Last modified: 2014-07-11 22:20:01 UTC
I already had permissions to see the instance existed, so this doesn't do anything to increase security. However, it also doesn't give the real reason I couldn't configure the instance, which is confusing.
Testing with bastion (since I'm not a projectadmin, and it has instances), I can't see the list at https://wikitech.wikimedia.org/wiki/Special:NovaInstance (it appears blank). However, I can at https://wikitech.wikimedia.org/wiki/Nova_Resource:Bastion under "Instances for this project". The list is SemanticMediaWiki-generated, I think, since it's not in the wikitext.
I've investigated this some -- it turns out that with the default nova policy, if you aren't a project admin you're not allowed to query an instance at all. So, when it tries to look up what project the instance is in, it can't find the instance, hence, no such resource. I'm going to see if its possible to adjust the nova policy so that we can see but not change instances. It's not entirely obvious how to do this though.