[neutron] policy rules: filter on name field
Ghanshyam Mann
gmann at ghanshyammann.com
Tue May 16 21:52:39 UTC 2023
---- On Tue, 16 May 2023 07:25:52 -0700 Slawek Kaplonski wrote ---
> Hi,
>
> On Tuesday, 16 May 2023 12:00:34 CEST Paolo Emilio Mazzon wrote:
> > Hello,
> >
> > I'm trying to understand if this is feasible: I would like to prevent a regular user from
> > tampering with the "default" security group of a project. Specifically I would like to prevent
> > him from deleting sg rules *from the default sg only*
> >
> > I can write a policy.yaml like this
> >
> > # Delete a security group rule
> > # DELETE /security-group-rules/{id}
> > # Intended scope(s): project
> > "delete_security_group_rule": "role:project_manager and project_id:%(project_id)s"
> >
> > but this is sub-optimal since the regular member can still *add* rules...
> >
> > Is it possible to create a rule like
> >
> > "sg_is_default" : ...the sg group whose name is 'default'
> >
> > so I can write
> >
> > "delete_security_group_rule": "not rule:sg_is_default" ?
> >
> > Thanks!
>
> I'm not sure but I will try to check it later today or tomorrow morning and will let you know if that is possible or not.
The 'not' operator is supported in oslo.policy. I think the one below should work: it allows admin to delete the default SG, and the manager role
can delete only non-default SGs.
NOTE: I have not tested this, maybe you can check while trying other combinations.
"delete_security_group_rule": "role:project_manager and project_id:%(project_id)s and not 'default':%(name)s or 'default':%(name)s and role:admin"
-gmann
>
> >
> > Paolo
> >
> > --
> > Paolo Emilio Mazzon
> > System and Network Administrator
> >
> > paoloemilio.mazzon[at]unipd.it
> >
> > PNC - Padova Neuroscience Center
> > https://www.pnc.unipd.it
> > Via Orus 2/B - 35131 Padova, Italy
> > +39 049 821 2624
> >
> >
>
>
> --
> Slawek Kaplonski
> Principal Software Engineer
> Red Hat
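An added example, not code from the thread or from oslo.policy itself: a small stand-in that mirrors how oslo.policy evaluates `not`/`and`/`or` and `kind:%(field)s` checks, so the rule proposed above can be tabled against constructed credentials and targets. It assumes the enforcement target carries `project_id` and `name` fields; the last constructed target shows what happens when `name` is absent.

```python
# Stand-in for oslo.policy's check evaluation: 'not' binds tightest, then 'and', then 'or'.
def _check(token, creds, target):
    kind, _, match = token.partition(":")
    try:
        match = match % target  # substitute %(field)s from the target
    except KeyError:
        return False  # as in oslo.policy: a missing target field makes the check fail
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    if kind[:1] == kind[-1:] == "'":  # single-quoted literal such as 'default'
        return match == kind[1:-1]
    return kind in creds and match == str(creds[kind])  # credential attribute, e.g. project_id

def enforce(rule, creds, target):
    tokens, pos = rule.split(), 0

    def factor():  # 'not' factor | check
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not factor()
        pos += 1
        return _check(tokens[pos - 1], creds, target)

    def term():  # factor ('and' factor)*
        nonlocal pos
        result = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            result = factor() and result  # always consume the next factor
        return result

    def expr():  # term ('or' term)*
        nonlocal pos
        result = term()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            result = term() or result
        return result

    return expr()

# The rule proposed in the thread, verbatim.
RULE = ("role:project_manager and project_id:%(project_id)s and not 'default':%(name)s"
        " or 'default':%(name)s and role:admin")
# Constructed credentials and targets (not real deployment data).
MANAGER = {"roles": ["project_manager", "member"], "project_id": "p1"}
ADMIN = {"roles": ["admin", "member"], "project_id": "p1"}
DEFAULT_SG = {"project_id": "p1", "name": "default"}
CUSTOM_SG = {"project_id": "p1", "name": "web"}
SG_RULE_TARGET = {"project_id": "p1", "security_group_id": "sg-1"}  # no 'name' field
```

Two results worth noting: an admin without the project_manager role is denied on non-default groups, and when the target has no `name` field the negated check passes, so the rule should be verified against the target fields neutron actually passes for this API.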