Public bug reported: I'm trying to allow a certain role to do certain things to any project's instances through policy.json and it isn't working as expected.

I've set the following policies to allow my role to do a "nova show" but with no luck; the same is with any other instance action like start, reboot etc.

    "compute:get": "rule:default_or_monitoring",
    "compute:get_all": "rule:default_or_monitoring",
    "compute:get_all_tenants": "rule:admin_or_monitoring",
    "os_compute_api:servers:detail:get_all_tenants": "rule:admin_or_monitoring",
    "os_compute_api:servers:index:get_all_tenants": "rule:admin_or_monitoring",
    "os_compute_api:servers:detail": "rule:default_or_monitoring",
    "os_compute_api:servers:index": "rule:default_or_monitoring",
    "os_compute_api:servers:show": "rule:default_or_monitoring",

Upon looking in the code I see that in the DB layer the instance_get function is hard-coded to filter by project if the context isn't admin; see HEAD (as of writing): https://github.com/openstack/nova/blob/d0905df10a48212950c0854597a2df923e6ddd0c/nova/db/sqlalchemy/api.py#L1885

If I remove this project=True flag then everything works as expected. The Nova API otherwise just returns a 404.

** Affects: nova
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1607602
Title: policy.json ignored for most instance actions
Status in OpenStack Compute (nova): New
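The mechanism the report describes, as an added example that is not nova's code: a stripped-down model of the two authorization layers, where a policy rule grants the monitoring role access but a DB-layer project filter (modelled on instance_get's project-scoping for non-admin contexts) still hides the row, so the API answers 404. The Context class, the INSTANCES sample data and the body of the default_or_monitoring rule are assumptions; the report does not show how that custom rule is defined.

```python
# Added example, not nova's code. Models the two layers the bug report
# describes: policy.json rules decide whether the caller may act, while
# the DB layer applies its own project filter for non-admin contexts.
from dataclasses import dataclass, field


@dataclass
class Context:
    user_id: str
    project_id: str
    roles: set = field(default_factory=set)
    is_admin: bool = False


# Constructed sample data: one instance in each of two projects.
INSTANCES = {
    "i-1": {"project_id": "proj-a"},
    "i-2": {"project_id": "proj-b"},
}


def rule_default_or_monitoring(ctx, target):
    """Hypothetical definition of the report's custom rule: the default
    owner/admin check, widened to anyone holding the monitoring role."""
    return (ctx.is_admin or ctx.project_id == target["project_id"]
            or "monitoring" in ctx.roles)


def db_instance_get(ctx, instance_id, project_only=True):
    """Models the DB-layer lookup: with project_only set, a non-admin
    context only ever sees rows from its own project, whatever policy.json
    says. This filter is the tenant-isolation control, so dropping it
    widens visibility for every non-admin caller, not just one role."""
    inst = INSTANCES.get(instance_id)
    if inst is None:
        return None
    if project_only and not ctx.is_admin and inst["project_id"] != ctx.project_id:
        return None  # row hidden; the API surfaces this as 404
    return inst


def server_show(ctx, instance_id, project_only=True):
    """Models the API flow: policy check first, then the DB lookup.
    Returns the HTTP status the caller would see."""
    target = INSTANCES.get(instance_id, {"project_id": None})
    if not rule_default_or_monitoring(ctx, target):
        return 403
    if db_instance_get(ctx, instance_id, project_only) is None:
        return 404
    return 200
```

The monitoring role passes the policy layer yet still gets 404 on another project's instance; the admin context is the only one the DB filter lets through.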

