On Wed, 28 Feb 2024 at 08:34, Sławek Kapłoński <skaplons@redhat.com> wrote:

Hi,

Dnia wtorek, 27 lutego 2024 21:20:21 CET Satish Patel pisze:

> Folks,

>

> I want to disable permission or the horizon button or whatever best way to

> not allow end users to "Release floating IP" because I want them to stick

> with assigned IP and not releasing them because of some regulatory process.

>

> Not sure what is the best way to have this level of control. I found

> neutron policy delete_floatingip: but is this the correct way to

> implement this policy?

This is good approach to do it in the Neutron. You need to look at the policy of the "update_floatingip" [1]. If You want to forbid only disassociate FIP You can try to add custom policy based on the field value, some example of such policy is done for RBAC API, see [2]. But I never tested something like that so you may need to play with it a bit.

>

> OR

>

> Does Horizon have some level of ACL to remove buttons or disable it?

That I have no idea about. Sorry.

Horizon can be configured with a copy of service policy files which are used to verify actions: https://docs.openstack.org/horizon/latest/configuration/settings.html#policy-files

I haven't used these settings in a while, but given the presence of `allowed` functions in the floating IP code, I would hope it disables forbidden actions for floating IPs:

https://opendev.org/openstack/horizon/src/tag/23.4.0/openstack_dashboard/dashboards/project/floating_ips/tables.py#L91-L101

Cheers,

Pierre Riteau (priteau)