[neutron] policy rules: filter on name field
Slawek Kaplonski
skaplons at redhat.com
Tue May 16 14:25:52 UTC 2023
Hi,
On Tuesday, 16 May 2023 12:00:34 CEST, Paolo Emilio Mazzon wrote:
> Hello,
>
> I'm trying to understand if this is feasible: I would like to prevent a regular user from
> tampering with the "default" security group of a project. Specifically I would like to prevent
> him from deleting sg rules *from the default sg only*
>
> I can write a policy.yaml like this
>
> # Delete a security group rule
> # DELETE /security-group-rules/{id}
> # Intended scope(s): project
> "delete_security_group_rule": "role:project_manager and project_id:%(project_id)s"
>
> but this is sub-optimal since the regular member can still *add* rules...
>
> Is it possible to create a rule like
>
> "sg_is_default" : ...the sg group whose name is 'default'
>
> so I can write
>
> "delete_security_group_rule": "not rule:sg_is_default" ?
>
> Thanks!
I'm not sure but I will try to check it later today or tomorrow morning and will let you know if that is possible or not.
>
> Paolo
>
> --
> Paolo Emilio Mazzon
> System and Network Administrator
>
> paoloemilio.mazzon[at]unipd.it
>
> PNC - Padova Neuroscience Center
> https://www.pnc.unipd.it
> Via Orus 2/B - 35131 Padova, Italy
> +39 049 821 2624
>
>
--
Slawek Kaplonski
Principal Software Engineer
Red Hat
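The policy.yaml fragment quoted in the question is evaluated by oslo.policy against two inputs: the caller's credentials (roles, project_id) and the target resource being acted on. The small dry-run evaluator below is an added example written for this archive page; it is not oslo.policy or neutron code. It reimplements, with the same semantics, only the check types the quoted rule uses (`role:`, `<key>:%(attr)s`, `rule:`, and `not`/`and`/`or` without parentheses), so a rule can be tested against constructed contexts before it is deployed. The `create_security_group_rule` rule, the `is_project_manager` and `list_security_group_rules` rules, the role names, project ids and the security-group-rule target dictionary are all constructed for the example; they are not neutron's real defaults.

```python
"""Dry-run evaluator for oslo.policy-style rule strings (constructed example).

This is NOT oslo.policy or neutron code. It reimplements, with the same
semantics, just the checks the rule quoted in the message uses:
  role:<name>            true when <name> is one of the caller's roles
  <key>:%(attr)s         true when creds[<key>] equals target[attr]
  rule:<name>            evaluates another named rule
  not / and / or         precedence not > and > or; parentheses unsupported
An empty rule string means "always allowed", as in oslo.policy.
"""


def _parse(tokens):
    """Recursive-descent parse of a whitespace-tokenised rule into a tree."""

    def parse_or():
        node = parse_and()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            node = ("and", node, parse_not())
        return node

    def parse_not():
        if not tokens:
            raise ValueError("unexpected end of rule")
        if tokens[0] == "not":
            tokens.pop(0)
            return ("not", parse_not())
        return ("check", tokens.pop(0))

    tree = parse_or()
    if tokens:
        raise ValueError("trailing tokens: %r" % tokens)
    return tree


def _eval(node, rules, target, creds):
    op = node[0]
    if op == "not":
        return not _eval(node[1], rules, target, creds)
    if op == "and":
        return _eval(node[1], rules, target, creds) and _eval(node[2], rules, target, creds)
    if op == "or":
        return _eval(node[1], rules, target, creds) or _eval(node[2], rules, target, creds)
    kind, _, match = node[1].partition(":")
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    if kind == "rule":
        return enforce(rules, match, target, creds)
    # Generic check: "%(attr)s" is filled from the target (the resource being
    # acted on) and compared with the caller's credential of the same name.
    try:
        expected = match % target
    except KeyError:
        return False  # target lacks the attribute: deny, as oslo.policy does
    return kind in creds and str(creds[kind]) == expected


def enforce(rules, rule_name, target, creds):
    """Return True if `creds` may perform `rule_name` on `target`."""
    rule = rules[rule_name]
    if rule.strip() == "":
        return True
    return _eval(_parse(rule.split()), rules, target, creds)


# Constructed policy.yaml content: the delete rule from the message plus an
# assumed create rule, to show why the delete rule alone is "sub-optimal".
POLICY = {
    "delete_security_group_rule": "role:project_manager and project_id:%(project_id)s",
    "create_security_group_rule": "role:member and project_id:%(project_id)s",
    "is_project_manager": "role:project_manager",
    "list_security_group_rules": "not rule:is_project_manager or role:member",
}

# Constructed request contexts and a constructed security-group-rule target.
MEMBER = {"roles": ["member", "reader"], "project_id": "proj-a"}
MANAGER = {"roles": ["project_manager", "member"], "project_id": "proj-a"}
OTHER_MANAGER = {"roles": ["project_manager"], "project_id": "proj-b"}
SG_RULE = {"project_id": "proj-a", "security_group_id": "sg-1234"}


if __name__ == "__main__":
    for who, creds in [("member", MEMBER), ("manager", MANAGER), ("other", OTHER_MANAGER)]:
        for action in ("delete_security_group_rule", "create_security_group_rule"):
            print(who, action, enforce(POLICY, action, SG_RULE, creds))
```

Running it shows the gap the question describes: with the quoted delete rule a plain member is denied the delete, a project manager in the same project is allowed, a manager from another project is denied by the `project_id` match, and the member can still create rules under the constructed create rule. Note that a generic check such as `project_id:%(project_id)s` only compares an attribute of the target with a credential of the same name; whether a rule like `sg_is_default` can be expressed depends on what attributes the enforcement point puts in the target, which is the point the reply promises to check.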