Non-admin users creating private flavors

asked 2014-07-16 05:15:18 -0600

gipmon


I am currently developing a feature so that non-admin users can create and modify flavors. I made it possible with some changes:

  1. add in openstack_dashboard/dashboards/project the flavor folder from admin dashboard
  2. change all the admin setup for project
  3. add in the the 'flavors'
  4. changed in,line 254, the manager = VERSIONS.get_project_manager(request, admin=True) to: manager = VERSIONS.get_project_manager(request, admin=False)
  5. Changed the nova_policy.json: including this line 115:

 "compute_extension:flavor_access:addTenantAccess": "rule:admin_api",

to:

 "compute_extension:flavor_access:addTenantAccess": "",

and the non-admin user can create and modify the flavor but can't add tenants to the flavor. When I try to do this the flavor becomes private but no tenants were added.

Request and response:

REQ: curl -i '' -X POST -H "X-Auth-Project-Id: 4ee6760e38734fdbae2d9dec8fab0bee" -H "User-Agent: python-novaclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: 05f2dd65004193c8782158bcef18f1a5" -d '{"addTenantAccess": {"tenant": "4ee6760e38734fdbae2d9dec8fab0bee"}}'

New session created for: ( RESP: [403] {'date': 'Tue, 15 Jul 2014 21:09:58 GMT', 'content-length': '78', 'content-type': 'application/json; charset=UTF-8', 'x-compute-request-id': 'req-e8680aa7-87af-4e0d-8fe2-bef0acc1b311'} RESP BODY: {"forbidden": {"message": "User does not have admin privileges", "code": 403}}

I tried to change the line 163 in /nova/api/openstack/compute/contrib/

authorize(context, action="addTenantAccess")

to:

#authorize(context, action="addTenantAccess")

but still showing the same error.

So is there a hard-coded validation for admin users in nova or novaclient?

Thank you!


1 answer


answered 2014-07-16 05:56:58 -0600

foexle


Have you tried using the correct rule instead of ""? In my experience, the default rule is sometimes ignored when "" is set. So create a rule or use the default one and fill in the policy.

"compute_extension:flavor_access:addTenantAccess": "rule:default"

Cheers Heiko



Hello Heiko!

I changed the rule in /nova/policy.json and in Horizon's nova_policy.json, and it still shows the same error.

Thank you!

gipmon ( 2014-07-16 06:19:42 -0600 )
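A defender-side check for the policy edit discussed in this thread, as an added example that is not part of the original posts or of the OpenStack code: it follows "rule:" aliases in a policy file and reports which compute_extension actions end up with an empty rule, which the policy language treats as matching every caller. The sample policy is constructed; its alias definitions are assumed typical values, not taken from the poster's file, and the function names are hypothetical.

```python
import json

# Constructed sample policy (assumption): action names as in the thread,
# alias definitions chosen for illustration.
SAMPLE_POLICY = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "admin_api": "is_admin:True",
    "compute_extension:flavor_access:addTenantAccess": "",
    "compute_extension:flavor_access:removeTenantAccess": "rule:admin_api",
    "compute_extension:flavormanage": "rule:default",
}

ALWAYS_TRUE = ("", "@")  # expressions that match every caller


def resolve(policy, name, seen=()):
    """Follow pure 'rule:<alias>' references down to a concrete expression.

    Returns None when the alias is undefined or the references form a cycle.
    """
    if name in seen or name not in policy:
        return None
    expr = policy[name]
    if isinstance(expr, list):  # legacy list syntax: [] matches everyone
        return "" if not expr else json.dumps(expr)
    expr = expr.strip()
    if expr.startswith("rule:") and " " not in expr:
        return resolve(policy, expr[len("rule:"):], seen + (name,))
    return expr


def audit(policy, prefix="compute_extension:"):
    """Map each action under `prefix` to a verdict string."""
    findings = {}
    for name in sorted(policy):
        if not name.startswith(prefix):
            continue
        expr = resolve(policy, name)
        if expr is None:
            findings[name] = "unresolved"
        elif expr in ALWAYS_TRUE:
            findings[name] = "unrestricted"
        else:
            findings[name] = "restricted: " + expr
    return findings


if __name__ == "__main__":
    for action, verdict in audit(SAMPLE_POLICY).items():
        print(f"{verdict:<14.14} {action}")
```
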


Asked: 2014-07-16 05:14:07 -0600

Seen: 1,196 times

Last updated: Jul 16 '14