[nova] [ops] user_id based policy enforcement

Massimo Sgaravatto massimo.sgaravatto at gmail.com
Wed Jun 3 06:18:41 UTC 2020


In my Rocky installation I am preventing users from deleting instances
created by other users of the same project.
This was implemented setting in the nova policy file:

"os_compute_api:servers:delete": "rule:admin_api or user_id:%(user_id)s"

This works, even if in the nova log file I see:

The user_id attribute isn't supported in the rule
'os_compute_api:servers:delete'. All the user_id based policy enforcement
will be removed in the future.

Now I would also like preventing user to see the console log file of
instances created by other users. I set in the nova policy file:

"os_compute_api:os-console-output" : "rule:admin_api or user_id:%(user_id)s"

but this doesn't work

Any hints ?

More in general: were the user_id based policy eventually removed in latest
OpenStack releases ?
Which are then the  possible alternatives to implement my use case ?

Thanks, Massimo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20200603/96b138e9/attachment.html>

More information about the openstack-discuss mailing list