[Openstack-operators] User_id Based Policy Enforcement
Hamza Achi
h16mara at gmail.com
Sun Jan 15 07:44:31 UTC 2017
Hello,
According to this Nova-spec of the Newton release [1], the user_id:%(user_id)s
syntax should work to constrain some operations to user_id instead of
project_id, like deleting and rebuilding VMs.
But it is not working: users within the same project can delete,
rebuild... the VMs of each other. I added these rules in
/etc/nova/policy.json (I used the devstack stable/newton branch):
{
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "compute:delete": "rule:admin_or_owner",
    "compute:resize": "rule:admin_or_owner",
    "compute:rebuild": "rule:admin_or_owner",
    "compute:reboot": "rule:admin_or_owner",
    "compute:start": "rule:admin_or_owner",
    "compute:stop": "rule:admin_or_owner"
}
Can you please point out what I am missing?
Thank you,
Hamza
[1] https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html
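To make the mechanics of the rules above concrete, here is an added, self-contained evaluator for the subset of the policy language they use (rule:, role:, and generic key:%(attr)s checks joined by "or"/"and"). It is a simplified reimplementation written for this post, not oslo.policy or Nova code, and the credential and target dicts are constructed samples. It shows that the owner rule can only distinguish users when the target the API enforces against actually carries the instance's user_id; a target that carries only project_id makes the owner check fail for everyone and leaves only the admin path.

```python
import json

# Constructed sample: the rule set added to /etc/nova/policy.json in the post (subset).
POLICY_JSON = """{
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "compute:delete": "rule:admin_or_owner"
}"""
RULES = json.loads(POLICY_JSON)


def _check(atom, creds, target, rules):
    """Evaluate one atomic check: rule:<name>, role:<name>, or generic <key>:<value>."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(match, creds, target, rules)
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    # Generic check: the value may reference the enforcement target via %(attr)s.
    if "%(" in match:
        try:
            match = match % target
        except KeyError:
            return False  # target lacks the attribute, so the check can never match
    return str(creds.get(kind)) == match


def evaluate(expr, creds, target, rules):
    """'or' binds loosest, 'and' tighter; parentheses and 'not' are not handled."""
    return any(all(_check(a.strip(), creds, target, rules) for a in conj.split(" and "))
               for conj in expr.split(" or "))


def enforce(rule_name, creds, target, rules=RULES):
    """Return True if the named rule allows the caller (creds) on the target."""
    return evaluate(rules[rule_name], creds, target, rules)


# Constructed credentials: two members of the same project and one admin.
ALICE = {"user_id": "alice", "project_id": "p1", "roles": ["member"], "is_admin": False}
BOB = {"user_id": "bob", "project_id": "p1", "roles": ["member"], "is_admin": False}
ADMIN = {"user_id": "root", "project_id": "p1", "roles": ["admin"], "is_admin": True}

# Constructed targets: an instance owned by alice, with and without user_id exposed.
TARGET_WITH_USER = {"project_id": "p1", "user_id": "alice"}
TARGET_PROJECT_ONLY = {"project_id": "p1"}

if __name__ == "__main__":
    for who in (ALICE, BOB, ADMIN):
        print(who["user_id"], enforce("compute:delete", who, TARGET_WITH_USER),
              enforce("compute:delete", who, TARGET_PROJECT_ONLY))
```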