure of the
> side-effect to be honest. Use at your own risk...
>
> Mathieu
>
> On 2015-06-11 4:59 PM, George Shuklin wrote:
> > Thank you!
> >
> > You saved me a day of the work. Well, we'll move a script to admin user
> > instead of normal user with the special role.
> >
> > PS And thanks for filing a bug report too.
> >
> > On 06/11/2015 10:40 PM, Sławek Kapłoński wrote:
> >> Hello,
> >>
> >> I don't think it is possible because in nova/db/sqlalchemy/api.py in
> >> function instance_get_all_by_filters You have something like:
> >>
> >>     if not context.is_admin:
> >>         # If we're not admin context, add appropriate filter..
> >>         if context.project_id:
> >>             filters['project_id'] = context.project_id
> >>         else:
> >>             filters['user_id'] = context.user_id
> >>
> >> This is from Juno, but in Kilo it is the same. So in fact even if You
> >> will set proper policy.json rules it will still require admin context to
> >> search instances from different tenants. Maybe I'm wrong and this is in
> >> some other place possible and maybe someone will show me where because I
> >> was also looking for it last time :)
> >>
> >> --
> >> Best regards
> >> Sławek Kapłoński
> >> [email protected]
> >>
> >> On Thursday, 11 June 2015 21:06:31 George Shuklin wrote:
> >>> Hello.
> >>>
> >>> I'm trying to allow a user with special role to see all instances of all
> >>> tenants without giving him admin privileges.
> >>>
> >>> My initial attempt was to change policy.json for nova to
> >>> "compute:get_all_tenants": "role:special_role or is_admin:True".
> >>>
> >>> But it didn't work well.
> >>>
> >>> The command (nova list --all-tenants) is not failing anymore (no 'ERROR
> >>> (Forbidden): Policy doesn't allow compute:get_all_tenants to be
> >>> performed.'), but the returned list is empty:
> >>>
> >>> nova list --all-tenants
> >>> +----+------+--------+------------+-------------+----------+
> >>> | ID | Name | Status | Task State | Power State | Networks |
> >>> +----+------+--------+------------+-------------+----------+
> >>> +----+------+--------+------------+-------------+----------+
> >>>
> >>> Any ideas how to allow a user without admin privileges to see all
> >>> instances?
> >>>
> >>> _______________________________________________
> >>> OpenStack-operators mailing list
> >>> [email protected]
> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
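
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not nova's code: a simplified model of a policy check followed by the quoted DB-layer filter. The `Context` class, the tiny rule evaluator, the default `"context_is_admin": "role:admin"` rule and the sample instances are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Context:
    user_id: str
    project_id: str
    roles: list
    is_admin: bool = False

def check(rule, ctx):
    # Handles only the "kind:value or kind:value" subset used in the thread.
    for term in rule.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in ctx.roles:
            return True
        if kind == "is_admin" and value == str(ctx.is_admin):
            return True
    return False

def make_context(user_id, project_id, roles, policy):
    # is_admin is derived once from the context_is_admin rule.
    ctx = Context(user_id, project_id, roles)
    ctx.is_admin = check(policy["context_is_admin"], ctx)
    return ctx

# Constructed sample data: the operator's own project owns no instances.
INSTANCES = [
    {"id": "i-1", "project_id": "tenant-a", "user_id": "alice"},
    {"id": "i-2", "project_id": "tenant-b", "user_id": "bob"},
]

def list_all_tenants(ctx, policy):
    if not check(policy["compute:get_all_tenants"], ctx):
        raise PermissionError("compute:get_all_tenants denied")
    filters = {}
    if not ctx.is_admin:  # same shape as the quoted DB-layer check
        if ctx.project_id:
            filters["project_id"] = ctx.project_id
        else:
            filters["user_id"] = ctx.user_id
    return [i["id"] for i in INSTANCES
            if all(i[k] == v for k, v in filters.items())]

ROLE_ONLY = {"context_is_admin": "role:admin",
             "compute:get_all_tenants": "role:special_role or is_admin:True"}
ROLE_AS_ADMIN = dict(ROLE_ONLY, context_is_admin="role:admin or role:special_role")

def run(policy):
    ctx = make_context("operator", "ops-tenant", ["special_role"], policy)
    return ctx.is_admin, list_all_tenants(ctx, policy)

if __name__ == "__main__":
    print(run(ROLE_ONLY))      # policy passes, DB filter still applies
    print(run(ROLE_AS_ADMIN))  # the role now yields a full admin context
```

In this model the first policy passes the API check but still scopes the query to the caller's project, while the second removes the scoping only by making every holder of `special_role` an admin context.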
