You can add your new role to this policy:

"context_is_admin": "role:admin or role:special_role",

It will set "is_admin" to True in the context. I'm not sure of the side-effects, to be honest. Use at your own risk...

Mathieu

On 2015-06-11 4:59 PM, George Shuklin wrote:
> Thank you!
>
> You saved me a day of work. Well, we'll move the script to an admin user
> instead of a normal user with the special role.
>
> PS And thanks for filing a bug report too.
>
> On 06/11/2015 10:40 PM, Sławek Kapłoński wrote:
>> Hello,
>>
>> I don't think it is possible, because in nova/db/sqlalchemy/api.py in the
>> function instance_get_all_by_filters you have something like:
>>
>>     if not context.is_admin:
>>         # If we're not admin context, add appropriate filter..
>>         if context.project_id:
>>             filters['project_id'] = context.project_id
>>         else:
>>             filters['user_id'] = context.user_id
>>
>> This is from Juno, but in Kilo it is the same. So in fact even if you set
>> proper policy.json rules, it will still require admin context to search
>> instances from different tenants. Maybe I'm wrong and this is possible in
>> some other place, and maybe someone will show me where, because I was also
>> looking for it last time :)
>>
>> --
>> Pozdrawiam / Best regards
>> Sławek Kapłoński
>> [email protected]
>>
>> On Thursday, 11 June 2015 21:06:31 George Shuklin wrote:
>>> Hello.
>>>
>>> I'm trying to allow a user with a special role to see all instances of all
>>> tenants without giving him admin privileges.
>>>
>>> My initial attempt was to change policy.json for nova to
>>> "compute:get_all_tenants": "role:special_role or is_admin:True".
>>>
>>> But it didn't work well.
>>>
>>> The command (nova list --all-tenants) is not failing anymore (no 'ERROR
>>> (Forbidden): Policy doesn't allow compute:get_all_tenants to be
>>> performed.'), but the returned list is empty:
>>>
>>> nova list --all-tenants
>>> +----+------+--------+------------+-------------+----------+
>>> | ID | Name | Status | Task State | Power State | Networks |
>>> +----+------+--------+------------+-------------+----------+
>>> +----+------+--------+------------+-------------+----------+
>>>
>>> Any ideas how to allow a user without admin privileges to see all instances?
>>>
>>> _______________________________________________
>>> OpenStack-operators mailing list
>>> [email protected]
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
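The thread above describes two independent authorization layers: the policy.json rule checked at the API (`compute:get_all_tenants`) and the `context.is_admin` test inside `instance_get_all_by_filters` in the DB layer. The following stand-alone model, added here as an example and not nova's own code, reproduces why opening only the API rule yields an empty list, what widening `context_is_admin` changes, and the side-effect Mathieu warns about. Assumptions: the policy evaluator is a toy that understands only `role:<name>`, `is_admin:<bool>` and `rule:<name>` atoms joined by ` or `; the instance table and project/user names are constructed sample data; the `admin_api` rule is included only to show that `is_admin` gates far more than listing.

```python
"""Model of the two authorization layers discussed in this thread.

Added example, not nova's code. The policy evaluator is a toy that understands
only "role:<name>", "is_admin:<bool>" and "rule:<name>" atoms joined by " or ";
the instance table below is constructed sample data.
"""

from dataclasses import dataclass, field

# Constructed sample instance table: (instance_id, project_id, user_id).
INSTANCES = [
    ("i-1", "proj-a", "alice"),
    ("i-2", "proj-b", "bob"),
    ("i-3", "proj-c", "carol"),
]

# George's first attempt: only the API rule is opened to the special role.
POLICY_RULE_ONLY = {
    "context_is_admin": "role:admin",
    "admin_api": "is_admin:True",
    "compute:get_all_tenants": "role:special_role or is_admin:True",
}

# Mathieu's suggestion: make the special role an admin context.
POLICY_CONTEXT_IS_ADMIN = {
    "context_is_admin": "role:admin or role:special_role",
    "admin_api": "is_admin:True",
    "compute:get_all_tenants": "is_admin:True",
}


@dataclass
class RequestContext:
    user_id: str
    project_id: str
    roles: list = field(default_factory=list)
    is_admin: bool = False


def check_rule(policy, rule_name, ctx):
    """Evaluate a rule such as 'role:admin or is_admin:True' against ctx."""
    for atom in policy[rule_name].split(" or "):
        kind, _, value = atom.strip().partition(":")
        if kind == "role" and value in ctx.roles:
            return True
        if kind == "is_admin" and value == str(ctx.is_admin):
            return True
        if kind == "rule" and check_rule(policy, value, ctx):
            return True
    return False


def make_context(policy, user_id, project_id, roles):
    """Mirror nova's context setup: is_admin is derived from context_is_admin."""
    ctx = RequestContext(user_id, project_id, list(roles))
    ctx.is_admin = check_rule(policy, "context_is_admin", ctx)
    return ctx


def instance_get_all_by_filters(ctx, filters):
    """DB layer as quoted from nova/db/sqlalchemy/api.py: a non-admin context
    is forced back to its own project (or user), whatever the API rule said."""
    filters = dict(filters)
    if not ctx.is_admin:
        if ctx.project_id:
            filters["project_id"] = ctx.project_id
        else:
            filters["user_id"] = ctx.user_id
    cols = {"project_id": 1, "user_id": 2}
    return [row for row in INSTANCES
            if all(row[cols[k]] == v for k, v in filters.items())]


def list_instances(policy, ctx, all_tenants=False):
    """API layer for `nova list [--all-tenants]`: enforce the policy rule,
    then query the DB. Returns the matching instance ids."""
    filters = {}
    if all_tenants:
        if not check_rule(policy, "compute:get_all_tenants", ctx):
            raise PermissionError(
                "Policy doesn't allow compute:get_all_tenants to be performed.")
    else:
        filters["project_id"] = ctx.project_id
    return [row[0] for row in instance_get_all_by_filters(ctx, filters)]


if __name__ == "__main__":
    # The script's service user lives in a project with no instances of its own,
    # so the DB-layer filter leaves nothing, exactly the empty table in the thread.
    svc = make_context(POLICY_RULE_ONLY, "svc", "proj-ops", ["special_role"])
    print(list_instances(POLICY_RULE_ONLY, svc, all_tenants=True))  # []

    svc = make_context(POLICY_CONTEXT_IS_ADMIN, "svc", "proj-ops", ["special_role"])
    print(list_instances(POLICY_CONTEXT_IS_ADMIN, svc, all_tenants=True))  # all three
    # The side-effect: every rule gated on is_admin now passes for this role.
    print(check_rule(POLICY_CONTEXT_IS_ADMIN, "admin_api", svc))  # True
```

The last line is the practical caveat: widening `context_is_admin` does not grant "list all tenants", it grants admin context, so every rule written as `is_admin:True` or `rule:admin_api` opens to the special role as well. Moving the script to a real admin account, as George decided, is at least honest about the privilege actually being used.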
