<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
So it means I can allow or stop the user(s) doing certain actions, but not more than that, which makes sense.<br class="">
<div class=""><br class="">
</div>
<div class="">Thanks for your response. </div>
<div class=""><br class="">
</div>
<div class="">Regards.</div>
<div class="">Salman. 
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 06 May 2015, at 17:12, Joseph Bajin &lt;<a href="mailto:josephbajin@gmail.com" class="">josephbajin@gmail.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">The Policy file is not a filtering agent.   It basically just provides ACL type of abilities.  
<div class=""><br class="">
</div>
<div class="">"Can you do this action?  True/False"</div>
<div class="">"Do you have the right permissions to call this action? True/False"</div>
<div class=""><br class="">
</div>
<div class="">If you wanted to pull back just the instances that the user owns, then you would actually have to write some code that would call that particular filtering action.  </div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Tue, May 5, 2015 at 11:01 AM, Salman Toor <span dir="ltr" class="">
&lt;<a href="mailto:salman.toor@it.uu.se" target="_blank" class="">salman.toor@it.uu.se</a>&gt;</span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word" class="">
<div style="margin:0px" class="">Hi, </div>
<div style="margin:0px" class=""><br class="">
</div>
<div style="margin:0px" class=""><br class="">
</div>
<div style="margin:0px" class="">I am trying to set up the policies for nova. Can you please have a look if that's correct?  </div>
<div style="margin:0px" class=""><br class="">
</div>
<div style="margin:0px;font-size:11px;font-family:Menlo" class=""><br class="">
</div>
<div style="margin:0px;font-size:11px;font-family:Menlo" class="">nova/policy.json</div>
<div style="margin:0px;font-size:11px;font-family:Menlo" class=""><span style="font-family:Helvetica;font-size:12px" class="">————————————————————————————————</span></div>
<div style="margin:0px;font-size:11px;font-family:Menlo" class="">"context_is_admin":  "role:admin",</div>
<div style="margin:0px;font-size:11px;font-family:Menlo" class="">"admin_or_owner":  "is_admin:True or project_id:%(project_id)s",</div>
<div style="margin:0px;font-size:11px;font-family:Menlo" class="">"owner":  "user_id:%(user_id)s",</div>
<div style="margin:0px;font-size:11px;font-family:Menlo" class="">"admin_or_user": "is_admin:True or user_id:%(user_id)s",</div>
<div style="margin:0px;font-size:11px;font-family:Menlo" class="">"default": "rule:admin_or_owner",</div>
<div style="margin:0px;font-size:11px;font-family:Menlo" class=""><br class="">
</div>
<div style="margin:0px;font-size:11px;font-family:Menlo" class="">
<div style="margin:0px" class="">"compute:get_all": "rule:admin_or_user",</div>
</div>
<div class="">————————————————————————————————</div>
<div class=""><br class="">
</div>
<div class="">I want users to only see their own instances, not the instances of all the users in the same tenant. </div>
<div class=""><br class="">
</div>
<div class="">I have restarted the nova-api service on the controller, but no effect. I have noticed that if I put "rule:<span style="font-family:Menlo;font-size:11px" class="">context_is_admin</span>" in "<span style="font-family:Menlo;font-size:11px" class="">compute:get_all</span>",
 then except "admin" no one can see anything, so the system is reading the file correctly. </div>
<div class=""><br class="">
</div>
<div class="">Important: </div>
<div class=""><br class="">
</div>
<div class="">1 - I haven’t changed the <span style="font-family:Menlo;font-size:11px" class=""> </span><span style="font-family:Menlo;font-size:11px" class="">/etc/openstack-dashboard/nova_policy.json</span><span style="font-family:Menlo;font-size:11px" class=""> </span></div>
<div class=""><span style="font-family:Menlo;font-size:11px" class=""><br class="">
</span></div>
<div class="">2 - I have only used the command line client tool to confirm the behaviour. </div>
<div class=""><br class="">
</div>
<div class="">I am running the Juno release.</div>
<div class=""><br class="">
</div>
<div class="">Please point me to some document that discusses all the policy parameters.</div>
<div class=""><br class="">
</div>
<div class="">Thanks in advance. </div>
<span class="HOEnZb"><font color="#888888" class="">
<div class=""><br class="">
</div>
<div class="">/Salman</div>
</font></span></div>
<br class="">
_______________________________________________<br class="">
OpenStack-operators mailing list<br class="">
<a href="mailto:OpenStack-operators@lists.openstack.org" class="">OpenStack-operators@lists.openstack.org</a><br class="">
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank" class="">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br class="">
<br class="">
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
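<div class="">Added example, not part of the thread and not nova or oslo.policy code: a simplified Python stand-in for the policy check, limited to the rule syntax in the quoted policy.json, showing why <code>compute:get_all</code> only answers allow/deny and why per-user listing needs separate filtering code. The instance records, the <code>list_instances</code> helper and the way the target is built from the caller's own context are assumptions made for illustration.</div>
<pre class="">
```python
# Simplified stand-in for the policy check, NOT oslo.policy or nova code.
# Supports only the syntax used in the policy.json quoted above:
# "role:x", "is_admin:True", "key:%(key)s", "rule:name", joined by "or".

RULES = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_or_user": "is_admin:True or user_id:%(user_id)s",
    "compute:get_all": "rule:admin_or_user",
}

def enforce(action, target, creds, rules=RULES):
    """Return True/False for one action; it never touches result sets."""
    return any(_check(term.strip(), target, creds, rules)
               for term in rules[action].split(" or "))

def _check(term, target, creds, rules):
    kind, _, match = term.partition(":")
    if kind == "rule":
        return enforce(match, target, creds, rules)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        expected = match % target      # fill %(user_id)s from the target
    except KeyError:
        return False                   # target lacks the key: no match
    return str(creds.get(kind)) == expected

# Constructed sample data: two users in the same tenant.
INSTANCES = [
    {"name": "vm-a", "project_id": "p1", "user_id": "alice"},
    {"name": "vm-b", "project_id": "p1", "user_id": "bob"},
]

def list_instances(creds, per_user=False):
    # Assumption: for a list call the target is built from the caller's own
    # context, so user_id:%(user_id)s compares the caller with itself.
    target = {"project_id": creds["project_id"], "user_id": creds["user_id"]}
    if not enforce("compute:get_all", target, creds):
        raise PermissionError("compute:get_all denied")
    rows = [i for i in INSTANCES if i["project_id"] == creds["project_id"]]
    if per_user:  # the extra filtering code Joseph refers to
        rows = [i for i in rows if i["user_id"] == creds["user_id"]]
    return [i["name"] for i in rows]

ALICE = {"user_id": "alice", "project_id": "p1", "roles": ["member"],
         "is_admin": False}
```
</pre>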
</body>
</html>