[Openstack] [Keystone] Custom Roles

Jay Pipes jaypipes at gmail.com
Fri Feb 17 14:50:12 UTC 2012


On 02/17/2012 06:31 AM, Leander Bessa wrote:
> Hello,
>
> I was wondering if it would be possible to create custom roles in
> Keystone. For instance, I would like to create a role which would allow
> a project owner to create/remove flavors without the intervention of an
> admin account.

I *think* this should be possible with the new policy support that was 
recently added.

Check out the /etc/nova/policy.json file. You should be able to edit 
that file to customize access to specific resource actions for a new 
role... (hint: look for compute_extension:flavormanage)

That said, policy.json is pretty undocumented, and when I wrote the doc 
for Glance's similar policy.json support 
(http://glance.openstack.org/policies.html) I knew I was missing a lot 
of context. Hopefully Brian Waldon (cc'd) can provide some more help to you.

Sidenote, though... if you allow a custom role to create a new flavor, 
would you allow anyone to launch an instance with that flavor?

-jay
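
Added example (not part of the original message, and not Nova's own policy code): a small evaluator showing how adding a role to the `compute_extension:flavormanage` rule changes who is authorized. It assumes the list-of-lists rule syntax (outer list is OR, inner list is AND, an empty list allows everyone); the role name `flavor_manager` and both policy fragments are constructed for illustration.

```python
import json

# Constructed policy fragments; "flavor_manager" is a hypothetical role name.
DEFAULT_POLICY = json.loads("""{
  "admin_api": [["role:admin"]],
  "compute_extension:flavormanage": [["rule:admin_api"]]
}""")

CUSTOM_POLICY = json.loads("""{
  "admin_api": [["role:admin"]],
  "compute_extension:flavormanage": [["rule:admin_api"], ["role:flavor_manager"]]
}""")


def _match(check, policy, roles, seen):
    """Evaluate one 'kind:value' check against the caller's roles."""
    kind, _, value = check.partition(":")
    if kind == "role":
        return value.lower() in roles
    if kind == "rule":
        return _allowed(value, policy, roles, seen)
    return False  # unknown check kinds fail closed in this sketch


def _allowed(action, policy, roles, seen):
    # Simplification: an undefined or self-referencing rule is denied.
    if action not in policy or action in seen:
        return False
    rule = policy[action]
    if not rule:
        return True  # assumed syntax: an empty rule allows every caller
    seen = seen | {action}
    return any(all(_match(c, policy, roles, seen) for c in conj) for conj in rule)


def is_allowed(action, policy, roles):
    """Return True if a caller holding `roles` may perform `action`."""
    return _allowed(action, policy, {r.lower() for r in roles}, frozenset())


if __name__ == "__main__":
    action = "compute_extension:flavormanage"
    for name, policy in (("default", DEFAULT_POLICY), ("custom", CUSTOM_POLICY)):
        for roles in (["admin"], ["flavor_manager"], ["Member"]):
            print(name, roles, is_allowed(action, policy, roles))
```

The custom rule grants flavor management only; whether others can launch instances with the resulting flavors is governed by separate rules and needs its own review.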
