Policy ignored for get_all and get volume(s)
Bug #1522264 reported by Sam Morrison
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Confirmed | Undecided | Unassigned |
Bug Description
Trying to allow a certain role to be able to do either a "cinder list --all-tenants" or a "cinder show <any UUID>" and the policy is ignored.
Looked in the code and it's hard-coded at the DB layer to filter out volumes that aren't owned by the context user.
Nova had this issue too, and it would be great to fix this in Cinder.
Changed in cinder:
status: New → Confirmed
assignee: nobody → Yuriy Nesenenko (ynesenenko)
Changed in cinder:
assignee: nobody → Mitsuhiro Tanino (mitsuhiro-tanino)
To allow a certain role to be able to do either 'cinder list --all-tenants' or 'cinder show <UUID>' we can configure the policy.json policy "context_is_admin": "role:admin or role:new-role" to grant admin context, which allows doing 'cinder list --all-tenants'.
We can create corresponding "new-role" role in keystone and add it to file /etc/cinder/
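
A simplified model of the behaviour discussed in this bug, added here as an illustration and not taken from Cinder's code: the API-layer rule for the action passes for the new role, but the DB-layer ownership filter only looks at admin context, so only `context_is_admin` changes what is returned, and it does so by turning the role into an admin context. The function names, the two-layer split as modelled, the use of `volume:get_all` as the action's rule key, and the sample volumes are assumptions.

```python
from dataclasses import dataclass

def check_rule(rule, roles):
    """Evaluate only the 'role:a or role:b' subset of the policy language."""
    terms = [t.strip() for t in rule.split(" or ")]
    return any(t.startswith("role:") and t[5:] in roles for t in terms)

@dataclass
class Context:
    project_id: str
    roles: frozenset
    is_admin: bool

def make_context(project_id, roles, policy):
    # Admin context is derived once from the context_is_admin rule.
    roles = frozenset(roles)
    return Context(project_id, roles, check_rule(policy["context_is_admin"], roles))

VOLUMES = [  # constructed sample rows
    {"id": "vol-1", "project_id": "proj-a"},
    {"id": "vol-2", "project_id": "proj-b"},
]

def db_volume_get_all(ctx):
    # Modelled DB layer: ownership filter keyed on admin context, not on policy.
    return [v for v in VOLUMES if ctx.is_admin or v["project_id"] == ctx.project_id]

def list_all_tenants(ctx, policy):
    # Modelled API layer: the action's policy rule is checked before the query.
    if not check_rule(policy["volume:get_all"], ctx.roles):
        raise PermissionError("volume:get_all denied by policy")
    return [v["id"] for v in db_volume_get_all(ctx)]

# Modelled attempt from the bug description: grant only the action to the new role.
ACTION_ONLY = {"context_is_admin": "role:admin",
               "volume:get_all": "role:admin or role:new-role"}
# Setting from the comment: the new role also becomes an admin context.
ADMIN_CONTEXT = {"context_is_admin": "role:admin or role:new-role",
                 "volume:get_all": "role:admin or role:new-role"}

def visible(policy, roles=("new-role",), project_id="proj-a"):
    ctx = make_context(project_id, roles, policy)
    return list_all_tenants(ctx, policy), ctx.is_admin

if __name__ == "__main__":
    print("action only  :", visible(ACTION_ONLY))
    print("admin context:", visible(ADMIN_CONTEXT))
```

In the model, the second policy returns both volumes only because `is_admin` is now true for `new-role`, which also satisfies every other check keyed on admin context.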