---- On Tue, 16 May 2023 07:25:52 -0700 Slawek Kaplonski wrote ---
Hi,
On Tuesday, 16 May 2023 12:00:34 CEST Paolo Emilio Mazzon wrote:
Hello,
I'm trying to understand if this is feasible: I would like to prevent a regular user from tampering with the "default" security group of a project. Specifically, I would like to prevent him from deleting sg rules *from the default sg only*
I can write a policy.yaml like this
# Delete a security group rule
# DELETE /security-group-rules/{id}
# Intended scope(s): project
"delete_security_group_rule": "role:project_manager and project_id:%(project_id)s"
but this is sub-optimal since the regular member can still *add* rules...
Is it possible to create a rule like
"sg_is_default" : ...the sg group whose name is 'default'
so I can write
"delete_security_group_rule": "not rule:sg_is_default" ?
Thanks!
I'm not sure but I will try to check it later today or tomorrow morning and will let You know if that is possible or not.
The 'not' operator is supported in oslo policy. I think the one below should work, which allows admin to delete the default SG while the manager role can delete only non-default SGs. NOTE: I have not tested this; maybe you can check while trying other combinations.
"delete_security_group_rule": "role:project_manager and project_id:%(project_id)s and not 'default':%(name)s or 'default':%(name)s and role:admin"
-gmann
Paolo
--
Paolo Emilio Mazzon
System and Network Administrator
paoloemilio.mazzon[at]unipd.it
PNC - Padova Neuroscience Center
https://www.pnc.unipd.it
Via Orus 2/B - 35131 Padova, Italy
+39 049 821 2624
--
Slawek Kaplonski
Principal Software Engineer
Red Hat
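Worked example, added here and not code from the thread or from oslo.policy itself: a small Python evaluator for the subset of the rule language used above (role:, rule:, 'literal':%(attr)s and cred:%(attr)s checks) with the precedence oslo.policy applies (not binds tightest, then and, then or), used to table how gmann's rule decides for a project manager, an admin and a plain member on the default and on a non-default security group. The rule is written with the "sg_is_default" helper rule from the question; the credential and target dictionaries are constructed, and the attributes Neutron actually passes as the target are an assumption.

```python
# Constructed sample policy (not a file from the thread): gmann's rule for
# delete_security_group_rule, using the "sg_is_default" helper Paolo asked about.
RULES = {
    "sg_is_default": "'default':%(name)s",
    "delete_security_group_rule":
        "role:project_manager and project_id:%(project_id)s "
        "and not rule:sg_is_default or rule:sg_is_default and role:admin",
}

def _check(tok, creds, target):
    """One check: role:X, rule:NAME, 'literal':%(attr)s or cred_key:%(attr)s.
    Simplified re-implementation of the oslo.policy semantics (assumption)."""
    kind, _, match = tok.partition(":")
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    if kind == "rule":
        return evaluate(RULES[match], creds, target)
    try:
        match = match % target      # substitute %(attr)s from the target
    except KeyError:
        return False                # attribute absent from target: check fails
    if kind[:1] == "'" and kind[-1:] == "'":
        return kind[1:-1] == match  # quoted literal compared to target attribute
    return kind in creds and str(creds[kind]) == match  # credential vs. target

def evaluate(expr, creds, target):
    """Precedence as in oslo.policy: not > and > or, so
    'A and B or C and D' is read as '(A and B) or (C and D)'.
    Parentheses are not supported; literals must not contain ' and '/' or '."""
    def term(tok):
        tok = tok.strip()
        if tok.startswith("not "):
            return not term(tok[4:])
        return _check(tok, creds, target)
    return any(all(term(t) for t in conj.split(" and "))
               for conj in expr.split(" or "))

def may_delete_sg_rule(creds, target):
    """Decision for the thread's rule, given the caller's creds and the
    security group attributes the enforcer sees as the target."""
    return evaluate(RULES["delete_security_group_rule"], creds, target)

if __name__ == "__main__":
    manager = {"roles": ["member", "project_manager"], "project_id": "p1"}
    admin = {"roles": ["admin"], "project_id": "p1"}
    default_sg = {"project_id": "p1", "name": "default"}
    web_sg = {"project_id": "p1", "name": "web"}
    print(may_delete_sg_rule(manager, default_sg))  # False
    print(may_delete_sg_rule(manager, web_sg))      # True
    print(may_delete_sg_rule(admin, default_sg))    # True
```

When the target carries no name, `'default':%(name)s` fails and the `not` turns the manager branch true, so the rule only guards the default group if the enforced target includes the group name.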