On Thu, Aug 2, 2012 at 1:23 PM, Mitchell Broome <[email protected]> wrote:
> I'm using essex 2012.1 and I'm running into an issue with tenant
> separation using the ec2 api. I end up having to give a user the
> 'admin' role in keystone to create instances within a tenant. I can
> live with that but the problem is, now that the user has 'admin', they
> also see all of the instances including ones from other tenants via a
> describe_instances().
>
> If I only give them the 'Member' role, they can only see the instances
> within their default tenant but they can't create instances. Also, if
> they only have 'Member', I'm able to create instances via horizon
> manually.
>
> I'm assuming I'm missing some combination of roles I need to set up to
> allow a user to create instances in their default tenant but not see
> other instances in other tenants.
>

So far, from what I can tell, you need to add custom roles (or continue using sysadmin and netadmin), and add these roles to the proper actions in policy.json.

- Ryan

