[Openstack-operators] Nova 2.1 and user permissions in the policy file

Sean Dague sean at dague.net
Wed May 25 15:36:28 UTC 2016

On 05/23/2016 10:24 AM, Tim Bell wrote:
> Quick warning for those who are dependent on the "user_id:%(user_id)s"
> syntax for limiting actions by user. According to 
> https://bugs.launchpad.net/nova/+bug/1539351, this behavior was
> apparently not intended according to the bug report feedback. The
> behavior has changed from v2 to v2.1 and the old syntax no longer works.
> There can be security implications also so I’d recommend those using
> this current v2 feature to review the bug to understand the potential
> impacts as clouds enable v2.1.

The Nova team is currently lacking information about the minimum number
of user_id-supporting policy points that are needed, because supporting
user_id everywhere is definitely not going to be an option.

We really need very detailed lists of which actions are required, and
why. And for all server actions why the "lock" action is not sufficient. And
we need all of that by N1, which is in a week. With that we can evaluate
what can be added to the API stack. Especially because this all needs
tests so it doesn't regress. So if we can keep it at a small number of
operations, it is way more likely to happen. If this grows to
"everything", it definitely won't.

It would honestly be great if people affected by this could also
prioritize top to bottom what operations are most important. Detailed
use case and priority is really needed to figure out what can be done.


Sean Dague
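The question underneath this thread is what a rule like "user_id:%(user_id)s" actually compares. The following is an added illustration, not code from Nova, oslo.policy or anyone in the thread: a minimal evaluator for that rule form, assuming a grammar of "key:value" terms joined by " or ", with a "%(attr)s" value substituted from the target dict the API hands to the policy engine for the object being acted on. The with_caller_target scenario is an assumed case showing why such a rule only restricts when the target describes the instance, not a statement of the bug's exact mechanism.

```python
def term_matches(term, creds, target):
    """Evaluate one 'key:value' term of a policy rule.
    A '%(name)s' value is substituted from the target before comparing."""
    key, _, value = term.partition(":")
    if value.startswith("%(") and value.endswith(")s"):
        attr = value[2:-2]
        if attr not in target:
            return False                      # nothing to compare against: deny
        value = target[attr]
    if key == "role":
        return value in creds.get("roles", [])
    return str(creds.get(key)) == str(value)


def enforce(policy, action, creds, target):
    """Allow if any ' or '-separated term of the rule matches ('' = always allowed)."""
    rule = policy.get(action, "")
    if not rule:
        return True
    return any(term_matches(t.strip(), creds, target) for t in rule.split(" or "))


# Constructed policy: only an admin or the owning user may stop a server.
POLICY = {"compute:stop": "role:admin or user_id:%(user_id)s"}

# Constructed identities and one server owned by alice.
ALICE = {"user_id": "alice", "project_id": "p1", "roles": ["member"]}
BOB = {"user_id": "bob", "project_id": "p1", "roles": ["member"]}
INSTANCE = {"user_id": "alice", "project_id": "p1"}


def with_instance_target():
    """Target describes the server: the rule restricts the action to its owner."""
    return (enforce(POLICY, "compute:stop", ALICE, INSTANCE),
            enforce(POLICY, "compute:stop", BOB, INSTANCE))


def with_caller_target():
    """Assumed scenario: the target is the caller's own identity, not the server.
    %(user_id)s then expands to the caller's id, so every caller matches itself."""
    return (enforce(POLICY, "compute:stop", ALICE, {"user_id": ALICE["user_id"]}),
            enforce(POLICY, "compute:stop", BOB, {"user_id": BOB["user_id"]}))


if __name__ == "__main__":
    print(with_instance_target())  # (True, False)
    print(with_caller_target())    # (True, True)
```

A per-user rule is therefore only as good as the target the API passes, which is what to verify when reviewing such rules against a new API version.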
