Solly,

My point is that this feature (creating a VM for a tenant as an admin in another project) might not be possible given the current implementation. I've pointed out two places in nova code, from which I drew my conclusion.
Since this potentially requires a code change, I think the dev mailing list is somewhat appropriate... Thanks.

-Simon

On Mon, Apr 7, 2014 at 1:44 PM, Solly Ross <[email protected]> wrote:
> Simon, please use the operators list or general list for questions such as this in the future.
> https://wiki.openstack.org/wiki/Mailing_Lists#General_List
>
> Best Regards,
> Solly Ross
>
> ----- Original Message -----
> From: "Xu (Simon) Chen" <[email protected]>
> To: [email protected]
> Sent: Saturday, April 5, 2014 12:17:05 AM
> Subject: [openstack-dev] [openstack] [nova] admin user create instance for another user/tenant
>
> I wonder if there is a way to do the following. I have a user A with admin role in tenant A, and I want to create a VM in/for tenant B as user A. Obviously, I can use A's admin privilege to add itself to tenant B, but I want to avoid that.
>
> Based on the policy.json file, it seems doable:
> https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L8
>
> I read this as, as long as a user is an admin, it can create an instance. Just like an admin user can remove an instance from another tenant.
>
> But in here, it looks like as long as the context project ID and target project ID don't match, an action would be rejected:
>
> https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L968
>
> Indeed, when I try to use user A's token to create a VM (POST to v2/<tenant_b>/servers), I got the exception from the above link.
>
> On the other hand, according to here, VM's project_id only comes from the context:
> https://github.com/openstack/nova/blob/master/nova/compute/api.py#L767
>
> I wonder if it makes sense to allow admin users to specify a "project_id" field (which overrides context.project_id) when creating a VM. This probably requires non-trivial code change.
>
> Or maybe there is another way of doing what I want?
>
> Thanks.
> -Simon
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
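As an added illustration of the two checks discussed in the thread (simplified model code, not nova's own), the following shows why an admin in tenant A can delete tenant B's instance but cannot create one for tenant B: the WSGI-layer comparison of URL project against context project has no admin exemption, and for create the only project that can reach the policy rule or the new instance is the caller's own. Function names, the rule shape and the sample tenants are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user_id: str
    project_id: str
    roles: frozenset = frozenset()

    @property
    def is_admin(self) -> bool:
        return "admin" in self.roles


@dataclass(frozen=True)
class Instance:
    uuid: str
    project_id: str


def check_url_project(ctx: Context, url_project: str) -> None:
    # Model of the WSGI-layer check: the project in the request URL must equal
    # the context's project. No admin exemption exists at this layer.
    if ctx.project_id != url_project:
        raise PermissionError(f"URL project {url_project!r} != context project {ctx.project_id!r}")


def enforce_admin_or_owner(ctx: Context, target_project: str) -> None:
    # Model of an "admin_or_owner" policy.json rule (assumed shape, not the real file).
    if not (ctx.is_admin or ctx.project_id == target_project):
        raise PermissionError("policy denies: caller is neither admin nor owner")


def create_server(ctx: Context, url_project: str) -> Instance:
    check_url_project(ctx, url_project)
    # For create there is no existing resource, so the only policy target is the caller's project.
    enforce_admin_or_owner(ctx, ctx.project_id)
    # As in compute/api.py, the new instance's project comes solely from the context.
    return Instance(uuid="constructed-uuid-1", project_id=ctx.project_id)


def delete_server(ctx: Context, url_project: str, inst: Instance) -> bool:
    check_url_project(ctx, url_project)
    # For delete the policy target is the instance's owning project, so an admin passes.
    enforce_admin_or_owner(ctx, inst.project_id)
    return True


def allowed(action, *args) -> bool:
    # Run an action and report whether it was authorized (constructed helper).
    try:
        action(*args)
        return True
    except PermissionError:
        return False
```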
