<div dir="ltr"><p>Hello,</p>
<p>According to this Nova spec of the Newton release [1], the <code>user_id:%(user_id)s</code> syntax should work to constrain some operations, like deleting and rebuilding VMs, to the user_id instead of the project_id.</p>
<p>But it is not working: users within the same project can delete, rebuild, ... the VMs of each other. I added these rules in /etc/nova/policy.json (I used the devstack stable/newton branch):</p>
<pre> "admin_required": "role:admin or is_admin:1",
 "owner" : "user_id:%(user_id)s",
 "admin_or_owner": "rule:admin_required or rule:owner",
 "compute:delete": "rule:admin_or_owner",
 "compute:resize": "rule:admin_or_owner",
 "compute:rebuild": "rule:admin_or_owner",
 "compute:reboot": "rule:admin_or_owner",
 "compute:start": "rule:admin_or_owner",
 "compute:stop": "rule:admin_or_owner"</pre>
<p>Can you please point out what I am missing?</p>
<p>Thank you,<br>Hamza</p>
<p>[1] <a href="https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html">https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html</a></p></div>
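<p>The following is an added example, not code from the mail or from Nova/oslo.policy: a minimal evaluator for the rule syntax quoted above, showing what <code>user_id:%(user_id)s</code> is expected to do once the check is actually evaluated. It assumes, as oslo.policy does, that the right-hand side of a generic check is interpolated from the <em>target</em> (the instance's attributes) and compared with the caller's <em>credentials</em>; the sample instance and users are constructed.</p>

```python
"""Minimal stand-in for oslo.policy rule evaluation (example only).
Supports just 'or', 'and', 'rule:', 'role:' and generic 'key:value' /
'key:%(field)s' checks, which is all the quoted policy.json snippet uses."""
import json

# Constructed subset of the rules from the mail, as they sit in policy.json.
POLICY_JSON = """{
 "admin_required": "role:admin or is_admin:1",
 "owner": "user_id:%(user_id)s",
 "admin_or_owner": "rule:admin_required or rule:owner",
 "compute:delete": "rule:admin_or_owner",
 "compute:rebuild": "rule:admin_or_owner"
}"""
RULES = json.loads(POLICY_JSON)


def check(expr, target, creds):
    """Evaluate one rule string. 'or' binds weaker than 'and'.
    target: attributes of the object acted on (e.g. the instance's user_id).
    creds:  attributes of the caller's token (user_id, roles, ...)."""
    if " or " in expr:
        return any(check(p, target, creds) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, target, creds) for p in expr.split(" and "))
    kind, _, match = expr.partition(":")
    if kind == "rule":
        return check(RULES[match], target, creds)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: "%(user_id)s" is filled in from the target, so the
    # owner rule only matches when the target carries the instance's user_id.
    try:
        match = match % target
    except KeyError:
        return False  # target lacks the field; the owner rule cannot match
    return str(creds.get(kind)) == match


def enforce(action, target, creds):
    """True if creds may perform action on the object described by target."""
    return check(RULES[action], target, creds)


if __name__ == "__main__":
    instance = {"user_id": "alice", "project_id": "proj-1"}  # constructed
    for name, creds in (
        ("alice (owner)", {"user_id": "alice", "roles": ["member"]}),
        ("bob (same project)", {"user_id": "bob", "roles": ["member"]}),
        ("carol (admin)", {"user_id": "carol", "roles": ["admin"]}),
    ):
        print(name, "compute:delete ->", enforce("compute:delete", instance, creds))
```

<p>With the instance's user_id in the target, only the owner and admins pass; if the target only carries project_id, the owner rule can never match, so a check that lets every project member through means the rule was not evaluated with this target at all.</p>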