This is getting handled as part of the process of bubbling up all of the policy checks to the API level - although targeted for the V3 API it will also affect the V2 API.
https://blueprints.launchpad.net/nova/+spec/v3-api-policy

So I'm closing this bug as it will be tracked through the blueprint instead.

** Changed in: nova
       Status: Triaged => Won't Fix

https://bugs.launchpad.net/bugs/1168488

Title:
  host-list policy irrelevant

Status in OpenStack Compute (Nova):
  Won't Fix

Bug description:
  There are some compute REST APIs where the policy setting is
  irrelevant because they require admin. host-list is an example.

  To recreate, start with devstack, set up so that you're running as
  demo user.

  $ export OS_USERNAME=demo
  $ export OS_PASSWORD=mypwd
  $ export OS_TENANT_NAME=demo
  $ export OS_AUTH_URL=http://localhost:5000/v2.0
  $ export OS_NO_CACHE=1

  # First try with the default policy:

  $ grep compute_extension:hosts /etc/nova/policy.json
      "compute_extension:hosts": "rule:admin_api",

  $ nova host-list
  ERROR: Policy doesn't allow compute_extension:hosts to be performed. (HTTP 403) (Request-ID: req-b2b9408c-4498-4994-aee7-100cf6acf571)

  # Change policy so that anyone can view hosts:

  $ grep compute_extension:hosts /etc/nova/policy.json
      "compute_extension:hosts": "",

  $ nova host-list
  ERROR: User does not have admin privileges (HTTP 403) (Request-ID: req-48983c2e-784c-4bb5-82ac-6116a67f6fe1)

  It was expected that since I configured the policy so that anyone
  could view hosts that a non-admin user could list hosts.

  Nova should respect the policy that the admin configured and not force
  its own.
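The two 403 responses in the report come from two separate authorization layers. The following is an added example, not Nova's code and not part of the original message: a simplified model in which an API-level policy check is followed by a hardcoded admin check in a lower layer, and in which removing the lower check leaves policy as the single decision point. All function names, the `admin_api` rule definition and the host name are assumptions made for illustration.

```python
import json

# Constructed policy contents mirroring the two settings shown in the report.
# The "admin_api" definition is an assumption; the report only shows the hosts rule.
DEFAULT_POLICY = json.loads(
    '{"admin_api": "is_admin:True", "compute_extension:hosts": "rule:admin_api"}')
OPEN_POLICY = json.loads(
    '{"admin_api": "is_admin:True", "compute_extension:hosts": ""}')

# Constructed request contexts.
DEMO = {"user": "demo", "is_admin": False}
ADMIN = {"user": "admin", "is_admin": True}


class Forbidden(Exception):
    pass


def policy_allows(policy, action, ctx):
    """Tiny evaluator: '' allows anyone, 'rule:x' follows an alias,
    'is_admin:True' requires an admin context."""
    rule = policy[action]
    while rule.startswith("rule:"):
        rule = policy[rule[len("rule:"):]]
    return rule == "" or (rule == "is_admin:True" and ctx["is_admin"])


def list_hosts_lower_layer(ctx, hardcoded_admin_check):
    """Hypothetical lower layer. With the hardcoded check on, it never
    consults policy, so the operator's setting cannot relax it."""
    if hardcoded_admin_check and not ctx["is_admin"]:
        raise Forbidden("User does not have admin privileges")
    return ["host1"]  # constructed result


def host_list(policy, ctx, hardcoded_admin_check=True):
    """Hypothetical API layer: policy check first, then the lower layer."""
    if not policy_allows(policy, "compute_extension:hosts", ctx):
        raise Forbidden(
            "Policy doesn't allow compute_extension:hosts to be performed.")
    return list_hosts_lower_layer(ctx, hardcoded_admin_check)


def outcome(policy, ctx, hardcoded_admin_check=True):
    """Return the host list, or the denial message naming the layer that refused."""
    try:
        return host_list(policy, ctx, hardcoded_admin_check)
    except Forbidden as exc:
        return str(exc)
```

Calling `outcome(OPEN_POLICY, DEMO)` returns the second error from the report even though policy allowed the request; with `hardcoded_admin_check=False` the same call returns the host list, while the default policy still denies the demo user.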