Policy ignored for get_all and get volume(s)

Bug #1522264 reported by Sam Morrison
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Cinder
Confirmed
Undecided
Unassigned

Bug Description

Trying to allow a certain role to be able to do the either a "cinder list --all-tenants" or a "cinder show <any UUID>" and the policy is ignored.

Looked in the code and it's hard coded at the DB layer to filter out volumes that aren't owned by the context user.

Nova had this issue to and it would be great to fix this in cinder.

Revision history for this message
Yuriy Nesenenko (ynesenenko) wrote :

To allow a certain role to be able to do either 'cinder list --all-tenants' or 'cinder show <UUID>' we can configure policy.json
We can create corresponding "new-role" role in keystone and add it to file /etc/cinder/policy.json "context_is_admin": "role:admin or role:new-role" to grant admin context which allow to do 'cinder list --all-tenants'

Revision history for this message
Sam Morrison (sorrison) wrote :

This is not acceptable. I want more finer grain access. Eg a read only role. Not another global admin.

Changed in cinder:
status: New → Confirmed
assignee: nobody → Yuriy Nesenenko (ynesenenko)
Revision history for this message
Yuriy Nesenenko (ynesenenko) wrote :

Unfortunately only admin user can get a list of roles at default settings in reystoneclient.

Revision history for this message
Yuriy Nesenenko (ynesenenko) wrote :

Unfortunately only admin user can get a list of roles at default settings in keystoneclient. It's hard to allow a certain role to be able to do 'cinder list --all-tenants' if the user isnot admin.

Changed in cinder:
assignee: Yuriy Nesenenko (ynesenenko) → nobody
Changed in cinder:
assignee: nobody → Mitsuhiro Tanino (mitsuhiro-tanino)
Revision history for this message
Sean McGinnis (sean-mcginnis) wrote : Owner Expired

Unassigning due to no activity.

Changed in cinder:
assignee: Mitsuhiro Tanino (mitsuhiro-tanino) → nobody
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers