openstack team mailing list archive

EC2 api and tenants

 

I'm using essex 2012.1 and I'm running into an issue with tenant
separation using the ec2 api.  I end up having to give a user the
'admin' role in keystone to create instances within a tenant.  I can
live with that but the problem is, now that the user has 'admin', they
also see all of the instances including ones from other tenants via a
describe_instances().

If I only give them the 'Member' role, they can only see the instances
within their default tenant but they can't create instances.  Also, if
they only have 'Member', I'm able to create instances via horizon
manually.

I'm assuming I'm missing some combination of roles I need to set up to
allow a user to create instances in their default tenant but not see
other instances in other tenants.

