authorYunhong, Jiang <yunhong.jiang@intel.com>2012-11-15 14:19:57 +0800
committerYunhong, Jiang <yunhong.jiang@intel.com>2012-11-20 21:48:58 +0800
commit3ba1a653d755e2472b23e45f0a698f188fdb18cc (patch)
treec36b516d436f8a6d4d0fed1ade3a7dd71cd4604b /nova/api
parent98032e804aa442e1aad17723cab2ed163ee0c810 (diff)
Change all tenants servers listing as policy-based
Currently, when listing servers from all tenants (i.e. --all-tenants is set to 1 for "nova list"), privilege is required. However, the compute pollster in ceilometer needs to get all instances from all tenants on one host. Granting admin privilege to the pollster is not very secure. Listing servers for all tenants should be policy-based instead of requiring admin privilege. There is one potential backward-compatibility issue: without this patch, non-admin accounts that specify all_tenants get back only the servers they own, whereas with this patch they get a policy exception if the policy check fails. IMHO the new behaviour makes more sense. Change-Id: I8f1f064434ab12b6c0cd636f84dfc1b6a9b2fc90 Signed-off-by: Yunhong, Jiang <yunhong.jiang@intel.com>
Diffstat (limited to 'nova/api')
-rw-r--r--nova/api/openstack/compute/servers.py9
1 files changed, 2 insertions, 7 deletions
diff --git a/nova/api/openstack/compute/servers.py b/nova/api/openstack/compute/servers.py
index 1b758f23f..09b48cadd 100644
--- a/nova/api/openstack/compute/servers.py
+++ b/nova/api/openstack/compute/servers.py
@@ -520,12 +520,7 @@ class Controller(wsgi.Controller):
msg = _("Only administrators may list deleted instances")
raise exc.HTTPBadRequest(explanation=msg)
- # NOTE(dprince) This prevents computes' get_all() from returning
- # instances from multiple tenants when an admin accounts is used.
- # By default non-admin accounts are always limited to project/user
- # both here and in the compute API.
- if not context.is_admin or (context.is_admin and 'all_tenants'
- not in search_opts):
+ if 'all_tenants' not in search_opts:
if context.project_id:
search_opts['project_id'] = context.project_id
else:
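Review bot: The new guard `if 'all_tenants' not in search_opts:` tests only whether the key is present, so a request carrying `all_tenants=0` or an empty value skips project scoping exactly as `all_tenants=1` does. With the `context.is_admin` test removed, nothing visible in this hunk restricts a non-admin caller to its own project once the key is present. The policy check described in the commit message is presumably enforced in the compute API, which this diff (limited to nova/api) does not show; it is worth confirming that it fails closed when the rule is absent from the deployed policy file. The removed NOTE should be replaced rather than dropped, for example `# all_tenants skips project scoping here; authorization is left to the compute API policy check`. The enclosing method starts and ends outside the hunk.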
@@ -1344,7 +1339,7 @@ class Controller(wsgi.Controller):
def _get_server_search_options(self):
"""Return server search options allowed by non-admin."""
return ('reservation_id', 'name', 'status', 'image', 'flavor',
- 'changes-since')
+ 'changes-since', 'all_tenants')
def create_resource(ext_mgr):
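Review bot: The docstring of `_get_server_search_options` still reads "Return server search options allowed by non-admin.", but `'all_tenants'` is not an ordinary filter: passing it through is what lets a non-admin request reach the unscoped listing path. I would say so in the docstring, for example `"""Return server search options allowed by non-admin ('all_tenants' is additionally subject to a policy check)."""`. Any subclass or API extension that overrides this method would not pick up the new option, so the behaviour may differ between endpoints; none is visible here, and that should be confirmed.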