[Openstack-operators] Modification in nova policy file

Joseph Bajin josephbajin at gmail.com
Wed May 6 14:12:34 UTC 2015


The Policy file is not a filtering agent. It basically just provides ACL
type of abilities.

"Can you do this action?  True/False"
"Do you have the right permissions to call this action? True/False"

If you wanted to pull back just the instances that the user owns, then you
would actually have to write some code that would call that particular
filtering action.



On Tue, May 5, 2015 at 11:01 AM, Salman Toor <salman.toor at it.uu.se> wrote:

>  Hi,
>
>
>  I am trying to set up the policies for nova. Can you please have a look
> if that's correct?
>
>
>  nova/policy.json
> ————————————————————————————————
> "context_is_admin":  "role:admin",
> "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
> "owner":  "user_id:%(user_id)s",
> "admin_or_user": "is_admin:True or user_id:%(user_id)s",
> "default": "rule:admin_or_owner",
>
>  "compute:get_all": "rule:admin_or_user",
>  ————————————————————————————————
>
>  I want users to only see their own instances, not the instances of all
> the users in the same tenant.
>
>  I have restarted the nova-api service on controller, but no effect. I
> have noticed that if I put "rule:context_is_admin" in "compute:get_all"
> then except "admin" no one can see anything so system is reading the file
> correctly.
>
>  Important:
>
>  1 - I haven't changed the /etc/openstack-dashboard/nova_policy.json
>
>  2 - I have only used the command line client tool to confirm the
> behaviour.
>
>  I am running Juno release.
>
>  Please point to some document that discusses all the policy parameters.
>
>  Thanks in advance.
>
>  /Salman
>
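Added example, not part of the original thread and not nova's own code: a simplified Python model of how the rules quoted above are evaluated, showing that `compute:get_all` yields a single True/False for the whole call and that per-user filtering has to be separate code. The instance data, the `own_only` flag and the assumption that the list call's target is built from the caller's own ids are illustrative.

```python
# Simplified model of policy-rule evaluation (illustrative, not nova's code).
RULES = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "owner": "user_id:%(user_id)s",
    "admin_or_user": "is_admin:True or user_id:%(user_id)s",
    "default": "rule:admin_or_owner",
    "compute:get_all": "rule:admin_or_user",
}

def check(expr, target, creds):
    """Evaluate an 'a or b' expression of kind:match checks to True/False."""
    return any(_check_one(p.strip(), target, creds) for p in expr.split(" or "))

def _check_one(part, target, creds):
    kind, match = part.split(":", 1)
    if kind == "rule":                      # reference to another named rule
        return check(RULES[match], target, creds)
    if kind == "role":                      # caller must hold this role
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        expected = match % target           # fill %(user_id)s from the target
    except KeyError:
        return False
    return str(creds.get(kind)) == expected # compare with the caller's value

def enforce(action, target, creds):
    return check(RULES.get(action, RULES["default"]), target, creds)

# Constructed sample data: two users sharing one project.
INSTANCES = [
    {"name": "vm-a", "user_id": "alice", "project_id": "p1"},
    {"name": "vm-b", "user_id": "bob", "project_id": "p1"},
]

def list_instances(creds, own_only=False):
    # Assumption: the list call is checked once, with a target built from
    # the caller, so user_id:%(user_id)s compares the caller with itself.
    target = {"user_id": creds["user_id"], "project_id": creds["project_id"]}
    if not enforce("compute:get_all", target, creds):
        raise PermissionError("compute:get_all denied")
    rows = [i for i in INSTANCES if i["project_id"] == creds["project_id"]]
    if own_only:                            # hypothetical flag: the filter step
        rows = [i for i in rows if i["user_id"] == creds["user_id"]]
    return [i["name"] for i in rows]

ALICE = {"user_id": "alice", "project_id": "p1",
         "roles": ["member"], "is_admin": False}
```

The policy check passes for Alice and the unfiltered list still contains Bob's instance; only the explicit `own_only` filter narrows the result.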