Hi Everyone,

I am attempting to restrict users from seeing other users' instances within a project. I attempted the following modification of nova/policy.json:

"admin_or_owner": "role:admin or is_admin:True or user_id:%(user_id)s",
...
"compute:get_all": "rule:admin_or_owner",

I know the policy is being applied, because if I make it only "role:admin or is_admin:True", then it allows only admins to view the instance list.

Even though instances are associated with a user, is it possible the list of instances itself has ownership which is being checked (and that ownership is everyone in the project)?

Any suggestions or insight into this would be greatly appreciated!