[neutron] policy rules: filter on name field
Paolo Emilio Mazzon
paoloemilio.mazzon at unipd.it
Tue May 16 10:00:34 UTC 2023
Hello,
I'm trying to understand if this is feasible: I would like to prevent a regular user from
tampering with the "default" security group of a project. Specifically, I would like to prevent
him from deleting sg rules *from the default sg only*.
I can write a policy.yaml like this:
# Delete a security group rule
# DELETE /security-group-rules/{id}
# Intended scope(s): project
"delete_security_group_rule": "role:project_manager and project_id:%(project_id)s"
but this is sub-optimal since the regular member can still *add* rules...
Is it possible to create a rule like
"sg_is_default" : ...the sg group whose name is 'default'
so I can write
"delete_security_group_rule": "not rule:sg_is_default" ?
Thanks!
Paolo
--
Paolo Emilio Mazzon
System and Network Administrator
paoloemilio.mazzon[at]unipd.it
PNC - Padova Neuroscience Center
https://www.pnc.unipd.it
Via Orus 2/B - 35131 Padova, Italy
+39 049 821 2624