<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>
<div>Yup. This is exactly what we do, with Neutron policy.json. I can confirm that this works and achieves what you need.</div>
<div><br>
</div>
<div>Mike</div>
<div><br>
</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE"></div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Salvatore Orlando<br>
<span style="font-weight:bold">Date: </span>Saturday, May 16, 2015 at 12:54 AM<br>
<span style="font-weight:bold">To: </span>Giuseppa Muscianisi<br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>"<br>
<span style="font-weight:bold">Subject: </span>Re: [Openstack] modify policy for security group on neutron<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">Perhaps you can achieve this by editing policy.json (located by default in /etc/neutron).
<div><br>
</div>
<div>For instance you can allow only admin users to add security group rules to any security group by specifying the following:</div>
<div><br>
</div>
<div>
<div>"create_security_group_rule": "admin_only"</div>
</div>
<div><br>
</div>
<div>Similar rules for update and deletion of security group rules will prevent you from modifying existing rules.</div>
<div>This same set of rules will anyway allow admin users to add rules to the default security group.</div>
<div><br>
</div>
<div>Salvatore</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 15 May 2015 at 09:31, Giuseppa Muscianisi <span dir="ltr">
<<a href="mailto:g.muscianisi@cineca.it" target="_blank">g.muscianisi@cineca.it</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Dear all,</p>
<p>in our openstack cluster, we would restrict the actions that users can do with security group and security group rules.</p>
<p>Here's what we'd like to achieve: 1. Lock down security group (and rules) so that only admin (or tenant admin?) can modify them. 2. Add additional rules to the default security group.</p>
<p>Can you please give me some advices on how to achieve these goals?</p>
<p>Thanks in advance, Giusy</p>
<pre cols="72">--
---------------------------------------------------------------
" Considerate la vostra semenza:
fatti non foste a viver come bruti,
ma per seguir virtute e canoscenza "
Dante Alighieri
Divina Commedia - Inferno - Canto XXVI
---------------------------------------------------------------
Giuseppa Muscianisi, Ph.D.
CINECA - SuperComputing, Applications and Innovation Department
Via Magnanelli 6/3, 40033 Casalecchio di Reno (BO) - Italy
Phone: +39 051 6171 775
<a href="http://www.cineca.it" target="_blank">www.cineca.it</a></pre>
</div>
<br>
_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</span>
</body>
</html>