Hello,

Magnum has a periodic task that checks the state of the Heat stacks it creates for its bays. It does this across all users/tenants that have Magnum bays. Currently it uses a global stack-list operation to query these Heat stacks:

https://github.com/openstack/magnum/blob/master/magnum/service/periodic.py#L83

Now the Magnum service user does not normally have permission to perform this operation, hence the Magnum documentation currently suggests the following change to Heat's policy.json:

| stacks:global_index: "role:admin",

This is less than optimal since it allows any tenant's admin user to perform a global stack-list. Would it be an option to have something like this in Heat's default policy.json?

| stacks:global_index: "role:service",

That way the global stack-list would be restricted to service users and setting up Magnum (or other services that use Heat internally) wouldn't need a change to Heat's policy.json.

If that kind of approach is feasible I'd be happy to submit a change.

Cheers,

Johannes

-- 
Johannes Grassler, Cloud Developer
SUSE Linux GmbH, HRB 21284 (AG Nürnberg)
GF: Felix Imendörffer, Jane Smithard, Graham Norton
Maxfeldstr. 5, 90409 Nürnberg, Germany

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
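The following is an added illustration, not code from the message above nor from Heat, Magnum or oslo.policy. It implements a small subset of the oslo.policy rule grammar (`role:X`, `rule:NAME`, `and`, `or`, `@`, `!`) and evaluates the two `stacks:global_index` settings discussed in the message against constructed credentials: a tenant-scoped admin, a Magnum service user, and a plain member. The credential dicts, the `service` role on the Magnum user, and the helper names are assumptions made for the example; the point it shows is that `"role:admin"` lets any tenant's admin perform the global stack-list, while `"role:service"` does not.

```python
"""Compare two Heat policy.json settings for stacks:global_index.

Added example: a minimal evaluator for oslo.policy-style rule strings
(subset: 'role:X', 'rule:NAME', 'and', 'or', '@' = always, '!' = never).
Not Heat/Magnum/oslo.policy code; credentials below are constructed.
"""
import json


def _check(atom, creds, rules):
    """Evaluate a single check such as 'role:admin' or 'rule:foo'."""
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        # Keystone-style credentials carry a list of role names.
        return value in creds.get("roles", [])
    if kind == "rule":
        # Named rule reference: recurse into the policy.
        return evaluate(rules[value], creds, rules)
    raise ValueError(f"unsupported check: {atom!r}")


def evaluate(rule, creds, rules):
    """'or' binds looser than 'and', as in oslo.policy's grammar."""
    return any(
        all(_check(atom.strip(), creds, rules) for atom in conj.split(" and "))
        for conj in rule.split(" or ")
    )


def allowed(policy, target, creds):
    """Is `target` (e.g. 'stacks:global_index') permitted for `creds`?"""
    return evaluate(policy[target], creds, policy)


# Constructed policy.json fragments: the documented workaround vs. the proposal.
POLICY_ADMIN = json.loads('{"stacks:global_index": "role:admin"}')
POLICY_SERVICE = json.loads('{"stacks:global_index": "role:service"}')

# Constructed credentials (assumed role names, not real tokens).
TENANT_ADMIN = {"roles": ["admin", "member"], "project_id": "tenant-a"}
MAGNUM_SERVICE = {"roles": ["service"], "project_id": "service"}
PLAIN_USER = {"roles": ["member"], "project_id": "tenant-b"}


def compare():
    """Return, per principal, whether each setting grants the global list."""
    principals = [
        ("tenant_admin", TENANT_ADMIN),
        ("magnum_service", MAGNUM_SERVICE),
        ("plain_user", PLAIN_USER),
    ]
    return {
        name: {
            "role:admin": allowed(POLICY_ADMIN, "stacks:global_index", creds),
            "role:service": allowed(POLICY_SERVICE, "stacks:global_index", creds),
        }
        for name, creds in principals
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:15s} {result}")
```

With `"role:admin"` the tenant admin is granted the operation, which is the over-broad grant the message objects to; with `"role:service"` only the principal carrying the `service` role passes. Real oslo.policy additionally supports `not`, parentheses, generic `key:value` credential checks and target attribute checks, none of which are needed to see the difference here.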