Bug 1658769 - [OSP 15][RFE] non-admin user should be able to run nova list --host <host> command
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 10.0 (Newton)
Hardware: Unspecified
OS: All
Target Milestone: Upstream M3
: 15.0 (Stein)
Assignee: melanie witt
QA Contact: nova-maint
Depends On:
Blocks: 1719984 1733386
Reported: 2018-12-12 20:19 UTC by Angela Soni
Modified: 2022-03-13 16:56 UTC

Fixed In Version: openstack-nova-19.0.0-0.20190322080331.c993d4f.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1719984 1733386
Last Closed: 2019-09-21 11:19:23 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
OpenStack gerrit 526558 0 None MERGED Allow ability for non admin users to use all filters on server list. 2020-08-05 14:56:56 UTC
Red Hat Issue Tracker OSP-13831 0 None None None 2022-03-13 16:56:00 UTC
Red Hat Product Errata RHEA-2019:2811 0 None None None 2019-09-21 11:19:49 UTC

Description Angela Soni 2018-12-12 20:19:03 UTC
Description of problem:
The --host filter is available for admin only:

https://docs.openstack.org/ocata/cli-reference/nova.html --> nova list --> --host <hostname>
Search servers by hostname to which they are assigned (Admin only).

This filter is only available for admin.

Version-Release number of selected component (if applicable):

How reproducible:

Every time

Steps to Reproduce:

Actual results:

Expected results:
Non-admin user should be able to filter specific host(s) and not just admin. Customer operations team requires the ability to know what servers are being impacted by things like a nova host-evacuate or nova host-evacuate-live.

Additional info:

Comment 2 Matthew Booth 2018-12-13 15:53:00 UTC
Everything related to compute hosts is admin only, as these are cloud internals. We wouldn't consider changing this.

Comment 6 melanie witt 2019-01-24 18:03:47 UTC
Adding a public comment here, for anyone who might happen upon this BZ in searches:

It should already be possible for non-admin users to run the 'nova list --host <hostname>' command, if policy.json is configured appropriately.

In this example, the user is a member of a role: MyRole and the nova policy.json contains at least these lines:

  "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api or role:MyRole"
  "os_compute_api:servers:allow_all_filters": "rule:admin_api or role:MyRole"

Then the command can be run, like this: 'nova list --host <hostname> --all-tenants'

The '--all-tenants' option is needed in order to list servers in a different project than the 'nova list' caller's project.
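
An added example, not part of the comment above and not nova's own code: a simplified evaluator for the two policy lines quoted in Comment 6, used to audit which non-admin roles a policy.json lets through these admin-only checks. The `admin_api` definition, the candidate role names and the helper names are assumptions; the evaluator handles only `or`/`and`, `rule:`, `role:` and `key:value` checks, not the full oslo.policy grammar.

```python
import json

# Constructed policy.json: the two lines from the comment, plus an assumed
# "admin_api" definition so that "rule:admin_api" can be resolved.
POLICY_JSON = """{
  "admin_api": "is_admin:True",
  "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api or role:MyRole",
  "os_compute_api:servers:allow_all_filters": "rule:admin_api or role:MyRole"
}"""
RULES = json.loads(POLICY_JSON)
# The two policies the comment relaxes for a non-admin role.
SENSITIVE = ("os_compute_api:servers:detail:get_all_tenants",
             "os_compute_api:servers:allow_all_filters")

def allowed(rule, creds, rules, depth=0):
    """Evaluate a simplified rule: 'or' of 'and' groups of single checks."""
    if depth > 20:  # a rule alias that refers back to itself
        raise ValueError("rule recursion too deep")
    if rule.strip() in ("", "@"):  # empty rule and "@" always allow
        return True
    return any(all(check(term.strip(), creds, rules, depth)
                   for term in group.split(" and "))
               for group in rule.split(" or "))

def check(term, creds, rules, depth):
    kind, _, value = term.partition(":")
    if kind == "rule":  # reference to another named rule
        return value in rules and allowed(rules[value], creds, rules, depth + 1)
    if kind == "role":  # role names compare case-insensitively
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    return kind in creds and str(creds[kind]) == value  # e.g. is_admin:True

def non_admin_grants(rules, candidate_roles):
    """Map each sensitive policy to the non-admin roles that satisfy it."""
    return {name: [role for role in candidate_roles
                   if allowed(rules[name], {"roles": [role], "is_admin": False}, rules)]
            for name in SENSITIVE if name in rules}

if __name__ == "__main__":
    # Candidate role names are constructed for this example.
    for name, roles in non_admin_grants(RULES, ["member", "reader", "MyRole"]).items():
        print(f"{name}: reachable without admin via roles {roles}")
```

Any role this reports for `get_all_tenants` can list servers in projects other than its own, so the output is the set of roles to review before deploying the override.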

Comment 10 Matthew Booth 2019-02-22 15:37:15 UTC
The fix has already merged upstream and will be included in OSP15 at some point via rebase. We believe we should be able to backport this to OSP13, but we would not backport to OSP10 at this stage in its lifecycle.

Comment 17 errata-xmlrpc 2019-09-21 11:19:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

