non admin project policy.json declarations ignored for most instance actions
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Confirmed | Medium | Unassigned | |
Bug Description
I'm trying to allow a certain role to do certain things to any project's instances through policy.json and it isn't working as expected.
I've set the following policies to allow my role to do a "nova show" but with no luck. The same is true of any other instance action like start, reboot, etc.
"compute:get": "rule:default_
"compute:get_all": "rule:default_
"compute:
"os_compute_
"os_compute_
"os_compute_
"os_compute_
"os_compute_
Upon looking in the code, I see that in the DB layer the instance_get function is hard-coded to filter by project if the context isn't admin; see: HEAD (as of writing)
If I remove this project=True flag then everything works as expected.
The Nova API otherwise just returns a 404.
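An added model of the behaviour described above (not nova's code and not from the report): the API-layer policy check lets a role through, but a DB-layer project filter still hides other projects' instances, so the caller gets a 404. The `support` role, the policy table, the instance data and the `project_only` parameter are constructed for illustration.

```python
# Constructed model; all names are hypothetical stand-ins, not nova's code.
from dataclasses import dataclass, field

# Constructed policy: a hypothetical "support" role may read any instance.
POLICY = {"compute:get": {"admin", "support"}}

# Constructed instance table: uuid -> owning project.
INSTANCES = {"inst-1": "project-a", "inst-2": "project-b"}


@dataclass
class Context:
    project_id: str
    roles: set = field(default_factory=set)

    @property
    def is_admin(self):
        return "admin" in self.roles


class NotFound(Exception):
    pass


def enforce(context, action):
    """API-layer check: does any of the caller's roles satisfy the rule?"""
    return bool(POLICY.get(action, set()) & context.roles)


def instance_get(context, uuid, project_only=True):
    """DB-layer lookup with the hard-coded project filter for non-admins."""
    owner = INSTANCES.get(uuid)
    if owner is None:
        raise NotFound(uuid)
    if project_only and not context.is_admin and owner != context.project_id:
        raise NotFound(uuid)  # indistinguishable from a missing row
    return {"uuid": uuid, "project_id": owner}


def show(context, uuid, project_only=True):
    """Return (http_status, body) as the API would map each outcome."""
    if not enforce(context, "compute:get"):
        return 403, None
    try:
        return 200, instance_get(context, uuid, project_only)
    except NotFound:
        return 404, None
```

A 404 for a caller that passes the policy check, where a policy failure would have produced a 403, points at the second filter rather than at policy.json. With the filter off, the policy rule is the only thing separating projects, so the rule itself has to carry any owner check.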
tags: added: api
Changed in nova: assignee: nobody → Varsha (varsha-jayaraj94)
Changed in nova: status: Confirmed → In Progress
Yes, this is definitely the current state of project admin still being somewhat special in code. I think once we get all the policy up into code, we can look into this one in Ocata.