Excerpts from Sławek Kapłoński's message of 2015-06-11 12:40:36 -0700:
> Hello,
> 
> I don't think it is possible, because in nova/db/sqlalchemy/api.py, in the
> function instance_get_all_by_filters, you have something like:
> 
> if not context.is_admin:
>     # If we're not admin context, add appropriate filter..
>     if context.project_id:
>         filters['project_id'] = context.project_id
>     else:
>         filters['user_id'] = context.user_id
> 
> This is from Juno, but in Kilo it is the same. So in fact, even if you set
> the proper policy.json rules, it will still require an admin context to
> search instances from different tenants. Maybe I'm wrong and this is possible
> in some other place, and maybe someone will show me where, because I was
> also looking for it last time :)
> 

Looks like a bug to me. The check should just enforce that there is one
of those filters if not context.is_admin.

https://launchpad.net/nova/+filebug

I'd suggest referencing this mailing list thread.

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
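
The difference between the quoted check and the one suggested in the reply, as an added example that is not part of the thread or of nova. `Context`, `scope_overwrite` and `scope_require` are hypothetical names, and the second function is one reading of the suggestion; it assumes policy.json has already authorised any cross-tenant scope before the DB layer is reached.

```python
# Added illustration; not nova code. Context and both functions are
# hypothetical stand-ins for the logic discussed in the thread.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    is_admin: bool
    project_id: Optional[str] = None
    user_id: Optional[str] = None


def scope_overwrite(context, filters):
    """Check quoted in the thread: a non-admin caller's own project_id
    (or user_id) replaces whatever scope the caller asked for."""
    filters = dict(filters)
    if not context.is_admin:
        if context.project_id:
            filters['project_id'] = context.project_id
        else:
            filters['user_id'] = context.user_id
    return filters


def scope_require(context, filters):
    """Check suggested in the reply: a non-admin query must carry a
    project_id or user_id filter. A supplied one is kept; a missing one
    falls back to the caller's own scope."""
    filters = dict(filters)
    if context.is_admin:
        return filters
    if filters.get('project_id') or filters.get('user_id'):
        # Assumption: the policy layer already authorised this scope.
        return filters
    if context.project_id:
        filters['project_id'] = context.project_id
    elif context.user_id:
        filters['user_id'] = context.user_id
    else:
        raise ValueError('non-admin query has no project_id or user_id scope')
    return filters
```

With the second variant the DB layer no longer isolates tenants on its own, so the policy rule becomes the only control on which project_id a non-admin caller may query.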
