[Openstack-operators] Modification in nova policy file

Salman Toor salman.toor at it.uu.se
Wed May 6 15:14:11 UTC 2015


So it means I can allow or stop the user(s) from doing a certain action, but not more than that, which makes sense.

Thanks for your response.

Regards.
Salman.

On 06 May 2015, at 17:12, Joseph Bajin <josephbajin at gmail.com<mailto:josephbajin at gmail.com>> wrote:

The policy file is not a filtering agent. It basically just provides ACL-type abilities.

"Can you do this action?  True/False"
"Do you have the right permissions to call this action? True/False"

If you wanted to pull back just the instances that the user owns, then you would actually have to write some code that would call that particular filtering action.



On Tue, May 5, 2015 at 11:01 AM, Salman Toor <salman.toor at it.uu.se<mailto:salman.toor at it.uu.se>> wrote:
Hi,


I am trying to set up the policies for nova. Can you please have a look to see if that's correct?


nova/policy.json
————————————————————————————————
"context_is_admin":  "role:admin",
"admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
"owner":  "user_id:%(user_id)s",
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
"default": "rule:admin_or_owner",

"compute:get_all": "rule:admin_or_user",
————————————————————————————————

I want users to only see their own instances, not the instances of all the users in the same tenant.

I have restarted the nova-api service on the controller, but with no effect. I have noticed that if I put "rule:context_is_admin" in "compute:get_all", then nobody except "admin" can see anything, so the system is reading the file correctly.

Important:

1 - I haven't changed the /etc/openstack-dashboard/nova_policy.json

2 - I have only used the command line client tool to confirm the behaviour.

I am running Juno release.

Please point me to some document that discusses all the policy parameters.

Thanks in advance.

/Salman

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org<mailto:OpenStack-operators at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
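As an added illustration of Joseph's point (example code written for this page, not nova's or oslo.policy's own implementation): a small Python model of the rule syntax used in the posted policy.json, run against a constructed instance table and two constructed sets of credentials. The `enforce`, `list_instances` and `list_own_instances` helpers are assumptions made here. It also assumes, as nova does for compute:get_all, that the target the rule is checked against is built from the caller's own project_id and user_id, which is why `user_id:%(user_id)s` is satisfied by every caller and the rule cannot narrow the result set.

```python
import json

# Constructed copy of the policy.json posted in the thread (ASCII quotes only).
POLICY_JSON = """{
  "context_is_admin": "role:admin",
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "owner": "user_id:%(user_id)s",
  "admin_or_user": "is_admin:True or user_id:%(user_id)s",
  "default": "rule:admin_or_owner",
  "compute:get_all": "rule:admin_or_user"
}"""
RULES = json.loads(POLICY_JSON)


def _check_atom(atom, creds, target, rules):
    """Evaluate one 'kind:match' term: rule:, role:, or a generic creds check."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(match, creds, target, rules)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: expand %(key)s from the target, then compare as strings.
    # This mirrors how terms like project_id:%(project_id)s and is_admin:True
    # are evaluated; it is a simplified model, not oslo.policy itself.
    expected = match % target
    return kind in creds and str(creds[kind]) == expected


def enforce(rule_name, creds, target, rules=RULES):
    """Return True/False: the only answer a policy rule can give."""
    expr = rules.get(rule_name, rules["default"])
    # The posted file only uses 'or'; 'and', 'not' and parentheses are not modelled.
    return any(_check_atom(t.strip(), creds, target, rules) for t in expr.split(" or "))


# Constructed instance table: alice and bob share tenant "tenantA".
INSTANCES = [
    {"id": "vm-1", "project_id": "tenantA", "user_id": "alice"},
    {"id": "vm-2", "project_id": "tenantA", "user_id": "bob"},
    {"id": "vm-3", "project_id": "tenantB", "user_id": "carol"},
]


def list_instances(creds, rules=RULES):
    """Model of the list path: policy gate first, then a per-project filter.

    Assumption: the target for compute:get_all is the caller's own
    project_id/user_id, so the rule decides whether the call may run,
    not which rows come back. The result is still the whole tenant.
    """
    target = {"project_id": creds["project_id"], "user_id": creds["user_id"]}
    if not enforce("compute:get_all", creds, target, rules):
        raise PermissionError("policy denied compute:get_all")
    if creds.get("is_admin"):
        return list(INSTANCES)
    return [i for i in INSTANCES if i["project_id"] == creds["project_id"]]


def list_own_instances(creds, rules=RULES):
    """The extra filtering step Joseph describes: it lives in code, not in policy."""
    return [i for i in list_instances(creds, rules) if i["user_id"] == creds["user_id"]]


ALICE = {"user_id": "alice", "project_id": "tenantA", "roles": ["member"], "is_admin": False}
ADMIN = {"user_id": "root", "project_id": "adminproj", "roles": ["admin"], "is_admin": True}

if __name__ == "__main__":
    print([i["id"] for i in list_instances(ALICE)])      # whole tenant: vm-1, vm-2
    print([i["id"] for i in list_own_instances(ALICE)])  # only after filtering: vm-1
    # Switching compute:get_all to rule:context_is_admin reproduces the
    # "nobody except admin sees anything" behaviour reported in the thread.
    strict = dict(RULES, **{"compute:get_all": "rule:context_is_admin"})
    try:
        list_instances(ALICE, strict)
    except PermissionError as err:
        print(err)
    print([i["id"] for i in list_instances(ADMIN, strict)])
```

The two outcomes for alice show the distinction: the rule change leaves the tenant-wide list untouched, while the per-user result only appears once `list_own_instances` filters the rows in code.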


