<p>Clear as crystal. Thanks a lot, Lorin! I didn't see this reflected in the docs.</p>
<p>Best<br>
Lean</p>
<div class="gmail_quote">On May 12, 2012 8:45 AM, "Lorin Hochstein" <<a href="mailto:lorin@nimbisservices.com">lorin@nimbisservices.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div>Leandro:</div><br><div><div>On May 10, 2012, at 10:58 AM, Leandro Reox wrote:</div><br><blockquote type="cite">Hi all, <br><br>I was wondering if there is any way to create private and global endpoints in Keystone Essex final. What for? <br>
<br>I have users defined for specific applications; for example, I want the "images" user to have access just to the SWIFT endpoint, but not to nova, etc.<div>
<br></div><div>In previous versions of Keystone, you could define an "is_global" attribute for an endpoint, or create a direct relationship between a tenant and an endpoint if your endpoint was previously defined as non-global. <br>
<br>Is there any way to do this on the new Essex Final Keystone? If not, how do I prevent the swift users from creating instances on nova?</div><div><br></div></blockquote><div><br></div></div><div>The /etc/$APP/policy.json controls what users are allowed to do for $APP. For example, /etc/nova/policy.json controls this for nova, /etc/glance/policy.json controls glance. (I think swift uses a different scheme).</div>
<div><br></div><div>If you want to restrict users from doing things in nova, you need to create a role in keystone and then modify /etc/nova/policy.json so that this role is required for nova operations. </div><div><br></div>
<div>For example, you could create a role called "novauser", and then modify /etc/nova/policy.json to require that role for every operation. I think it would look like this (haven't tried this myself):</div><div><br>
</div><div><div>{</div><div> "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],</div><div> "default": [["rule:admin_or_owner"]],</div><div><br></div>
<div><br></div><div> "compute:create": [["role:novauser"]],</div><div> "compute:create:attach_network": [["role:novauser"]],</div><div> "compute:create:attach_volume": [["role:novauser"]],</div>
<div> "compute:get_all": [["role:novauser"]],</div><div><br></div><div><br></div><div> "admin_api": [["role:admin"]],</div><div> "compute_extension:accounts": [["rule:admin_api"]],</div>
<div> "compute_extension:admin_actions": [["rule:admin_api"]],</div><div> "compute_extension:admin_actions:pause": [["rule:admin_or_owner"]],</div><div> "compute_extension:admin_actions:unpause": [["rule:admin_or_owner"]],</div>
<div> "compute_extension:admin_actions:suspend": [["rule:admin_or_owner"]],</div><div> "compute_extension:admin_actions:resume": [["rule:admin_or_owner"]],</div><div> "compute_extension:admin_actions:lock": [["rule:admin_api"]],</div>
<div> "compute_extension:admin_actions:unlock": [["rule:admin_api"]],</div><div> "compute_extension:admin_actions:resetNetwork": [["rule:admin_api"]],</div><div> "compute_extension:admin_actions:injectNetworkInfo": [["rule:admin_api"]],</div>
<div> "compute_extension:admin_actions:createBackup": [["rule:admin_or_owner"]],</div><div> "compute_extension:admin_actions:migrateLive": [["rule:admin_api"]],</div><div> "compute_extension:admin_actions:migrate": [["rule:admin_api"]],</div>
<div> "compute_extension:aggregates": [["rule:admin_api"]],</div><div> "compute_extension:certificates": [["role:novauser"]],</div><div> "compute_extension:cloudpipe": [["rule:admin_api"]],</div>
<div> "compute_extension:console_output": [["role:novauser"]],</div><div> "compute_extension:consoles": [["role:novauser"]],</div><div> "compute_extension:createserverext": [["role:novauser"]],</div>
<div> "compute_extension:deferred_delete": [["role:novauser"]],</div><div> "compute_extension:disk_config": [["role:novauser"]],</div><div> "compute_extension:extended_server_attributes": [["rule:admin_api"]],</div>
<div> "compute_extension:extended_status": [["role:novauser"]],</div><div> "compute_extension:flavorextradata": [["role:novauser"]],</div><div> "compute_extension:flavorextraspecs": [["role:novauser"]],</div>
<div> "compute_extension:flavormanage": [["rule:admin_api"]],</div><div> "compute_extension:floating_ip_dns": [["role:novauser"]],</div><div> "compute_extension:floating_ip_pools": [["role:novauser"]],</div>
<div> "compute_extension:floating_ips": [["role:novauser"]],</div><div> "compute_extension:hosts": [["rule:admin_api"]],</div><div> "compute_extension:keypairs": [["role:novauser"]],</div>
<div> "compute_extension:multinic": [["role:novauser"]],</div><div> "compute_extension:networks": [["rule:admin_api"]],</div><div> "compute_extension:quotas": [["role:novauser"]],</div>
<div> "compute_extension:rescue": [["role:novauser"]],</div><div> "compute_extension:security_groups": [["role:novauser"]],</div><div> "compute_extension:server_action_list": [["rule:admin_api"]],</div>
<div> "compute_extension:server_diagnostics": [["rule:admin_api"]],</div><div> "compute_extension:simple_tenant_usage:show": [["rule:admin_or_owner"]],</div><div> "compute_extension:simple_tenant_usage:list": [["rule:admin_api"]],</div>
<div> "compute_extension:users": [["rule:admin_api"]],</div><div> "compute_extension:virtual_interfaces": [["role:novauser"]],</div><div> "compute_extension:virtual_storage_arrays": [["role:novauser"]],</div>
<div> "compute_extension:volumes": [["role:novauser"]],</div><div> "compute_extension:volumetypes": [["role:novauser"]],</div><div><br></div><div><br></div>
<div> "volume:create": [["role:novauser"]],</div><div> "volume:get_all": [["role:novauser"]],</div><div> "volume:get_volume_metadata": [["role:novauser"]],</div>
<div> "volume:get_snapshot": [["role:novauser"]],</div><div> "volume:get_all_snapshots": [["role:novauser"]],</div><div><br></div><div><br></div><div> "network:get_all_networks": [["role:novauser"]],</div>
<div> "network:get_network": [["role:novauser"]],</div><div> "network:delete_network": [["role:novauser"]],</div><div> "network:disassociate_network": [["role:novauser"]],</div>
<div> "network:get_vifs_by_instance": [["role:novauser"]],</div><div> "network:allocate_for_instance": [["role:novauser"]],</div><div> "network:deallocate_for_instance": [["role:novauser"]],</div>
<div> "network:validate_networks": [["role:novauser"]],</div><div> "network:get_instance_uuids_by_ip_filter": [["role:novauser"]],</div><div><br></div><div>
"network:get_floating_ip": [["role:novauser"]],</div><div> "network:get_floating_ip_pools": [["role:novauser"]],</div><div> "network:get_floating_ip_by_address": [["role:novauser"]],</div>
<div> "network:get_floating_ips_by_project": [["role:novauser"]],</div><div> "network:get_floating_ips_by_fixed_address": [["role:novauser"]],</div><div> "network:allocate_floating_ip": [["role:novauser"]],</div>
<div> "network:deallocate_floating_ip": [["role:novauser"]],</div><div> "network:associate_floating_ip": [["role:novauser"]],</div><div> "network:disassociate_floating_ip": [["role:novauser"]],</div>
<div><br></div><div> "network:get_fixed_ip": [["role:novauser"]],</div><div> "network:add_fixed_ip_to_instance": [["role:novauser"]],</div><div> "network:remove_fixed_ip_from_instance": [["role:novauser"]],</div>
<div> "network:add_network_to_project": [["role:novauser"]],</div><div> "network:get_instance_nw_info": [["role:novauser"]],</div><div><br></div><div> "network:get_dns_domains": [["role:novauser"]],</div>
<div> "network:add_dns_entry": [["role:novauser"]],</div><div> "network:modify_dns_entry": [["role:novauser"]],</div><div> "network:delete_dns_entry": [["role:novauser"]],</div>
<div> "network:get_dns_entries_by_address": [["role:novauser"]],</div><div> "network:get_dns_entries_by_name": [["role:novauser"]],</div><div> "network:create_private_dns_domain": [["role:novauser"]],</div>
<div> "network:create_public_dns_domain": [["role:novauser"]],</div><div> "network:delete_dns_domain": [["role:novauser"]]</div><div>}</div></div><div><br>
</div><div><br></div><div><div><div style="word-wrap:break-word"><span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px"><div style="word-wrap:break-word">
<div>Take care,</div><div><br></div><div>Lorin</div><div>--</div><div>Lorin Hochstein</div><div>Lead Architect - Cloud Services</div><div>Nimbis Services, Inc.</div><div><a href="https://www.nimbisservices.com/" target="_blank">www.nimbisservices.com</a></div>
<div><br></div></div></span><br></div><br><br></div></div></div></blockquote></div>
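<p>The policy.json approach described in the thread can be checked offline before it is deployed. The script below is an added example, not code from the thread or from nova itself: it is a deliberately simplified evaluator of the Essex-era policy.json format (a rule is a list of alternatives, each alternative a list of "kind:value" checks that must all hold; "rule:name" refers to another rule, "role:name" requires a role, and "project_id:%(project_id)s" compares the target's project with the caller's). The policy fragment, the "images" user, the project ids and the action names in the sample are constructed. It goes slightly beyond the thread by also listing the actions that a project member without the "novauser" role can still perform, which is the caveat with the posted file: any action that is not given an explicit "role:novauser" rule falls through to "default", and "default" is "admin_or_owner", so owners keep access to those actions.</p>

```python
import json

# Constructed policy fragment in the Essex policy.json format from the thread
# (not a file from the thread). A rule's value is a list of alternatives (OR);
# each alternative is a list of checks that must all pass (AND). An action with
# no entry of its own falls through to "default".
POLICY_JSON = """
{
  "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
  "default": [["rule:admin_or_owner"]],
  "admin_api": [["role:admin"]],
  "compute:create": [["role:novauser"]],
  "compute:get_all": [["role:novauser"]],
  "compute_extension:admin_actions": [["rule:admin_api"]],
  "compute_extension:admin_actions:pause": [["rule:admin_or_owner"]]
}
"""
RULES = json.loads(POLICY_JSON)


def _check(check, target, creds, rules, depth):
    """Evaluate one "kind:value" check (simplified, hypothetical evaluator)."""
    kind, _, value = check.partition(":")
    if kind == "rule":                       # reference to another named rule
        return enforce(value, target, creds, rules, depth)
    if kind == "role":                       # caller must hold this role
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):
        # Generic attribute check such as project_id:%(project_id)s: the
        # target's attribute must equal the caller's credential of that name.
        return str(target.get(kind)) == str(creds.get(value[2:-2]))
    return False                             # unknown check kind: deny


def enforce(action, target, creds, rules=RULES, depth=0):
    """Return True when creds satisfy the rule for action (or for "default")."""
    if depth > 16:
        raise RecursionError("rule reference cycle in policy")
    alternatives = rules.get(action, rules.get("default"))
    if alternatives is None:
        return False
    if alternatives == []:                   # empty rule means "allow everyone"
        return True
    return any(all(_check(c, target, creds, rules, depth + 1) for c in alt)
               for alt in alternatives)


def unguarded_actions(rules, actions, creds, target):
    """Actions that the given caller can still perform on the given target.

    Run with the credentials of a project member who lacks the "novauser"
    role to find the actions the role does not actually gate.
    """
    return [a for a in actions if enforce(a, target, creds, rules)]


if __name__ == "__main__":
    # Constructed callers: the "images" user holds only "member" in project p1.
    images_user = {"roles": ["member"], "project_id": "p1"}
    nova_user = {"roles": ["member", "novauser"], "project_id": "p1"}
    own_instance = {"project_id": "p1"}
    print("images user compute:create ->",
          enforce("compute:create", own_instance, images_user))
    print("novauser    compute:create ->",
          enforce("compute:create", own_instance, nova_user))
    gaps = unguarded_actions(
        RULES,
        ["compute:create", "compute:get_all", "compute:delete",
         "compute_extension:admin_actions:pause"],
        images_user, own_instance)
    print("still allowed without novauser:", gaps)
```

<p>Running it shows that "compute:create" is denied to the images user and allowed to the novauser, but "compute:delete" (no rule in the sample, so it falls to "default") and the owner-scoped "pause" action are still allowed to the images user on instances in its own project. To close that gap, either give every action an explicit rule or change "default" itself to require the role, then re-run the audit against the edited file.</p>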