[nova] [ops] user_id based policy enforcement
Massimo Sgaravatto
massimo.sgaravatto at gmail.com
Wed Jun 3 06:18:41 UTC 2020
Hi
In my Rocky installation I am preventing users from deleting instances
created by other users of the same project.
This was implemented by setting in the nova policy file:
"os_compute_api:servers:delete": "rule:admin_api or user_id:%(user_id)s"
This works, even if in the nova log file I see:
The user_id attribute isn't supported in the rule
'os_compute_api:servers:delete'. All the user_id based policy enforcement
will be removed in the future.
Now I would also like to prevent users from seeing the console log of
instances created by other users. I set in the nova policy file:
"os_compute_api:os-console-output" : "rule:admin_api or user_id:%(user_id)s"
but this doesn't work.
Any hints?
More in general: were the user_id based policies eventually removed in the latest
OpenStack releases?
Which are then the possible alternatives to implement my use case?
Thanks, Massimo
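As an added illustration (not nova's or oslo.policy's own code), here is a minimal model of how a rule such as "rule:admin_api or user_id:%(user_id)s" is evaluated: the left side of a generic check is read from the caller's credentials and the right side is substituted from the target the API hands to the enforcer, so the check can only pass when that target actually carries a user_id. The "admin_api" definition and the credential/instance dicts are constructed assumptions.

```python
import re

# Constructed policy: "admin_api" is defined here as "role:admin" as a
# stand-in for nova's real rule; the delete rule is the one from the post.
POLICY = {
    "admin_api": "role:admin",
    "os_compute_api:servers:delete": "rule:admin_api or user_id:%(user_id)s",
}


def _check_atom(atom, rules, creds, target):
    kind, _, value = atom.partition(":")
    if kind == "rule":
        # Reference to another named rule in the policy file.
        return evaluate(rules[value], rules, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic check: "<cred key>:%(target key)s". The right side is
    # formatted from the target dict; a missing target key cannot match,
    # which mirrors how oslo.policy's GenericCheck fails closed.
    try:
        expected = value % target
    except KeyError:
        return False
    return str(creds.get(kind)) == expected


def evaluate(rule_text, rules, creds, target):
    # Only the "or"-joined subset used in the post is modelled.
    return any(_check_atom(atom.strip(), rules, creds, target)
               for atom in re.split(r"\s+or\s+", rule_text))


def may_delete(creds, instance):
    return evaluate(POLICY["os_compute_api:servers:delete"], POLICY,
                    creds, instance)


if __name__ == "__main__":
    # Constructed sample: instance owned by "alice" in project "p1".
    owner = {"user_id": "alice", "roles": ["member"]}
    peer = {"user_id": "bob", "roles": ["member"]}
    admin = {"user_id": "carol", "roles": ["admin"]}
    instance = {"user_id": "alice", "project_id": "p1"}
    print(may_delete(owner, instance), may_delete(peer, instance),
          may_delete(admin, instance))
    # Target without user_id: no non-admin can satisfy the rule.
    print(may_delete(owner, {"project_id": "p1"}))
```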