Policy ignored for get_all and get volume(s)
Bug #1522264 reported by
Sam Morrison
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Cinder |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
Trying to allow a certain role to be able to do the either a "cinder list --all-tenants" or a "cinder show <any UUID>" and the policy is ignored.
Looked in the code and it's hard coded at the DB layer to filter out volumes that aren't owned by the context user.
Nova had this issue to and it would be great to fix this in cinder.
Revision history for this message
| Yuriy Nesenenko (ynesenenko) wrote | #1 |
Revision history for this message
| Sam Morrison (sorrison) wrote | #2 |
| Changed in cinder: | |
| status: | New → Confirmed |
| assignee: | nobody → Yuriy Nesenenko (ynesenenko) |
Revision history for this message
| Yuriy Nesenenko (ynesenenko) wrote | #3 |
Revision history for this message
| Yuriy Nesenenko (ynesenenko) wrote | #4 |
| Changed in cinder: | |
| assignee: | Yuriy Nesenenko (ynesenenko) → nobody |
| Changed in cinder: | |
| assignee: | nobody → Mitsuhiro Tanino (mitsuhiro-tanino) |
Revision history for this message
| Sean McGinnis (sean-mcginnis) wrote Owner Expired | #5 |
| Changed in cinder: | |
| assignee: | Mitsuhiro Tanino (mitsuhiro-tanino) → nobody |
To post a comment you must log in.
To allow a certain role to be able to do either 'cinder list --all-tenants' or 'cinder show <UUID>' we can configure policy.json
We can create corresponding "new-role" role in keystone and add it to file /etc/cinder/