Comment 1 for bug 1014812

Thierry Carrez (ttx) wrote :

I see your point (on an api+compute node you should not allow nova-api to run chown as root), however this is not rootwrap's fault.

Rootwrap controls how you can escalate from the nova user to the root user. If on that host you allow the nova user to run chown as root (for nova-compute), then nova-api will be able to do it just the same. If you run the two services on the same machine under the same user, they will share their escalation rights. It's not a question of which rules to load (you can't trust the invoker to specify that!).

The only way to give different escalation rights to two services on the same machine is to run them under different users. So nova-api would run under the nova-api user, and nova-compute would run under the nova-compute user, and your sudoers would only let sudo nova-rootwrap be called by nova-compute, pointing to the directory that contains only compute.ini filters. So the rootwrap framework fully supports it, it's just that packaging doesn't set it up that way.

I'm not sure the complexity that would introduce is actually worth the trade-off, but that's a distribution choice. You should also check that Nova actually supports running under separate users right now. In all cases, nova-rootwrap fully supports it: the packaging just needs to make it so.

Closing as Invalid, but feel free to reopen if you think I'm wrong or if my explanation is not clear.
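The split-user layout described in the comment above, written out as the files a packager would ship. This is an added example, not configuration from the bug, from Nova, or from any distribution's packages; the user names (nova-api, nova-compute), the config path /etc/nova/rootwrap-compute.conf, the filter directory /etc/nova/rootwrap-compute.d and the filter file name compute.filters are assumptions chosen for illustration (the comment calls the filter file compute.ini). The sudoers line shape and the [DEFAULT]/filters_path and [Filters]/CommandFilter syntax are nova-rootwrap's own.

```text
# --- Shared-user layout (what packaging sets up today; the problem case) ---
# /etc/sudoers.d/nova
# One escalation rule for the single "nova" user. nova-api and nova-compute
# both run as "nova", so both can reach every filter the config loads,
# including the chown filter that only nova-compute needs.
nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *

# --- Split-user layout (what the comment describes; added example) ---
# /etc/sudoers.d/nova-compute
# Only the nova-compute user may invoke nova-rootwrap, and only with the
# compute-specific config. The config path is fixed here, in a root-owned
# file, so the invoking process cannot choose which filter set is loaded.
# There is deliberately NO entry for the nova-api user: it has no
# escalation rights at all on this host.
nova-compute ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap-compute.conf *

# /etc/nova/rootwrap-compute.conf  (owned by root, mode 0644)
[DEFAULT]
# Only the compute filter directory is listed; nothing for nova-api or
# nova-network lives here. Every directory on this list MUST be owned by
# root and not writable by any service user, or the service could add its
# own filters and the split is meaningless.
filters_path=/etc/nova/rootwrap-compute.d

# /etc/nova/rootwrap-compute.d/compute.filters  (owned by root, mode 0644)
[Filters]
# chown is the command from the bug report. It is granted here, to the
# nova-compute user only, because that user is the only one sudoers lets
# through to this config. Filter syntax: name: CommandFilter, exec_path, run_as
chown: CommandFilter, /bin/chown, root
```

Two things to verify after putting this in place: that the two services really do run as distinct UIDs (the comment notes Nova itself may not yet support that; check the process owner, not just the sudoers file), and that `sudo -l -U nova-api` reports no nova-rootwrap entry while `sudo -l -U nova-compute` reports exactly the one line above with the compute config path. Because sudoers pins the config path, a compromised nova-api cannot pass a different rootwrap.conf to reach the chown filter; that property only holds while the sudoers fragment, the .conf and the filters directory are all root-owned and unwritable by the service accounts.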