<div dir="ltr"><div>Maybe this is relevant with:</div><div><br></div><a href="https://bugs.launchpad.net/nova/+bug/1539351">https://bugs.launchpad.net/nova/+bug/1539351</a><br><div><br></div><div>?</div><div><br></div><div>In our Mitaka installation we had to keep using v2.0 API to be able to use user_id in the policy file ...</div><div><br></div><div>I don't know if there are better solutions ...</div><div><br></div><div>Cheers, Massimo</div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-01-15 8:44 GMT+01:00 Hamza Achi <span dir="ltr"><<a href="mailto:h16mara@gmail.com" target="_blank">h16mara@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div>Hello,<br><br></div>According to this Nova-spec of Newton release [1], user_id:%(user_id)s syntax should work to constrain some operations to user_id
instead of project_id, like deleting and rebuilding VMs.<br><br></div>But it is not working: users within the same project can delete, rebuild... the VMs of each other. I added these rules in /etc/nova/policy.json (I used the devstack stable/newton branch):<br><br>    "admin_required": "role:admin or is_admin:1",<br>    "owner" : "user_id:%(user_id)s",<br>    "admin_or_owner": "rule:admin_required or rule:owner",<br>    "compute:delete": "rule:admin_or_owner",<br>    "compute:resize": "rule:admin_or_owner",<br>    "compute:rebuild": "rule:admin_or_owner",<br>    "compute:reboot": "rule:admin_or_owner",<br>    "compute:start": "rule:admin_or_owner",<br>    "compute:stop": "rule:admin_or_owner"<br><br><br></div>Can you please point out what I am missing?<br><br></div>Thank you,<br></div>Hamza<br><div><div><div><br><br>[1] <a href="https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html" target="_blank">https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html</a><br></div></div></div></div>
<br>_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
<br></blockquote></div><br></div>
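As an added example (not code from this thread, from Nova or from oslo.policy), here is a toy evaluator for the subset of the policy language used in the rules Hamza quotes: it shows that `user_id:%(user_id)s` substitutes the field from the target (the instance being acted on) and compares it with the caller's credentials, so a same-project non-owner is denied, and that the owner rule can only match if the target handed to the enforcer actually carries user_id. The function names (`enforce`, `evaluate`, `_check_atom`), the sample users and the deny-on-missing-field behaviour are this example's own assumptions.

```python
import json

# Constructed sample: the rules quoted in the message above (policy.json syntax).
POLICY_JSON = """{
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "compute:delete": "rule:admin_or_owner"
}"""

def _check_atom(atom, target, creds, rules):
    """Evaluate one 'kind:match' term of the rule language (toy subset)."""
    kind, match = atom.split(":", 1)
    if kind == "rule":
        return evaluate(match, target, creds, rules)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: fill %(field)s from the *target* (the resource acted on),
    # then compare the result with the same field in the caller's credentials.
    try:
        expected = match % target
    except KeyError:
        # Target lacks the field the rule needs: deny (this toy's own choice).
        return False
    return str(creds.get(kind)) == expected

def evaluate(expr, target, creds, rules):
    """'a and b or c': 'and' binds tighter than 'or'; names expand via rules."""
    expr = rules.get(expr, expr)
    return any(
        all(_check_atom(a.strip(), target, creds, rules) for a in clause.split(" and "))
        for clause in expr.split(" or ")
    )

def enforce(action, target, creds, policy_json=POLICY_JSON):
    """Return True if creds may perform action on target under policy_json."""
    return evaluate(action, target, creds, json.loads(policy_json))

if __name__ == "__main__":
    # Constructed data: alice owns the instance; bob is in the same project.
    instance = {"project_id": "p1", "user_id": "alice"}
    alice = {"user_id": "alice", "roles": ["member"]}
    bob = {"user_id": "bob", "roles": ["member"]}
    print("alice:", enforce("compute:delete", instance, alice))  # True
    print("bob:  ", enforce("compute:delete", instance, bob))    # False
    # A target without user_id can never satisfy the owner rule, even for alice.
    print("alice, target lacks user_id:",
          enforce("compute:delete", {"project_id": "p1"}, alice))  # False
```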