16 May
2023
16 May
'23
3 a.m.
Hello,
I'm trying to understand if this is feasible: I would like to avoid a regular user from tampering the "default" security group of a project. Specifically I would like to prevent him from deleting sg rules *from the default sg only*
I can wite a policy.yaml like this
# Delete a security group rule # DELETE /security-group-rules/{id} # Intended scope(s): project "delete_security_group_rule": "role:project_manager and project_id:%(project_id)s"
but this is sub-optimal since the regular member can still *add* rules...
Is it possible to create a rule like
"sg_is_default" : ...the sg group whose name is 'default'
so I can write
"delete_security_group_rule": "not rule:sg_is_default" ?
Thanks!
Paolo
--
Paolo Emilio Mazzon
System and Network Administrator
paoloemilio.mazzon[at]unipd.it
PNC - Padova Neuroscience Center
https://www.pnc.unipd.it
Via Orus 2/B - 35131 Padova, Italy
+39 049 821 2624