Hello,

I don't know if such a solution will work properly. I don't have the possibility to check it now :/

--
Pozdrawiam / Best regards
Sławek Kapłoński
[email protected]

On Thursday, 11 June 2015 18:28:57, Mathieu Gagné wrote:
> haha, you are right.
>
> Should this also be changed so you don't end up with "admin" privileges
> on all tenants?
>
> From:
>
> "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
>
> To:
>
> "admin_or_owner": "role:admin or project_id:%(project_id)s",
>
> Note: I'm trying to find a temporary way to not have to wait for Nova to
> remove all occurrences of "if not context.is_admin".
>
> Mathieu
>
> On 2015-06-11 6:13 PM, Sławek Kapłoński wrote:
>> Hello,
>>
>> But AFAIK this will give someone with role "special_role" the same privileges
>> as someone who has got the "admin" role, right?
>>
>> --
>> Pozdrawiam / Best regards
>> Sławek Kapłoński
>> [email protected]
>>
>> On Thursday, 11 June 2015 18:08:38, Mathieu Gagné wrote:
>>> You can add your new role to this policy:
>>> "context_is_admin": "role:admin or role:special_role",
>>>
>>> It will set "is_admin" to True in the context. I'm not sure of the
>>> side-effects to be honest. Use at your own risk...
>>>
>>> Mathieu
>>>
>>> On 2015-06-11 4:59 PM, George Shuklin wrote:
>>>> Thank you!
>>>>
>>>> You saved me a day of work. Well, we'll move the script to an admin user
>>>> instead of a normal user with the special role.
>>>>
>>>> PS And thanks for filing a bug report too.
>>>>
>>>> On 06/11/2015 10:40 PM, Sławek Kapłoński wrote:
>>>>> Hello,
>>>>>
>>>>> I don't think it is possible because in nova/db/sqlalchemy/api.py in
>>>>> function instance_get_all_by_filters you have something like:
>>>>>
>>>>>     if not context.is_admin:
>>>>>         # If we're not admin context, add appropriate filter..
>>>>>         if context.project_id:
>>>>>             filters['project_id'] = context.project_id
>>>>>         else:
>>>>>             filters['user_id'] = context.user_id
>>>>>
>>>>> This is from Juno, but in Kilo it is the same. So in fact even if you
>>>>> set proper policy.json rules it will still require admin context to
>>>>> search instances from different tenants. Maybe I'm wrong and this is
>>>>> possible in some other place, and maybe someone will show me where,
>>>>> because I was also looking for it last time :)
>>>>>
>>>>> --
>>>>> Pozdrawiam / Best regards
>>>>> Sławek Kapłoński
>>>>> [email protected]
>>>>>
>>>>> On Thursday, 11 June 2015 21:06:31, George Shuklin wrote:
>>>>>> Hello.
>>>>>>
>>>>>> I'm trying to allow a user with a special role to see all instances of
>>>>>> all tenants without giving him admin privileges.
>>>>>>
>>>>>> My initial attempt was to change policy.json for nova to
>>>>>> "compute:get_all_tenants": "role:special_role or is_admin:True".
>>>>>>
>>>>>> But it didn't work well.
>>>>>>
>>>>>> The command (nova list --all-tenants) is not failing anymore (no
>>>>>> 'ERROR (Forbidden): Policy doesn't allow compute:get_all_tenants to be
>>>>>> performed.'), but the returned list is empty:
>>>>>>
>>>>>> nova list --all-tenants
>>>>>> +----+------+--------+------------+-------------+----------+
>>>>>> | ID | Name | Status | Task State | Power State | Networks |
>>>>>> +----+------+--------+------------+-------------+----------+
>>>>>> +----+------+--------+------------+-------------+----------+
>>>>>>
>>>>>> Any ideas how to allow a user without admin privileges to see all
>>>>>> instances?
>>>>>>
>>>>>> _______________________________________________
>>>>>> OpenStack-operators mailing list
>>>>>> [email protected]
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
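The three policy.json variants discussed in this thread (George's original attempt, Mathieu's `context_is_admin` suggestion, and his follow-up change to `admin_or_owner`), worked through as an added example that is not code from the thread, nova or oslo.policy. The evaluator below is a simplified stand-in for the oslo.policy rule language covering only the syntax that appears above; the `instance_filters` function mirrors the `instance_get_all_by_filters` snippet Sławek quoted, and the credential dicts and project ids used with it are constructed sample data.

```python
# Added example (not code from the thread, nova or oslo.policy): a minimal stand-in
# for the oslo.policy rule syntax used above, to compare the proposed policy.json variants.
def evaluate(rule, creds, target, policy):
    """Evaluate a rule string; 'and' binds tighter than 'or', as in oslo.policy."""
    if " or " in rule:
        return any(evaluate(p, creds, target, policy) for p in rule.split(" or "))
    if " and " in rule:
        return all(evaluate(p, creds, target, policy) for p in rule.split(" and "))
    kind, match = rule.strip().split(":", 1)
    if kind == "rule":                 # reference to another named rule
        return evaluate(policy[match], creds, target, policy)
    if kind == "role":                 # RoleCheck: is the role in the credentials?
        return match in creds.get("roles", [])
    # GenericCheck: credential attribute vs. a literal or a %(target)s substitution
    return str(creds.get(kind, False)) == (match % target)

def build_context(creds, policy):
    """Like nova's request context: is_admin is derived from context_is_admin."""
    ctx = dict(creds)
    ctx["is_admin"] = evaluate(policy["context_is_admin"], creds, {}, policy)
    return ctx

def instance_filters(ctx):
    """The instance_get_all_by_filters logic quoted in the thread (Juno/Kilo)."""
    filters = {}
    if not ctx["is_admin"]:
        if ctx.get("project_id"):
            filters["project_id"] = ctx["project_id"]
        else:
            filters["user_id"] = ctx["user_id"]
    return filters

# George's attempt: only compute:get_all_tenants is opened to special_role.
ATTEMPT = {
    "context_is_admin": "role:admin",
    "compute:get_all_tenants": "role:special_role or is_admin:True",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
}
# Mathieu's first suggestion: special_role gets an admin context ...
FIRST = dict(ATTEMPT, **{"context_is_admin": "role:admin or role:special_role"})
# ... and his follow-up: tie admin_or_owner to the real admin role instead.
SECOND = dict(FIRST, **{"admin_or_owner": "role:admin or project_id:%(project_id)s"})

def summarize(creds, policy, other_project):
    """(get_all_tenants allowed, is_admin, DB filters, owner rights on another tenant)."""
    ctx = build_context(creds, policy)
    allowed = evaluate(policy["compute:get_all_tenants"], ctx, {}, policy)
    owner = evaluate(policy["admin_or_owner"], ctx, {"project_id": other_project}, policy)
    return allowed, ctx["is_admin"], instance_filters(ctx), owner
```

Under ATTEMPT the policy check passes but the DB layer still filters to the user's own project, which is the empty list George saw; under FIRST the user sees everything but also passes `admin_or_owner` on other tenants' resources, which is the concern Sławek and Mathieu raised; SECOND keeps the unfiltered listing while denying that.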
