Hi,

On Tuesday, 16 May 2023 12:00:34 CEST Paolo Emilio Mazzon wrote:
Hello,
I'm trying to understand if this is feasible: I would like to prevent a regular user from tampering with the "default" security group of a project. Specifically, I would like to prevent him from deleting sg rules *from the default sg only*.
I can write a policy.yaml like this
# Delete a security group rule
# DELETE /security-group-rules/{id}
# Intended scope(s): project
"delete_security_group_rule": "role:project_manager and project_id:%(project_id)s"
but this is sub-optimal since the regular member can still *add* rules...
Is it possible to create a rule like
"sg_is_default" : ...the sg group whose name is 'default'
so I can write
"delete_security_group_rule": "not rule:sg_is_default" ?
Thanks!
I'm not sure, but I will try to check it later today or tomorrow morning and will let you know if that is possible or not.
Paolo
--
Paolo Emilio Mazzon
System and Network Administrator
paoloemilio.mazzon[at]unipd.it
PNC - Padova Neuroscience Center
https://www.pnc.unipd.it
Via Orus 2/B - 35131 Padova, Italy
+39 049 821 2624
--
Slawek Kaplonski
Principal Software Engineer
Red Hat