On Wed, 28 Feb 2024 at 08:34, Sławek Kapłoński <skaplons@redhat.com> wrote:
Hi,
Dnia wtorek, 27 lutego 2024 21:20:21 CET Satish Patel pisze:
Folks,
I want to disable permission or the horizon button or whatever best way to
not allow end users to "Release floating IP" because I want them to stick
with assigned IP and not releasing them because of some regulatory process.
Not sure what is the best way to have this level of control. I found
neutron policy delete_floatingip: but is this the correct way to
implement this policy?
This is good approach to do it in the Neutron. You need to look at the policy of the "update_floatingip" [1]. If You want to forbid only disassociate FIP You can try to add custom policy based on the field value, some example of such policy is done for RBAC API, see [2]. But I never tested something like that so you may need to play with it a bit.
OR
Does Horizon have some level of ACL to remove buttons or disable it?
That I have no idea about. Sorry.
Horizon can be configured with a copy of service policy files which are used to verify actions: https://docs.openstack.org/horizon/latest/configuration/settings.html#policy... I haven't used these settings in a while, but given the presence of `allowed` functions in the floating IP code, I would hope it disables forbidden actions for floating IPs: https://opendev.org/openstack/horizon/src/tag/23.4.0/openstack_dashboard/das... Cheers, Pierre Riteau (priteau)