Forbidden: Policy doesn't allow compute:get_all_tenants to be performed. (HTTP 403)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard (Horizon) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
Horizon is making requests to admin-only APIs in the project dashboard:
Error while checking action permissions.
Traceback (most recent call last):
File "/home/
return action.
File "/home/
return self.allowed(
File "/home/
usages = quotas.
File "/home/
value = cache[key] = func(*args, **kwargs)
File "/home/
_get_
File "/home/
request, search_
File "/home/
for s in c.servers.
File "/home/
return self._list(
File "/home/
_resp, body = self.api.
File "/home/
return self._cs_
File "/home/
resp, body = self._time_
File "/home/
resp, body = self.request(url, method, **kwargs)
File "/home/
raise exceptions.
Forbidden: Policy doesn't allow compute:
Looks like this commit is the culprit:
commit f5b77f9a145337c
Author: eric <email address hidden>
Date: Sun Nov 30 07:03:20 2014 -0700
Quotas for users with admin role do not work
The quotas code does not isloate counts to resources within the
current tenant/project. So if a user with the admin role makes
calls for quota items, the admin role will have counts of a global
list of resources. This changes that for the tenant quota call
to fallback to the request.
otherwise specified for the tenant quota api call.
Change-Id: Ib0e6ce7774c4c0
Closes-bug: #1391242
Changed in horizon: | |
status: | New → Confirmed |
We're experiencing this as well.
More interestingly, horizon code seems to be doing a policy check for "compute: get_all_ tenants" , however (our) Nova's policy rejection is on "os_compute_ api:servers: detail: get_all_ tenants" .
That seems like local copy of nova policy file would allow it, but then the nova client hitting nova API policy would reject it.