yahoo-eng-team team mailing list archive
Message #22727
[Bug 1376098] [NEW] nova list filtering only works when you have the "Admin" role
Public bug reported:
I'm trying to allow a non-admin to be able to do a

    nova list --all-tenants --tenant XXXXXX

I have set my policy.json file to allow this user, who has a role called
monitoring, to do this:

    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "monitoring": "role:monitoring",
    "monitoring_or_default": "rule:default or role:monitoring",
    "compute:get_all": "rule:monitoring_or_default",
    "compute:get_all_tenants": "rule:admin_api or rule:monitoring",

This allows them to do a nova list --all-tenants.

But if they filter by anything, it just returns all and disregards the
filter.
** Affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1376098
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1376098/+subscriptions
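
Added example, not part of the original report and not nova's or oslo.policy's own code: a simplified evaluator for the rules quoted above, showing which of them a caller with only the monitoring role satisfies compared with an admin. It assumes "admin_api" is defined as "is_admin:True" (the report references it without showing it) and that is_admin is derived from the context_is_admin rule; role names other than admin and monitoring, and the project ids, are constructed.

```python
import re

# Rules copied from the policy.json fragment in the report.
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "monitoring": "role:monitoring",
    "monitoring_or_default": "rule:default or role:monitoring",
    "compute:get_all": "rule:monitoring_or_default",
    "compute:get_all_tenants": "rule:admin_api or rule:monitoring",
    # ASSUMPTION: "admin_api" is referenced in the report but not shown there.
    "admin_api": "is_admin:True",
}

def check(rule, creds, target, seen=()):
    """True if any 'or' alternative of the named rule matches."""
    if rule not in POLICY or rule in seen:  # undefined or cyclic rule: deny
        return False
    for term in re.split(r"\s+or\s+", POLICY[rule].strip()):
        kind, _, match = term.partition(":")
        if kind == "rule":
            ok = check(match, creds, target, seen + (rule,))
        elif kind == "role":
            ok = match.lower() in [r.lower() for r in creds["roles"]]
        else:  # generic check: credential attribute vs literal or %(key)s
            try:
                ok = str(creds.get(kind)) == match % target
            except KeyError:  # target lacks the referenced key: no match
                ok = False
        if ok:
            return True
    return False

def evaluate(roles, project_id, target_project):
    """Decisions for one caller listing servers of target_project."""
    creds = {"roles": roles, "project_id": project_id, "is_admin": False}
    target = {"project_id": target_project}
    # ASSUMPTION: is_admin is derived from the context_is_admin rule.
    creds["is_admin"] = check("context_is_admin", creds, target)
    names = ("context_is_admin", "compute:get_all", "compute:get_all_tenants")
    return {name: check(name, creds, target) for name in names}

if __name__ == "__main__":
    # Constructed callers and project ids, for illustration only.
    for roles in (["admin"], ["monitoring"], ["member"]):
        print(roles, evaluate(roles, "proj-a", "proj-b"))
```

With these rules the monitoring role passes both compute:get_all and compute:get_all_tenants, and context_is_admin is the only evaluated rule on which it differs from admin.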