yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1376098] Re: nova list filtering only works when you have the "Admin" role

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Sean Dague <sean@xxxxxxxxx>
Date: Sat, 20 Feb 2016 15:02:40 -0000
Reply-to: Bug 1376098 <1376098@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

We've pulled most of the is_admin out of the db layer. I think the
policy should be good enough to do this now. If not, please reopen.

** Changed in: nova
       Status: Confirmed => Fix Released

** Changed in: nova
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1376098

Title:
  nova list filtering only works when you have the "Admin" role

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  I'm trying to allow a non admin to be able to do a

  nova list --all-tenants --tenant XXXXXX

  I have set my policy.json file to allow this user who has a role
  called monitoring to do this:

     "context_is_admin":  "role:admin",
      "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
      "default": "rule:admin_or_owner",
      "monitoring": "role:monitoring",
      "monitoring_or_default":  "rule:default or role:monitoring",

      "compute:get_all": "rule:monitoring_or_default",
      "compute:get_all_tenants": "rule:admin_api or rule:monitoring",

  This allows them to do a nova list --all-tenants.

  But if they filter by anything it just returns all and disregards the
  filter

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1376098/+subscriptions

References

[Bug 1376098] [NEW] nova list filtering only works when you have the "Admin" role
From: Sam Morrison, 2014-10-01