[Openstack-operators] Nova 2.1 and user permissions in the policy file

Tim Bell Tim.Bell at cern.ch
Mon May 23 15:56:25 UTC 2016

On 23/05/16 17:02, "Sean Dague" <sean at dague.net> wrote:

>On 05/23/2016 10:24 AM, Tim Bell wrote:
>> Quick warning for those who are dependent on the "user_id:%(user_id)s"
>> syntax for limiting actions by user. According to 
>> https://bugs.launchpad.net/nova/+bug/1539351, this behavior was
>> apparently not intended according to the bug report feedback. The
>> behavior has changed from v2 to v2.1 and the old syntax no longer works.
>Well, the behavior changes with the backend code base. By mitaka the
>default backend code for both is the same. And the legacy code base is
>about to be removed.
>This feature (policy enforcement by user_id) was 100% untested, which is
>why it never ended up in the new API stack. Being untested setting
>owner: 'user_id: %(user_id)s' might have some really unexpected results
>because not everything has a user_id.

There are several hints given in the documentation regarding this sort of feature. 

Examples are such as http://docs.openstack.org/developer/oslo.policy/api.html and http://docs.openstack.org/mitaka/config-reference/policy-json-file.html#examples

>> There can be security implications also so I’d recommend those using
>> this current v2 feature to review the bug to understand the potential
>> impacts as clouds enable v2.1.
>While I understand from the bug report what your use case is now, I'm
>kind of wondering what the shared resources / actions of these 150
>people are in this project. Are they all in the same project for other

The resource pool (i.e. quota) is shared between all of the developers.
A smaller team is responsible for maintaining the image set for the project
and also providing 2nd line support (such as reboot/problem diagnosis…).

I do not know the EMBL-EBI use case or the EGI Federated Cloud scenarios
which are also mentioned in the review.


>	-Sean
>Sean Dague
>OpenStack-operators mailing list
>OpenStack-operators at lists.openstack.org

More information about the OpenStack-operators mailing list