[Openstack-operators] Modification in nova policy file

Salman Toor salman.toor at it.uu.se
Tue May 5 15:01:29 UTC 2015


Hi,


I am trying to set up the policies for nova. Can you please have a look if that's correct?


nova/policy.json
————————————————————————————————
"context_is_admin":  "role:admin",
"admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
"owner":  "user_id:%(user_id)s",
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
"default": "rule:admin_or_owner",

"compute:get_all": "rule:admin_or_user",
————————————————————————————————

I want users to only see their own instances, not the instances of all the users in the same tenant.

I have restarted the nova-api service on the controller, but no effect. I have noticed that if I put "rule:context_is_admin" in "compute:get_all" then except "admin" no one can see anything, so the system is reading the file correctly.

Important:

1 - I haven’t changed the /etc/openstack-dashboard/nova_policy.json

2 - I have only used the command line client tool to confirm the behaviour.

I am running Juno release.

Please point to some document that discusses all the policy parameters.

Thanks in advance.

/Salman
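
An added example, not part of the original message and not nova or oslo code: a small evaluator for the rule strings quoted above, showing what "user_id:%(user_id)s" compares when a policy check runs. The `check`, `enforce` and `list_target` helpers and the sample users are hypothetical; `list_target` assumes a list call is checked against a target built from the caller's own context, in which case the rule passes for every caller and only allows or denies the call rather than filtering its results.

```python
# Added example, not nova or oslo code: a minimal evaluator for the rule
# strings quoted above ("or", rule:, role:, and generic key:value checks).
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "owner": "user_id:%(user_id)s",
    "admin_or_user": "is_admin:True or user_id:%(user_id)s",
    "default": "rule:admin_or_owner",
    "compute:get_all": "rule:admin_or_user",
}

def check(expr, target, creds, policy=POLICY):
    """Return True if any 'or'-separated check in expr passes."""
    for term in expr.split(" or "):
        kind, _, match = term.strip().partition(":")
        if kind == "rule":
            ok = check(policy[match], target, creds, policy)
        elif kind == "role":
            ok = match.lower() in (r.lower() for r in creds["roles"])
        else:
            # Generic check: the right side is filled in from the *target*,
            # then compared with the caller's credential named on the left.
            try:
                ok = (match % target) == str(creds.get(kind))
            except KeyError:
                ok = False
        if ok:
            return True
    return False

def enforce(action, target, creds, policy=POLICY):
    rule = policy.get(action, policy["default"])
    return check(rule, target, creds, policy)

# Constructed sample data: two non-admin users in the same tenant.
alice = {"user_id": "u-alice", "project_id": "p-1", "roles": ["member"], "is_admin": False}
bob = {"user_id": "u-bob", "project_id": "p-1", "roles": ["member"], "is_admin": False}
bobs_instance = {"user_id": "u-bob", "project_id": "p-1"}

def list_target(creds):
    # Assumption: a list call has no single instance to check, so the
    # target is built from the caller's own context.
    return {"user_id": creds["user_id"], "project_id": creds["project_id"]}

if __name__ == "__main__":
    print("alice may call get_all:", enforce("compute:get_all", list_target(alice), alice))
    print("alice owns bob's instance:", check(POLICY["owner"], bobs_instance, alice))
```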