[Openstack-operators] Nova Floating IPs and policy.json

Jay Pipes jaypipes at gmail.com
Thu Jun 26 18:41:52 UTC 2014


On 06/25/2014 10:33 PM, Scott Devoid wrote:
> Hi all, I am trying to configure my policy.json files so that only the
> instance owner (user not project) can associate or disassociate the
> floating IP. Users with the "admin" role and users with the
> "tenant_admin" role in the same tenant should also be allowed. The
> following settings have worked for other resources (instances, volumes,
> etc.) but don't work for floating IPs.
>
> ...
>      "context_is_admin":  "role:admin",
>      "context_is_tenant_admin": "role:tenant_admin and project_id:%(project_id)s",
>      "admin_or_owner":  "is_admin:True or is_tenant_admin:True or user_id:%(user_id)s",
> ...
>      "network:associate_floating_ip": "rule:admin_or_owner",
>      "network:disassociate_floating_ip": "rule:admin_or_owner",
> ...
>
> With these settings, non-tenant_admins can still associate and
> disassociate IPs for other users' instances. Is there another context
> attribute that I should be setting for floating IPs?

My suspicion is that for floating IPs, the "owner" is the project. 
Perhaps try adding a rule (if not there already) called 
"admin_or_project" and using that instead of admin_or_owner and seeing 
if that ruleset works instead. If it does, that means there is probably 
a bug in the floating IP code that views the owner as only the project, 
not the user.

Best,
-jay
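The outcome of a policy rule depends on the target dict Nova hands to the policy engine together with the rule. Below is a small evaluator for the quoted rules that makes this visible; it is an added example, not code from this thread or from oslo.policy. The "admin_or_project" rule text and the way is_admin/is_tenant_admin are derived from the context_* rules are assumptions.

```python
import re

# Rules copied from the quoted policy.json, plus an "admin_or_project" rule along the
# lines Jay suggests (exact text is an assumption: same admin checks, project_id instead of user_id).
POLICY = {
    "context_is_admin": "role:admin",
    "context_is_tenant_admin": "role:tenant_admin and project_id:%(project_id)s",
    "admin_or_owner": "is_admin:True or is_tenant_admin:True or user_id:%(user_id)s",
    "admin_or_project": "is_admin:True or is_tenant_admin:True or project_id:%(project_id)s",
    "network:associate_floating_ip": "rule:admin_or_owner",
}


def check(expr, creds, target, policy=POLICY):
    """Evaluate a rule string against caller credentials and a target dict.

    Subset of the policy language: 'or' binds loosest, then 'and'; leaves are
    role:X, rule:NAME, is_admin:True, is_tenant_admin:True and generic
    key:%(target_key)s or key:literal checks.  is_admin/is_tenant_admin are
    modelled by re-evaluating the context_* rules against the same target
    (a simplification; Nova computes is_admin once when the context is built).
    """
    if " or " in expr:
        return any(check(p, creds, target, policy) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, creds, target, policy) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "rule":
        return check(policy[value], creds, target, policy)
    if kind == "role":
        return value in creds.get("roles", ())
    if kind in ("is_admin", "is_tenant_admin"):
        return check(policy["context_" + kind], creds, target, policy) == (value == "True")
    m = re.fullmatch(r"%\((\w+)\)s", value)          # generic check with %(key)s substitution
    if m and m.group(1) not in target:               # key absent from target -> deny
        return False
    expected = target[m.group(1)] if m else value
    return kind in creds and str(creds[kind]) == str(expected)


# Constructed sample data: alice owns an instance in project P1; bob is a plain
# member of P1; carol is a plain member of another project P2.
ALICE = {"user_id": "alice", "project_id": "P1", "roles": ["member"]}
BOB = {"user_id": "bob", "project_id": "P1", "roles": ["member"]}
CAROL = {"user_id": "carol", "project_id": "P2", "roles": ["member"]}
INSTANCE_TARGET = {"user_id": "alice", "project_id": "P1"}   # owner = user and project
PROJECT_TARGET = {"project_id": "P1"}                        # owner = project only


def can_associate(creds, target, rule="rule:admin_or_owner"):
    """True if the caller passes the given rule for the given target."""
    return check(rule, creds, target)
```

With a project-only target the user_id check can never match, and with a target built from the caller's own context it always matches, which is the symptom in the question; the project-based rule gives the same-tenant result for both.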


