Non-admin users creating private flavors

asked 2014-07-16 05:15:18 -0500

gipmon

Hello,

I am currently developing a feature so that non-admin users can create and modify flavors. I made it possible with some changes:

  1. add in openstack_dashboard/dashboards/project the flavor folder from admin dashboard
  2. change all the admin setup for project
  3. add in the dashboard.py the 'flavors'
  4. changed in keystone.py, line 254, the manager = VERSIONS.get_project_manager(request, admin=True) to: manager = VERSIONS.get_project_manager(request, admin=False)
  5. Changed the nova_policy.json: http://paste.openstack.org/show/86623/ including this line 115:

 "compute_extension:flavor_access:addTenantAccess": "rule:admin_api",

to:

"compute_extension:flavor_access:addTenantAccess": "",

and the non-admin user can create and modify the flavor but can't add tenants to the flavor. When I try to do this the flavor becomes private but no tenants were added.

Request and response:

REQ: curl -i 'http://192.168.0.11:8774/v2/4ee6760e38734fdbae2d9dec8fab0bee/flavors/d7c4ea68-6e67-4278-885e-f92bdca45fa1/action' -X POST -H "X-Auth-Project-Id: 4ee6760e38734fdbae2d9dec8fab0bee" -H "User-Agent: python-novaclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: 05f2dd65004193c8782158bcef18f1a5" -d '{"addTenantAccess": {"tenant": "4ee6760e38734fdbae2d9dec8fab0bee"}}'

New session created for: (http://192.168.0.11:8774)
RESP: [403] {'date': 'Tue, 15 Jul 2014 21:09:58 GMT', 'content-length': '78', 'content-type': 'application/json; charset=UTF-8', 'x-compute-request-id': 'req-e8680aa7-87af-4e0d-8fe2-bef0acc1b311'}
RESP BODY: {"forbidden": {"message": "User does not have admin privileges", "code": 403}}

I tried to change the line 163 in /nova/api/openstack/compute/contrib/flavor_access.py:

authorize(context, action="addTenantAccess")

to:

#authorize(context, action="addTenantAccess")

but it is still showing the same error.

So is there a hard-coded validation for admin users in nova or novaclient?

Thank you!


1 answer


answered 2014-07-16 05:56:58 -0500

foexle

Hi,

Have you tried to use the correct rule instead of ""? My experience shows that sometimes the default rule will be ignored when setting "". So create a rule or use the default one and fill in the policy.

"compute_extension:flavor_access:addTenantAccess": "rule:default"

Cheers, Heiko


Comments

Hello Heiko!

I made the change to the rule in /nova/policy.json and in Horizon's nova_policy.json, and it is still showing the same error.

http://paste.openstack.org/show/86702/

Thank you!

gipmon ( 2014-07-16 06:19:42 -0500 )
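
An added example, not part of the original thread and not nova's own code: a small Python audit that compares an edited policy.json with a baseline and reports rules that stopped being admin-only, such as the change from "rule:admin_api" to "" in the question (the policy language treats an empty rule as always allowed). The two sample policies are constructed; only the addTenantAccess values come from the thread, and the function names are hypothetical.

```python
import json
import re

# Constructed sample policies (assumption, not the poster's full files);
# only the addTenantAccess values are taken from the thread.
BASELINE = json.loads("""{
  "context_is_admin": "role:admin",
  "admin_api": "is_admin:True",
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "default": "rule:admin_or_owner",
  "compute_extension:flavor_access:addTenantAccess": "rule:admin_api",
  "compute_extension:flavor_access:removeTenantAccess": "rule:admin_api",
  "compute_extension:flavormanage": "rule:admin_api"
}""")
MODIFIED = dict(BASELINE)
MODIFIED["compute_extension:flavor_access:addTenantAccess"] = ""
MODIFIED["compute_extension:flavormanage"] = "rule:default"

def expand(policy, expr, seen=()):
    """Inline every rule:<name> reference so the effective check is visible."""
    def sub(match):
        name = match.group(1)
        if name in seen or name not in policy:
            return match.group(0)  # cycle or unknown alias: leave as written
        return "(" + expand(policy, policy[name], seen + (name,)) + ")"
    return re.sub(r"rule:([\w:.-]+)", sub, expr)

def classify(policy, expr):
    """Coarse label for a rule's effective expression (heuristic, not a parser)."""
    effective = expand(policy, expr).strip()
    if effective in ("", "@"):
        return "allow-all"  # empty rule or "@": the policy check always passes
    if " or " not in effective and re.search(r"is_admin:True|role:admin", effective):
        return "admin-only"
    return "conditional"

def relaxed_rules(baseline, modified):
    """Rules that were admin-only in the baseline and no longer are."""
    findings = []
    for name, old in sorted(baseline.items()):
        if name not in modified:
            continue  # removed rules are out of scope for this check
        new = modified[name]
        if classify(baseline, old) == "admin-only":
            after = classify(modified, new)
            if after != "admin-only":
                findings.append((name, old, new, after))
    return findings

if __name__ == "__main__":
    for finding in relaxed_rules(BASELINE, MODIFIED):
        print(finding)
```

A finding here describes the policy layer only; the 403 in the thread shows the request was still rejected after the policy edit.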


Stats

Asked: 2014-07-16 05:14:07 -0500

Seen: 926 times

Last updated: Jul 16 '14