
nova list shows all VMs from all users in tenant

asked 2013-11-17 02:53:03 -0500, Izhar

updated 2014-01-22 15:13:05 -0500, Evgeny

nova --os-username test --os-tenant-name tenant1 --os-password testing list

shows all VMs in tenant1 created by any user.

The same happens for nova delete. Any user can list or delete any other user's VMs in the same tenant without admin privileges. I have double-checked the user's roles in keystone.

+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | test@test.com                    |
| enabled  | True                             |
| id       | 4b8c55cb5ab6434daa13c48abdc3146d |
| name     | test                             |
| tenantId | f12c250eb01040479440efb481d28947 |
+----------+----------------------------------+

keystone user-role-list --user test --tenant tenant1
+----------------------------------+----------+----------------------------------+----------------------------------+
| id                               | name     | user_id                          | tenant_id                        |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | Member   | 4b8c55cb5ab6434daa13c48abdc3146d | f12c250eb01040479440efb481d28947 |
+----------------------------------+----------+----------------------------------+----------------------------------+

Shouldn't it be that only admins are allowed to list and delete any VMs? The regular users should be allowed to list and delete only the VMs that they own. User A in tenant1 should not be allowed to list or delete VMs created by user B.


Comments

Why are not admin members able to list and delete instances from other members? Probably because the admin is not part of the tenant1 tenant. You can list all VMs from all tenants using "nova list --all-tenants".

igordcard (2013-11-17 10:17:24 -0500)

Sorry, I had to explain it better. See the edit.

Izhar (2013-11-17 12:20:18 -0500)

OK, I now know that I have to edit nova's policy.json file. How do I create a rule that only the admin/owner of the VM can list/edit his VMs?

Izhar (2013-11-17 15:02:03 -0500)
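The behaviour reported in the question follows from how a policy rule compares the caller's credentials with the target instance. The sketch below is an added example, not code from this thread or from nova: a simplified evaluator run against nova's stock admin_or_owner rule and a hypothetical user-scoped rule (assumed name admin_or_user). The second user's id, the admin's ids, and the assumption that the target carries the instance's user_id are constructed for illustration.

```python
# Simplified model of a policy.json check (added example, not nova's policy engine).
# Handles only "kind:match" checks joined by " or ".

def check(rule, target, creds):
    """Return True if any "kind:match" alternative in `rule` is satisfied."""
    for alt in rule.split(" or "):
        kind, match = alt.strip().split(":", 1)
        try:
            # Fill %(project_id)s / %(user_id)s from the target instance.
            match = match % target
        except KeyError:
            continue  # target lacks the attribute, so this alternative cannot match
        if str(creds.get(kind)) == match:
            return True
    return False

# Stock rule: "owner" means any member of the instance's project (tenant).
ADMIN_OR_OWNER = "is_admin:True or project_id:%(project_id)s"
# Hypothetical user-scoped rule (assumed name): owner means the creating user.
ADMIN_OR_USER = "is_admin:True or user_id:%(user_id)s"

TENANT1 = "f12c250eb01040479440efb481d28947"     # tenant id from the question
TEST_USER = "4b8c55cb5ab6434daa13c48abdc3146d"   # user "test" from the question
OTHER_USER = "0000000000000000000000000000000b"  # constructed: another Member of tenant1

test_creds = {"user_id": TEST_USER, "project_id": TENANT1, "is_admin": False}
admin_creds = {"user_id": "constructed-admin-id",
               "project_id": "constructed-admin-tenant", "is_admin": True}

other_vm = {"project_id": TENANT1, "user_id": OTHER_USER}  # VM created by user B
own_vm = {"project_id": TENANT1, "user_id": TEST_USER}     # VM created by "test"

def decisions(rule):
    """Evaluate one rule for the cases discussed in the question."""
    return {
        "test_on_other_vm": check(rule, other_vm, test_creds),
        "test_on_own_vm": check(rule, own_vm, test_creds),
        "admin_on_other_vm": check(rule, other_vm, admin_creds),
    }

if __name__ == "__main__":
    for name, rule in (("admin_or_owner", ADMIN_OR_OWNER),
                       ("admin_or_user", ADMIN_OR_USER)):
        print(name, decisions(rule))
```

This models the per-instance check only (as for delete); it says nothing about how list results are filtered.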

1 answer


answered 2013-11-18 06:13:26 -0500

Izhar


Stats

Asked: 2013-11-17 02:53:03 -0500

Seen: 8,110 times

Last updated: Nov 18 '13