haha, you are right. Should this also be changed so you don't end up with "admin" privileges on all tenants?

From:

    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",

To:

    "admin_or_owner": "role:admin or project_id:%(project_id)s",

Note: I'm trying to find a temporary way to not have to wait for Nova to remove all occurrences of "if not context.is_admin".

Mathieu

On 2015-06-11 6:13 PM, Sławek Kapłoński wrote:
> Hello,
>
> But AFAIK this will give someone with role "special_role" the same privileges as
> someone who has the "admin" role, right?
>
> --
> Pozdrawiam / Best regards
> Sławek Kapłoński
> [email protected]
>
> On Thursday, 11 June 2015 18:08:38, Mathieu Gagné wrote:
>> You can add your new role to this policy:
>>
>> "context_is_admin": "role:admin or role:special_role",
>>
>> It will set "is_admin" to True in the context. I'm not sure of the
>> side-effects to be honest. Use at your own risk...
>>
>> Mathieu
>>
>> On 2015-06-11 4:59 PM, George Shuklin wrote:
>>> Thank you!
>>>
>>> You saved me a day of work. Well, we'll move the script to an admin user
>>> instead of a normal user with the special role.
>>>
>>> PS And thanks for filing a bug report too.
>>>
>>> On 06/11/2015 10:40 PM, Sławek Kapłoński wrote:
>>>> Hello,
>>>>
>>>> I don't think it is possible because in nova/db/sqlalchemy/api.py in
>>>> function instance_get_all_by_filters you have something like:
>>>>
>>>>     if not context.is_admin:
>>>>         # If we're not admin context, add appropriate filter..
>>>>         if context.project_id:
>>>>             filters['project_id'] = context.project_id
>>>>         else:
>>>>             filters['user_id'] = context.user_id
>>>>
>>>> This is from Juno, but in Kilo it is the same. So in fact even if you
>>>> set proper policy.json rules it will still require admin context to
>>>> search instances from different tenants.
>>>> Maybe I'm wrong and this is possible in some other place, and maybe someone
>>>> will show me where because I was also looking for it last time :)
>>>>
>>>> --
>>>> Pozdrawiam / Best regards
>>>> Sławek Kapłoński
>>>> [email protected]
>>>>
>>>> On Thursday, 11 June 2015 21:06:31, George Shuklin wrote:
>>>>> Hello.
>>>>>
>>>>> I'm trying to allow a user with a special role to see all instances of all
>>>>> tenants without giving him admin privileges.
>>>>>
>>>>> My initial attempt was to change policy.json for nova to
>>>>> "compute:get_all_tenants": "role:special_role or is_admin:True".
>>>>>
>>>>> But it didn't work well.
>>>>>
>>>>> The command (nova list --all-tenants) is not failing anymore (no 'ERROR
>>>>> (Forbidden): Policy doesn't allow compute:get_all_tenants to be
>>>>> performed.'), but the returned list is empty:
>>>>>
>>>>> nova list --all-tenants
>>>>> +----+------+--------+------------+-------------+----------+
>>>>> | ID | Name | Status | Task State | Power State | Networks |
>>>>> +----+------+--------+------------+-------------+----------+
>>>>> +----+------+--------+------------+-------------+----------+
>>>>>
>>>>> Any ideas how to allow a user without admin privileges to see all
>>>>> instances?

_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
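The thread turns on two authorization layers that do not agree: the policy.json rules, which an operator can edit, and the hard-coded `if not context.is_admin` filter in the DB API, which cannot be changed by policy. The following is an added illustrative model, not Nova's code and not code from any participant in the thread. It re-implements the quoted DB filter over a constructed in-memory instance list, evaluates only the subset of policy.json syntax that appears in the thread (`role:X`, `is_admin:True`, `rule:Y`, `project_id:%(project_id)s`, `or`), and adds one assumed rule, `"compute:delete": "rule:admin_or_owner"`, so that the effect of the `admin_or_owner` change can be seen. The three policies correspond to George's original attempt, Mathieu's `context_is_admin` suggestion, and his `admin_or_owner` follow-up.

```python
"""Toy model of Nova's two authorization layers (illustrative, not Nova code).

Layer 1: policy.json rules, evaluated by a minimal evaluator.
Layer 2: the `if not context.is_admin` filter quoted from
nova/db/sqlalchemy/api.py, reimplemented over an in-memory list.
"""

# Constructed sample data: three instances in three projects.
INSTANCES = [
    {"id": "i-1", "project_id": "tenant-a", "user_id": "alice"},
    {"id": "i-2", "project_id": "tenant-b", "user_id": "bob"},
    {"id": "i-3", "project_id": "ops", "user_id": "script"},
]

# The rules discussed in the thread. "compute:delete" is an assumed rule,
# added here only to show what "admin_or_owner" protects.
BASE_POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:get_all_tenants": "role:special_role or is_admin:True",
    "compute:delete": "rule:admin_or_owner",
}
# Mathieu's first suggestion: let special_role set context.is_admin.
CONTEXT_ADMIN_POLICY = {**BASE_POLICY,
                        "context_is_admin": "role:admin or role:special_role"}
# His follow-up: stop admin_or_owner from keying on is_admin at all.
FIXED_POLICY = {**CONTEXT_ADMIN_POLICY,
                "admin_or_owner": "role:admin or project_id:%(project_id)s"}


def enforce(policy, rule_name, creds, target):
    """Evaluate one rule. Supports 'role:X', 'is_admin:True', 'rule:Y',
    generic 'key:%(key)s' comparisons against the target, and 'or'."""
    expr = policy[rule_name]
    if expr == "":                      # empty rule: always allowed
        return True
    for atom in expr.split(" or "):
        kind, _, value = atom.strip().partition(":")
        if kind == "rule":
            if enforce(policy, value, creds, target):
                return True
        elif kind == "role":
            if value in creds["roles"]:
                return True
        elif kind == "is_admin":
            if str(creds["is_admin"]) == value:
                return True
        elif creds.get(kind) == value % target:   # e.g. project_id:%(project_id)s
            return True
    return False


def make_context(policy, user_id, project_id, roles):
    """Build a request context; is_admin comes from the context_is_admin
    rule evaluated against the caller's own credentials."""
    ctx = {"user_id": user_id, "project_id": project_id,
           "roles": list(roles), "is_admin": False}
    ctx["is_admin"] = enforce(policy, "context_is_admin", ctx, ctx)
    return ctx


def instance_get_all_by_filters(context, filters=None):
    """DB layer: the quoted Nova logic, which never consults policy.json."""
    filters = dict(filters or {})
    if not context["is_admin"]:
        # If we're not admin context, add appropriate filter..
        if context["project_id"]:
            filters["project_id"] = context["project_id"]
        else:
            filters["user_id"] = context["user_id"]
    return [i for i in INSTANCES
            if all(i.get(k) == v for k, v in filters.items())]


def list_all_tenants(policy, context):
    """API layer for `nova list --all-tenants`: policy check, then DB call."""
    if not enforce(policy, "compute:get_all_tenants", context, context):
        raise PermissionError(
            "Policy doesn't allow compute:get_all_tenants to be performed.")
    return [i["id"] for i in instance_get_all_by_filters(context)]


def can_delete(policy, context, instance):
    """Would the caller pass the (assumed) compute:delete rule on this instance?"""
    return enforce(policy, "compute:delete", context,
                   {"project_id": instance["project_id"]})


def scenario(policy):
    """What a 'script' user holding only special_role gets under a policy."""
    ctx = make_context(policy, "script", "ops", ["special_role"])
    return {
        "is_admin": ctx["is_admin"],
        "visible": list_all_tenants(policy, ctx),
        "can_delete_other_tenant": can_delete(policy, ctx, INSTANCES[0]),
    }


if __name__ == "__main__":
    for name in ("BASE_POLICY", "CONTEXT_ADMIN_POLICY", "FIXED_POLICY"):
        print(name, scenario(globals()[name]))
```

Under BASE_POLICY the policy check passes but the DB layer still pins the query to the caller's own project, so the script sees only `i-3`; George's script had no instances in its own project, hence the empty table in the thread. Under CONTEXT_ADMIN_POLICY the script sees every instance, but because `admin_or_owner` is written as `is_admin:True or ...`, it also passes the owner check on another tenant's instance. FIXED_POLICY closes that specific hole, but any rule that still names `is_admin:True` directly keeps granting to the special role, which is why the thread treats this as a stopgap until the `context.is_admin` checks are removed from Nova itself.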
