Does nova (without keystone) provide any isolation across users' instances? In
our deployment (which is based on code merged from trunk from about two weeks
ago), we've found that one user can see another user's instances, terminate
another user's instances, etc. Keypairs do seem to be isolated, though.

On the other hand, I tried out devstack, which uses keystone, and the demo user
wasn't able to see instances launched by the admin user. Is this isolation a
feature of keystone, or is this some issue in our setup (e.g., set up users
incorrectly, wrong flag somewhere)?


Here's what we saw when testing this out:

Root:
# nova-manage user create test_user1 
# nova-manage project create test_user1 admin
# nova-manage project add test_user1 test_user1
# nova-manage project environment test_user1 test_user1 novarc-user1
# nova-manage user create test_user2 
# nova-manage project create test_user2 admin
# nova-manage project add test_user2 test_user2
# nova-manage project environment test_user2 test_user2 novarc-user2

test_user1:
test_user1@cluster ~ $ source novarc-user1
test_user1@cluster ~ $ euca-describe-keypairs 
KEYPAIR user1   d0:56:69:08:9b:60:e3:82:b2:7d:ee:e6:57:84:dd:65
test_user1@cluster ~ $ euca-run-instances -t m1.tiny -k user1 ami-0000000b 
RESERVATION     r-4a722y62      test_user1      default
INSTANCE        i-00000009      ami-0000000b                    pending user1 (test_user1, gpu1)        1               m1.tiny 2011-10-18T15:09:54Z    nova    ami-00000000    ami-00000000
test_user1@cluster ~ $ euca-describe-instances
RESERVATION     r-4a722y62      test_user1      default
INSTANCE        i-00000009      ami-0000000b    10.99.1.3       10.99.1.3       pending user1 (test_user1, gpu1)        1               m1.tiny 2011-10-18T15:09:54Z    nova    ami-00000000    ami-00000000

test_user2:
test_user2@cluster ~ $ source novarc-user2
test_user2@cluster ~ $ euca-describe-keypairs 
test_user2@cluster ~ $ euca-describe-instances
RESERVATION     r-4a722y62      test_user1      default
INSTANCE        i-00000009      ami-0000000b    10.99.1.3       10.99.1.3       running user1 (test_user1, gpu1)        1               m1.tiny 2011-10-18T15:09:54Z    nova    ami-00000000    ami-00000000


Lorin
--
Lorin Hochstein, Computer Scientist
USC Information Sciences Institute
703.812.3710
http://www.east.isi.edu/~lorin
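
A regression check for the behaviour reported above, added here as an example and not part of the original message: it parses `euca-describe-instances` output and flags every instance whose reservation is owned by a project other than the caller's. The function names and the sample data are constructed; it assumes the owner is the third field of each RESERVATION line, as in the output above.

```shell
#!/bin/sh
# Added example, not from the original message.

# foreign_reservations PROJECT
# Reads `euca-describe-instances` output on stdin and prints
# "reservation owner instance" for each instance whose reservation
# belongs to a project other than PROJECT.
foreign_reservations() {
    awk -v me="$1" '
        $1 == "RESERVATION" { res = $2; owner = $3; next }
        $1 == "INSTANCE" && owner != me { print res, owner, $2 }
    '
}

# check_isolation PROJECT
# Returns 1 and reports the leaked instances if any are visible.
check_isolation() {
    leaked=$(foreign_reservations "$1")
    if [ -n "$leaked" ]; then
        echo "isolation failure: $1 can see instances of other projects:"
        echo "$leaked"
        return 1
    fi
    echo "ok: $1 sees only its own instances"
}

# Constructed sample, modelled on what test_user2 saw in the report.
sample_output() {
    printf 'RESERVATION\tr-4a722y62\ttest_user1\tdefault\n'
    printf 'INSTANCE\ti-00000009\tami-0000000b\t10.99.1.3\t10.99.1.3\trunning\n'
}

# Offline demonstration on the constructed sample. Against a live
# deployment, source the user's novarc and run instead:
#   euca-describe-instances | check_isolation test_user2
sample_output | check_isolation test_user2 || true
sample_output | check_isolation test_user1 || true
```
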



