Hello - I'm using Liberty release devstack for the below scenario. I
have created project "abcd" with "john" as Member. I've launched one
instance, and I can use curl to list the instance. No problem.
I then modify /etc/nova/policy.json and redefine "admin_or_owner" as
follows:
"admin_or_owner": "role:admin or is_admin:True or
project_id:%(project_id)s",
My expectation was that I would be able to list the instance in abcd
using a token of admin. However, when I use the token of user "admin" in
project "admin" to list the instances I get the following error:
stack@vlab:~/token$ curl http://localhost:8774/v2.1/378a4b9e0b594c24a8a753cfa40ecc14/servers/detail -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-OpenStack-Nova-API-Version: 2.6" -H "X-Auth-Token: f221164cd9b44da6beec70d6e1f3382f"

{"badRequest": {"message": "Malformed request URL: URL's project_id '378a4b9e0b594c24a8a753cfa40ecc14' doesn't match Context's project_id 'f73175d9cc8b4fb58ad22021f03bfef5'", "code": 400}}
378a4b9e0b594c24a8a753cfa40ecc14 is project id of abcd and
f73175d9cc8b4fb58ad22021f03bfef5 is project id of admin.
I'm confused by this behavior and the reported error, because if the
project id used to acquire the token is the same as the project id in
/servers/detail then I would be an "owner". So where is the "admin" in
"admin_or_owner"? Shouldn't the "role:admin" allow me to do whatever
functionality "rule:admin_or_owner" allows in policy.json, regardless of
the project id used to acquire the token?
I do understand that I can use the admin user and project to get all
instances of all tenants:
curl http://localhost:8774/v2.1/f73175d9cc8b4fb58ad22021f03bfef5/servers/detail?all_tenants=1 -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-OpenStack-Nova-API-Version: 2.6" -H "X-Auth-Token: $1"
My question is more centered around why nova has the additional check to
make sure that the token project id matches the URL project id, and
whether this is a keystone requirement, or whether nova/cinder and other
programs that have a project id in their API choose to do this on their
own. In other words, is it the developers of each project that decide to
only expose some APIs for administrative functionality (such as
all-tenants) and restrict everything else to owners, or does keystone
require this check?
Thanks,
Reza
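To make the ordering the post observes concrete, here is a small added model (not code from the original post, from nova or from oslo.policy) of the two checks: the URL-vs-token project id comparison, which returns the 400 above before any policy rule is consulted, and a toy evaluator for the redefined admin_or_owner rule string. The rule parser is a deliberately simplified stand-in that only understands "or", which is all the rule in the post needs; the response messages are constructed to resemble the ones in the post.

```python
# Added example, not the project's own code: a toy model of the request path.
RULES = {
    # the redefined rule from the post
    "admin_or_owner": "role:admin or is_admin:True or project_id:%(project_id)s",
    # the server-listing API points at that rule
    "compute:get_all": "rule:admin_or_owner",
}

ABCD = "378a4b9e0b594c24a8a753cfa40ecc14"   # project id of abcd (from the post)
ADMIN = "f73175d9cc8b4fb58ad22021f03bfef5"  # project id of admin (from the post)


def check_atom(atom, creds, target):
    """Evaluate one 'kind:value' atom against the token context (creds)."""
    kind, _, value = atom.partition(":")
    value = value % target  # substitute target attributes such as %(project_id)s
    if kind == "rule":
        return check_rule(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    # generic 'key:value' atom, e.g. project_id:<id> or is_admin:True
    return str(creds.get(kind)) == value


def check_rule(name, creds, target):
    """Toy rule evaluation: 'or'-separated atoms only (enough for this rule)."""
    return any(check_atom(a.strip(), creds, target) for a in RULES[name].split(" or "))


def list_servers(url_project_id, creds, all_tenants=False):
    """Model of GET /v2.1/<project_id>/servers/detail.

    The URL project id is compared with the token's project id first, so an
    admin token scoped to project 'admin' never reaches admin_or_owner when
    the URL names project 'abcd'; it gets the 400 instead of a policy decision.
    """
    if url_project_id != creds["project_id"]:
        return (400, "Malformed request URL: URL's project_id %r doesn't match "
                     "Context's project_id %r" % (url_project_id, creds["project_id"]))
    target = {"project_id": url_project_id}
    if not check_rule("compute:get_all", creds, target):
        return (403, "policy does not allow compute:get_all")  # constructed message
    # all_tenants=1 is only honoured for the admin role, mirroring the post's second curl
    scope = "all tenants" if all_tenants and "admin" in creds["roles"] else url_project_id
    return (200, "servers in %s" % scope)
```

Running list_servers(ABCD, admin_token) reproduces the 400 from the post, while list_servers(ADMIN, admin_token, all_tenants=True) succeeds, showing that the project id match is enforced independently of (and ahead of) the policy rule.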
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev