[ops][cinder] Policy for volume attach/detach
Massimo Sgaravatto
massimo.sgaravatto at gmail.com
Mon Apr 27 10:47:26 UTC 2020
I would like to set a policy so that attachment operations can be done
only by the user who created that volume. To do that I created this
[*] policy.yaml file.
I verified that with such policy file:
- I am able to attach volumes only for the volumes I created
- I can attach my volumes also to instances owned by other users
- I cannot attach volumes belonging to other users to my instances
So far so good.
But I am allowed to detach any volume from any instance, even if I am not
the owner of that volume, and this is not what I want.
What am I doing wrong?
Thanks, Massimo
[*]
#
# To be used when another member of the same project can't change something
# created by another user of the same project
"admin_or_user": "is_admin:True or (role:admin and is_admin_project:True) or user_id:%(user_id)s"
# Create attachment.
# POST /attachments
"volume:attachment_create": "rule:admin_or_user"
# Update attachment.
# PUT /attachments/{attachment_id}
"volume:attachment_update": "rule:admin_or_user"
# Delete attachment.
# DELETE /attachments/{attachment_id}
"volume:attachment_delete": "rule:admin_or_user"
# Mark a volume attachment process as completed (in-use)
# POST /attachments/{attachment_id}/action (os-complete)
"volume:attachment_complete": "rule:admin_or_user"
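One way to see what the posted rules can and cannot decide, as an added example that is not part of the original message or of the Cinder project: the script below is a small, constructed re-implementation of the oslo.policy check semantics that matter here (`rule:`, `role:`, `key:value` and `key:%(target_key)s` atoms, `and`/`or`/`not`, parentheses), not the oslo.policy library itself, and it evaluates the same rule strings against constructed caller credentials and enforcement targets. The names `evaluate`, `run_scenarios`, the users alice/bob/carol and the target dicts are all assumptions made up for the demonstration. The last two scenarios show the point to verify on the detach path: `user_id:%(user_id)s` compares the caller's user_id with whatever `user_id` the service puts into the target, so if the target does not carry the volume owner the check fails closed, and if the target is built from the caller's own request context the check trivially passes for everyone.

```python
import re

# Rules as in the posted policy.yaml (constructed dict, same rule strings).
RULES = {
    "admin_or_user": "is_admin:True or (role:admin and is_admin_project:True) "
                     "or user_id:%(user_id)s",
    "volume:attachment_create": "rule:admin_or_user",
    "volume:attachment_update": "rule:admin_or_user",
    "volume:attachment_delete": "rule:admin_or_user",
    "volume:attachment_complete": "rule:admin_or_user",
}

# Tokens: "(", ")", or an atom; an atom may contain a "%(key)s" substitution.
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)|[^\s()])+")


def _atom(atom, target, creds, rules):
    """Evaluate one 'kind:match' atom (simplified oslo.policy semantics)."""
    kind, _, match = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return evaluate(rules, match, target, creds)
    if kind == "role":                      # role held by the caller
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        expected = match % target           # expand %(key)s from the target
    except KeyError:
        return False                        # target lacks the key: fail closed
    if kind not in creds:
        return False                        # caller lacks the attribute: fail closed
    return str(creds[kind]) == expected     # e.g. str(creds["user_id"]) == target["user_id"]


# Recursive-descent evaluation: 'and' binds tighter than 'or', as in oslo.policy.
def _eval_or(tok, i, env):
    val, i = _eval_and(tok, i, env)
    while i < len(tok) and tok[i].lower() == "or":
        rhs, i = _eval_and(tok, i + 1, env)
        val = val or rhs
    return val, i


def _eval_and(tok, i, env):
    val, i = _eval_unary(tok, i, env)
    while i < len(tok) and tok[i].lower() == "and":
        rhs, i = _eval_unary(tok, i + 1, env)
        val = val and rhs
    return val, i


def _eval_unary(tok, i, env):
    if tok[i].lower() == "not":
        val, i = _eval_unary(tok, i + 1, env)
        return (not val), i
    if tok[i] == "(":
        val, i = _eval_or(tok, i + 1, env)
        if i >= len(tok) or tok[i] != ")":
            raise ValueError("unbalanced parentheses in policy rule")
        return val, i + 1
    return _atom(tok[i], *env), i + 1


def evaluate(rules, rule_name, target, creds):
    """Decide rule_name for the given target (the object) and creds (the caller)."""
    if rule_name not in rules:
        return False                        # unknown rule: deny
    expr = rules[rule_name].strip()
    if not expr:
        return True                         # empty rule string: always allowed
    val, _ = _eval_or(_TOKEN.findall(expr), 0, (target, creds, rules))
    return val


# Constructed callers and targets (hypothetical users and projects).
ALICE = {"user_id": "alice", "project_id": "proj-a", "roles": ["member"],
         "is_admin": False, "is_admin_project": False}
BOB = {"user_id": "bob", "project_id": "proj-a", "roles": ["member"],
       "is_admin": False, "is_admin_project": False}
ADMIN = {"user_id": "carol", "project_id": "admin", "roles": ["admin"],
         "is_admin": True, "is_admin_project": True}
ALICE_VOLUME = {"user_id": "alice", "project_id": "proj-a"}   # target built from the volume


def run_scenarios():
    """Return the policy decision for each constructed scenario."""
    return {
        "alice_attaches_own_volume":
            evaluate(RULES, "volume:attachment_create", ALICE_VOLUME, ALICE),
        "bob_attaches_alice_volume":
            evaluate(RULES, "volume:attachment_create", ALICE_VOLUME, BOB),
        "admin_attaches_alice_volume":
            evaluate(RULES, "volume:attachment_create", ALICE_VOLUME, ADMIN),
        # Target built from the volume: non-owner detach is denied.
        "bob_detaches_alice_volume":
            evaluate(RULES, "volume:attachment_delete", ALICE_VOLUME, BOB),
        # Target without a user_id: the owner check fails closed.
        "bob_detaches_target_without_owner":
            evaluate(RULES, "volume:attachment_delete", {"project_id": "proj-a"}, BOB),
        # Target built from the caller's own context: the owner check always passes.
        "bob_detaches_target_from_own_context":
            evaluate(RULES, "volume:attachment_delete",
                     {"user_id": BOB["user_id"], "project_id": BOB["project_id"]}, BOB),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The rule string alone denies a non-owner detach in this model, so when the live service still permits it, the thing to inspect is which policy name the detach request is actually checked under and what target dictionary that check receives; the same script can be pointed at any other rule/target pair to predict the decision before changing policy.yaml on a running deployment.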