On 07/02/2015 03:10 AM, masoom alam wrote:
> Hi everyone,
>
> The glance policy.json allows specific users/roles to download an
> image. If we apply a policy on a specific role, only that role can
> download and/or boot an image.
>
> What if we want to restrict downloading an image, but at the same time
> allow the user to boot it via nova boot. The catch is that we will
> have to restrict the user from taking the snapshot, right? Can glance
> differentiate between a user downloading an image and nova doing the
> same on behalf of a user?

No, as it is done with a token. The token is passed to nova, and nova
passes it to glance to perform the action.

If snapshot is a different API call than download, then you apply a
different role for each, and make sure that tokens passed to Nova do not
have the "snapshot" role in them.

It is issues like this that are making me try to drive the Dynamic
Policy effort in Keystone. My initial write-up is here:

https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/

And the wiki is here:

https://wiki.openstack.org/wiki/DynamicPolicies

I'd love to have your input on the process.

> OR how to solve the puzzle, please guide.
>
> Thanks
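As an added example (not part of this thread, and not oslo.policy itself), here is a minimal evaluator for Glance-style policy.json rules that illustrates the point above: glance only sees the roles carried in the token, whichever service presents it, so the only lever is a separate role per API target. The target names are the ones Glance's policy.json uses; that a nova boot hits download_image while a nova snapshot hits add_image and upload_image is an assumption, and the policy and role names are constructed.

```python
"""Tiny evaluator for Glance-style policy.json rules (constructed example,
not oslo.policy).  Supports "", "!", "role:X", "rule:Y", "not", "and", "or"
with oslo.policy's precedence (not binds tightest, then and, then or)."""
import json

# Constructed policy: "image_downloader" may pull image bytes (and so boot),
# only "snapshotter" may create/upload images (what a nova snapshot does).
# Target names follow Glance's policy.json; which targets nova hits is an
# assumption stated in the lead-in.
POLICY_JSON = """{
  "context_is_admin": "role:admin",
  "default": "",
  "get_image": "",
  "download_image": "role:image_downloader or rule:context_is_admin",
  "add_image": "role:snapshotter or rule:context_is_admin",
  "upload_image": "role:snapshotter or rule:context_is_admin"
}"""

def _check(term, roles, rules):
    """Evaluate a single check; only the roles in the token matter."""
    term = term.strip()
    if term == "":
        return True          # empty rule: always allowed
    if term == "!":
        return False         # bang rule: never allowed
    kind, _, value = term.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        return evaluate(rules[value], roles, rules)
    raise ValueError("unsupported check: %r" % term)

def evaluate(expr, roles, rules):
    """'or' binds loosest, then 'and'; a leading 'not ' negates one check."""
    for disjunct in expr.split(" or "):
        ok = True
        for conjunct in disjunct.split(" and "):
            conjunct = conjunct.strip()
            negate = conjunct.startswith("not ")
            result = _check(conjunct[4:] if negate else conjunct, roles, rules)
            ok = ok and (result != negate)
        if ok:
            return True
    return False

def allowed(target, roles, policy=POLICY_JSON):
    """Same answer whether the user or nova-with-the-user's-token calls."""
    rules = json.loads(policy)
    return evaluate(rules.get(target, rules["default"]), set(roles), rules)
```

A token with roles member and image_downloader can download (and so boot) but not snapshot; a token with only member cannot download, no matter whether the user or nova presents it.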