[Openstack-operators] Nova 2.1 and user permissions in the policy file

Sean Dague sean at dague.net
Mon May 23 15:02:19 UTC 2016


On 05/23/2016 10:24 AM, Tim Bell wrote:
>
> Quick warning for those who are dependent on the "user_id:%(user_id)s"
> syntax for limiting actions by user. According to 
> https://bugs.launchpad.net/nova/+bug/1539351, this behavior was
> apparently not intended according to the bug report feedback. The
> behavior has changed from v2 to v2.1 and the old syntax no longer works.

Well, the behavior changes with the backend code base. By mitaka the
default backend code for both is the same. And the legacy code base is
about to be removed.

This feature (policy enforcement by user_id) was 100% untested, which is
why it never ended up in the new API stack. Being untested, setting
owner: 'user_id: %(user_id)s' might have some really unexpected results
because not everything has a user_id.

> There can be security implications also so I’d recommend those using
> this current v2 feature to review the bug to understand the potential
> impacts as clouds enable v2.1.

While I understand from the bug report what your use case is now, I'm
kind of wondering what the shared resources / actions of these 150
people are in this project. Are they all in the same project for other
reasons?

	-Sean

-- 
Sean Dague
http://dague.net
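To make the "not everything has a user_id" point concrete, here is an added illustration that is not code from Sean, Nova or oslo.policy. It is a deliberately small model of how a policy rule written as `key:%(attr)s` is evaluated: the right-hand side is interpolated from the target object being acted on and compared with the matching key in the request credentials. The policy fragment, the user names, the target dictionaries and the rule that a target lacking the interpolated key simply fails the check are all constructed assumptions for this example (the exact behaviour of a missing key has varied across oslo.policy releases). The instructive case is the last one: an "owner" rule keyed on user_id denies the owner herself on an action whose target carries only a project_id.

```python
"""Minimal model of oslo.policy-style "key:%(attr)s" generic checks.

Added example, not Nova's or oslo.policy's own code. It shows how a rule
such as "user_id:%(user_id)s" behaves against targets that do and do not
carry a user_id attribute. Parentheses and "not" are not modelled.
"""

# Constructed policy fragment in the style of nova's policy.json.
# The "owner" rule is the user-scoped one under discussion; every key
# here is an assumption made for this example.
POLICY = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "owner": "user_id:%(user_id)s",
    "compute:get": "rule:admin_or_owner",
    "compute:delete": "rule:owner",
    "compute:create": "rule:owner",
}


def _generic_check(kind, match, target, creds):
    """Evaluate one 'kind:%(attr)s' check.

    The match side is interpolated from the target; a target that lacks
    the attribute fails the check (assumption for this model). The kind
    side is looked up in the request credentials.
    """
    try:
        expected = match % target
    except KeyError:
        return False
    if kind not in creds:
        return False
    return str(creds[kind]) == expected


def _check(expr, target, creds, policy, depth=0):
    """Recursively evaluate a rule expression ("or" binds loosest)."""
    if depth > 32:
        raise RecursionError("policy rule nesting too deep")
    expr = expr.strip()
    if " or " in expr:
        return any(_check(p, target, creds, policy, depth + 1)
                   for p in expr.split(" or "))
    if " and " in expr:
        return all(_check(p, target, creds, policy, depth + 1)
                   for p in expr.split(" and "))
    if expr in ("", "@"):
        return True          # empty rule / "@": always allowed
    if expr == "!":
        return False         # "!": always denied
    kind, sep, match = expr.partition(":")
    if not sep:
        raise ValueError("malformed check: %r" % expr)
    if kind == "rule":
        # Reference to another named rule; unknown rules deny.
        if match not in policy:
            return False
        return _check(policy[match], target, creds, policy, depth + 1)
    if match.startswith("%("):
        return _generic_check(kind, match, target, creds)
    # Literal comparison against credentials, e.g. is_admin:True
    return str(creds.get(kind)) == match


def enforce(action, target, creds, policy=POLICY):
    """Return True if creds may perform action on target under policy."""
    if action not in policy:
        raise KeyError("no rule for %s" % action)
    return _check(policy[action], target, creds, policy)


def demo():
    """Constructed users and targets; returns each enforcement result."""
    alice = {"user_id": "alice", "project_id": "p1", "is_admin": False}
    bob = {"user_id": "bob", "project_id": "p1", "is_admin": False}
    # An existing instance carries both ids, so user scoping works.
    instance = {"user_id": "alice", "project_id": "p1"}
    # A create request has no instance yet: only the project is known.
    create_target = {"project_id": "p1"}
    return {
        "alice_get": enforce("compute:get", instance, alice),
        "bob_get": enforce("compute:get", instance, bob),
        "alice_delete": enforce("compute:delete", instance, alice),
        "bob_delete": enforce("compute:delete", instance, bob),
        # Owner is denied: the target has no user_id to interpolate.
        "alice_create": enforce("compute:create", create_target, alice),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, "allowed" if allowed else "denied")
```

Run as a script it prints one line per case. The two "get" checks succeed because both users share the project; "delete" is correctly limited to alice; "create" is denied to alice as well, which is the kind of surprise an untested user_id rule produces on actions whose target is not an instance.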