<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi Salvatore, <br>
as you wrote, it works. Thanks a lot.<br>
<br>
Regarding my second question, "Add additional rules to the
default security group": I would like to add rules to the "default" of the
"default security group". In other words, I'm able to modify each
security group named "default" of each tenant, but I would like to add
rules to the default rules of the default security group (at the
moment there are only 4), so that I don't have to modify the rules
of the default security group every time for each tenant. <br>
<br>
Do you have any suggestion? <br>
<br>
Thanks. Giusy <br>
<br>
<br>
On 17/05/2015 20:36, Mike Dorman wrote:<br>
</div>
<blockquote
cite="mid:EE1A0CFC-97AF-4AE2-883F-2F02BE3E73DF@godaddy.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div>
<div>
<div>Yup. This is exactly what we do, with Neutron
policy.json. I can confirm that this works and achieves
what you need.</div>
<div><br>
</div>
<div>Mike</div>
<div><br>
</div>
<div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt;
text-align:left; color:black; BORDER-BOTTOM: medium none;
BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Salvatore Orlando<br>
<span style="font-weight:bold">Date: </span>Saturday, May 16,
2015 at 12:54 AM<br>
<span style="font-weight:bold">To: </span>Giuseppa Muscianisi<br>
<span style="font-weight:bold">Cc: </span>"<a
moz-do-not-send="true"
href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>"<br>
<span style="font-weight:bold">Subject: </span>Re:
[Openstack] modify policy for security group on neutron<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">Perhaps you can achieve this by editing
policy.json (located by default in /etc/neutron).
<div><br>
</div>
<div>For instance you can allow only admin users to add
security group rules to any security group by specifying
the following:</div>
<div><br>
</div>
<div>
<div>"create_security_group_rule": "rule:admin_only"</div>
</div>
<div><br>
</div>
<div>Similar rules for update and deletion of security
group rules will prevent you from modifying existing
rules.</div>
<div>This same set of rules will anyway allow admin users
to add rules to the default security group.</div>
<div><br>
</div>
<div>Salvatore</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 15 May 2015 at 09:31, Giuseppa
Muscianisi <span dir="ltr">
<<a moz-do-not-send="true"
href="mailto:g.muscianisi@cineca.it" target="_blank">g.muscianisi@cineca.it</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Dear all,</p>
<p>in our OpenStack cluster, we would like to restrict the
actions that users can perform on security groups and
security group rules.</p>
<p>Here's what we'd like to achieve: 1. Lock down
security groups (and rules) so that only admin (or
tenant admin?) can modify them. 2. Add additional
rules to the default security group.</p>
<p>Can you please give me some advice on how to
achieve these goals?</p>
<p>Thanks in advance, Giusy</p>
<pre cols="72">--
---------------------------------------------------------------
" Consider your origins:
you were not made to live as brutes,
but to pursue virtue and knowledge "
Dante Alighieri
Divina Commedia - Inferno - Canto XXVI
---------------------------------------------------------------
Giuseppa Muscianisi, Ph.D.
CINECA - SuperComputing, Applications and Innovation Department
Via Magnanelli 6/3, 40033 Casalecchio di Reno (BO) - Italy
Phone: +39 051 6171 775
<a moz-do-not-send="true" href="http://www.cineca.it" target="_blank">www.cineca.it</a></pre>
</div>
<br>
_______________________________________________<br>
Mailing list: <a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack"
target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a moz-do-not-send="true"
href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Unsubscribe : <a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack"
target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</span>
</blockquote>
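<p>Added example, not part of the original thread and not Neutron's own code: a small Python audit that checks whether security group actions in a policy.json resolve to admin-only. The sample policy is constructed; it assumes context_is_admin is defined as role:admin and that actions without an entry fall back to the "default" rule, and every action name other than create_security_group_rule is an assumption.</p>

```python
import json

# Constructed sample modelled on a Neutron policy.json; not a real deployment file.
SAMPLE_POLICY = json.loads("""{
  "context_is_admin": "role:admin",
  "admin_only": "rule:context_is_admin",
  "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
  "default": "rule:admin_or_owner",
  "create_security_group_rule": "rule:admin_only",
  "delete_security_group_rule": "admin_only",
  "update_security_group": "rule:admin_or_owner"
}""")

# Only create_security_group_rule appears in the thread; the other action
# names are assumptions that follow the same verb_resource pattern.
ACTIONS = ["create_security_group_rule", "delete_security_group_rule",
           "update_security_group", "delete_security_group"]


def resolve(policy, expr, seen=()):
    """Follow a lone 'rule:name' alias chain; None on a loop or dangling name."""
    expr = expr.strip()
    if expr.startswith("rule:") and " " not in expr:
        name = expr[len("rule:"):]
        if name in seen or name not in policy:
            return None
        return resolve(policy, policy[name], seen + (name,))
    return expr


def audit(policy, actions=ACTIONS):
    """Map each action to a finding; only 'admin-only' passes the lock-down."""
    findings = {}
    for action in actions:
        # Assumption: an action with no entry is decided by the "default" rule.
        source = "explicit" if action in policy else "default"
        final = resolve(policy, policy.get(action, policy.get("default", "")))
        if final == "role:admin":
            findings[action] = "admin-only"
        elif final is None:
            findings[action] = "unresolved alias"
        elif final and ":" not in final and final not in ("!", "@"):
            findings[action] = "malformed check string"
        else:
            findings[action] = "not admin-only (%s)" % source
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY), indent=2))
```

<p>A check string written without its kind prefix (for example a bare alias name instead of rule:name) is reported as malformed rather than as admin-only, and anything other than a plain alias chain ending in role:admin is left for manual review.</p>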
<br>
<br>
</body>
</html>