[Openstack-operators] Nova Floating IPs and policy.json

Scott Devoid devoid at anl.gov
Thu Jun 26 02:33:51 UTC 2014


Hi all, I am trying to configure my policy.json files so that only the
instance owner (user not project) can associate or disassociate the
floating IP. Users with the "admin" role and users with the "tenant_admin"
role in the same tenant should also be allowed. The following settings have
worked for other resources (instances, volumes, etc.) but don't work for
floating IPs.

...
    "context_is_admin":  "role:admin",
    "context_is_tenant_admin": "role:tenant_admin and
project_id:%(project_id)s",
    "admin_or_owner":  "is_admin:True or is_tenant_admin:True or
user_id:%(user_id)s",
...
    "network:associate_floating_ip": "rule:admin_or_owner",
    "network:disassociate_floating_ip": "rule:admin_or_owner",
...

With these settings, non-tenant_admins can still associate and
disassociate IPs for other users' instances. Is there another context
attribute that I should be setting for floating IPs?

Thanks,
~ Scott
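A small model of how rules like the ones above evaluate, added here as an example (it is not oslo.policy or Nova code; the credential and target attribute names it uses are assumptions, and which attributes a service really hands to the policy engine is exactly what decides the outcome). It shows that `user_id:%(user_id)s` can only deny a caller when the target carries the instance's user_id, that an `is_tenant_admin` credential only matters if something populates it, and that building the target from the caller's own ids makes every caller its own "owner".

```python
import re

# The rules from the post, joined onto single lines (policy.json wraps them).
POLICY = {
    "context_is_admin": "role:admin",
    "context_is_tenant_admin": "role:tenant_admin and project_id:%(project_id)s",
    "admin_or_owner": "is_admin:True or is_tenant_admin:True or user_id:%(user_id)s",
    "network:associate_floating_ip": "rule:admin_or_owner",
    "network:disassociate_floating_ip": "rule:admin_or_owner",
}

# Constructed sample callers (assumed creds shape; nothing here sets
# is_tenant_admin, mirroring a service that never populates it).
CALLERS = {
    "admin": {"roles": ["admin"], "is_admin": True, "user_id": "u-adm", "project_id": "p0"},
    "tenant_admin": {"roles": ["tenant_admin"], "is_admin": False, "user_id": "u-ta", "project_id": "p1"},
    "owner": {"roles": ["member"], "is_admin": False, "user_id": "u-own", "project_id": "p1"},
    "other_user": {"roles": ["member"], "is_admin": False, "user_id": "u-oth", "project_id": "p1"},
}

def _check(term, creds, target):
    """Evaluate one 'kind:value' term against creds and target."""
    kind, _, value = term.strip().partition(":")
    if kind == "rule":                      # named rule: recurse
        return enforce(value, creds, target)
    if kind == "role":                      # role membership
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:                                   # compare a creds attr to a target attr
        if m.group(1) not in target:
            return False                    # target lacks the attribute: deny
        value = target[m.group(1)]
    # literal or substituted comparison; an absent creds attribute never matches
    return kind in creds and str(creds[kind]) == str(value)

def enforce(rule, creds, target):
    """'or' binds looser than 'and', as in the policy language."""
    expr = POLICY.get(rule, rule)
    return any(all(_check(t, creds, target) for t in alt.split(" and "))
               for alt in expr.split(" or "))

def allowed_callers(action, target):
    """Names of the sample callers permitted to perform action on target."""
    return {n for n, c in CALLERS.items() if enforce(action, c, target)}

def allowed_when_target_is_caller(action):
    """Same check, but with the target built from each caller's own ids:
    the failure mode in which the owner check is always satisfied."""
    return {n for n, c in CALLERS.items()
            if enforce(action, c, {"user_id": c["user_id"], "project_id": c["project_id"]})}
```

Replacing `is_tenant_admin:True` with `rule:context_is_tenant_admin` would make the tenant_admin branch depend on attributes the engine is actually given (role and project_id), which is the kind of check that can be verified in the model before relying on it in production.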