Comment 1 for bug 972583

ugh, nasty little bug. We were using project checking in the db as an added level of access control, but it does lead to problems when we are trying to do administrative commands across tenants.

Can you see if the following change fixes the issue?

diff --git a/nova/api/openstack/compute/contrib/cloudpipe.py b/nova/api/openstack/compute/contrib/cloudpipe.py
index b5d8747..115dc70 100644
--- a/nova/api/openstack/compute/contrib/cloudpipe.py
+++ b/nova/api/openstack/compute/contrib/cloudpipe.py
@@ -85,6 +85,7 @@ class CloudpipeController(object):

     def _vpn_dict(self, context, project_id, instance):
         elevated = context.elevated()
+ elevated.project_id = project_id
         rv = {'project_id': project_id}
         if not instance:
             rv['state'] = 'pending'

This fakes the context to be for the project. should only need to make the change on the api host.