[Openstack-operators] Nova 2.1 and user permissions in the policy file

Sean Dague sean at dague.net
Tue May 24 13:01:59 UTC 2016

On 05/23/2016 11:56 AM, Tim Bell wrote:
> On 23/05/16 17:02, "Sean Dague" <sean at dague.net> wrote:
>> On 05/23/2016 10:24 AM, Tim Bell wrote:
>>> Quick warning for those who are dependent on the "user_id:%(user_id)s"
>>> syntax for limiting actions by user. According to 
>>> https://bugs.launchpad.net/nova/+bug/1539351, this behavior was
>>> apparently not intended according to the bug report feedback. The
>>> behavior has changed from v2 to v2.1 and the old syntax no longer works.
>> Well, the behavior changes with the backend code base. By mitaka the
>> default backend code for both is the same. And the legacy code base is
>> about to be removed.
>> This feature (policy enforcement by user_id) was 100% untested, which is
>> why it never ended up in the new API stack. Being untested setting
>> owner: 'user_id: %(user_id)s' might have some really unexpected results
>> because not everything has a user_id.
> There are several hints given in the documentation regarding this sort of feature. 
> Examples are such as http://docs.openstack.org/developer/oslo.policy/api.html and http://docs.openstack.org/mitaka/config-reference/policy-json-file.html#examples

Ok, follow on question.

Is the concern that within a large tenant you do not want user A to
accidentally reboot user B's server? Would the "lock" construct be
sufficient here for users that have servers in critical states?

Are all the failure domains these kinds of failures? Or what is the
detailed list of bad interactions that you are concerned about.


Sean Dague

More information about the OpenStack-operators mailing list