[neutron][horizon] disable permission to release floating ip for non-admin users
Folks,
I want to disable permission or the horizon button or whatever best way to not allow end users to "Release floating IP" because I want them to stick with assigned IP and not releasing them because of some regulatory process.
Not sure what is the best way to have this level of control. I found neutron policy delete_floatingip: but is this the correct way to implement this policy?
OR
Does Horizon have some level of ACL to remove buttons or disable it?
Looking for advice or clues.
Thanks!
Hi,
On Tuesday, 27 February 2024 21:20:21 CET Satish Patel wrote:
> Folks,
> I want to disable permission or the horizon button or whatever best way to not allow end users to "Release floating IP" because I want them to stick with assigned IP and not releasing them because of some regulatory process.
> Not sure what is the best way to have this level of control. I found neutron policy delete_floatingip: but is this the correct way to implement this policy?
This is a good approach, to do it in Neutron. You need to look at the policy of the "update_floatingip" [1]. If you want to forbid only disassociating a FIP, you can try to add a custom policy based on the field value; an example of such a policy is done for the RBAC API, see [2]. But I never tested something like that, so you may need to play with it a bit.
> OR
> Does Horizon have some level of ACL to remove buttons or disable it?
That I have no idea about. Sorry.
> Looking for advice or clues.
> Thanks!
[1] https://github.com/openstack/neutron/blob/master/neutron/conf/policies/float...
[2] https://github.com/openstack/neutron/blob/master/neutron/conf/policies/rbac....
--
Slawek Kaplonski
Principal Software Engineer
Red Hat
On Wed, 28 Feb 2024 at 08:34, Sławek Kapłoński <skaplons@redhat.com> wrote:
> Hi,
> On Tuesday, 27 February 2024 21:20:21 CET Satish Patel wrote:
> > Folks,
> > I want to disable permission or the horizon button or whatever best way to not allow end users to "Release floating IP" because I want them to stick with assigned IP and not releasing them because of some regulatory process.
> > Not sure what is the best way to have this level of control. I found neutron policy delete_floatingip: but is this the correct way to implement this policy?
> This is a good approach, to do it in Neutron. You need to look at the policy of the "update_floatingip" [1]. If you want to forbid only disassociating a FIP, you can try to add a custom policy based on the field value; an example of such a policy is done for the RBAC API, see [2]. But I never tested something like that, so you may need to play with it a bit.
> > OR
> > Does Horizon have some level of ACL to remove buttons or disable it?
> That I have no idea about. Sorry.
Horizon can be configured with a copy of service policy files which are used to verify actions:
https://docs.openstack.org/horizon/latest/configuration/settings.html#policy...
I haven't used these settings in a while, but given the presence of `allowed` functions in the floating IP code, I would hope it disables forbidden actions for floating IPs:
https://opendev.org/openstack/horizon/src/tag/23.4.0/openstack_dashboard/das...
Cheers,
Pierre Riteau (priteau)
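An override of the kind discussed in this thread, added here as an illustration and not posted by any of the participants. It assumes the Neutron server reads overrides from a policy.yaml file and that the administrator role is named admin.

```yaml
# Added example: Neutron policy override file (assumed path /etc/neutron/policy.yaml).
# Only the rules listed here are overridden; all others keep Neutron's defaults.

# "Release floating IP" in Horizon deletes the floating IP, so the rule named
# in the thread is the one to tighten. Neutron's default lets the owning
# project delete its own floating IPs; this restricts deletion to admins.
# "role:admin" assumes the administrator role is called "admin".
"delete_floatingip": "role:admin"

# Not changed here: "update_floatingip" still lets project users associate and
# disassociate the address, which keeps it allocated to the project.
# The field-based rule suggested in the thread for blocking disassociation
# is described there as untested and is not attempted here.
```

Neutron enforces this rule at the API, so it also applies to CLI and SDK clients. Horizon's copy of the policy file, if configured as described above, only affects what the dashboard offers.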