Comment 3 for bug 1014812

Mark McLoughlin (markmc) wrote :

Cool, that all makes sense - it's basically one of the limitations of rootwrap.

To be more concrete about how distros would set things up with multiple users, you'd have this in sudoers:

  nova-api ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /only/api/filters.d *
  nova-compute ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /only/compute/filters.d *
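
A check for the per-user layout described in the comment above, as an added example (not code from the comment or from nova). It assumes the filters directory is the first argument to the wrapper, as in the two lines shown, and treats a shared or wildcarded filters path as a finding; the function name `audit` and the sample's last two entries are constructed for illustration.

```python
import re

# Constructed sample: the first two lines are the entries from the comment,
# the last two are deliberately weak variants made up for this example.
SAMPLE = """\
nova-api ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /only/api/filters.d *
nova-compute ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /only/compute/filters.d *
nova-volume ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap *
nova-network ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /only/api/filters.d *
"""

# Matches simple one-line user specs: user host = (runas) [NOPASSWD:] cmd args
RULE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*\([^)]*\)\s*(?:NOPASSWD:\s*)?"
    r"(?P<cmd>\S+)\s*(?P<args>.*)$"
)

def audit(sudoers_text, wrapper="/usr/bin/nova-rootwrap"):
    """Return (user, problem) pairs for rootwrap entries that are not
    pinned to a filters directory of their own."""
    findings = []
    owners = {}  # filters path -> first user granted it
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m or m.group("cmd") != wrapper:
            continue
        user = m.group("user")
        args = m.group("args").split()
        filters = args[0] if args else ""
        # No argument, a relative path or a glob lets the caller pick the
        # filters location, which defeats the per-user split.
        if not filters.startswith("/") or any(c in filters for c in "*?["):
            findings.append((user, "filters path not pinned"))
            continue
        if filters in owners:
            findings.append((user, "shares filters path with " + owners[filters]))
        else:
            owners[filters] = user
    return findings

if __name__ == "__main__":
    for user, problem in audit(SAMPLE):
        print(user + ": " + problem)
```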