[Openstack-operators] User_id Based Policy Enforcement

Hamza Achi h16mara at gmail.com
Sun Jan 15 07:44:31 UTC 2017


Hello,

According to this Nova-spec of Newton release [1], user_id:%(user_id)s
syntax should work to constrain some operations to user_id instead of
project_id. Like deleting and rebuilding VMs.

But it is not working, users within the same project can delete,
rebuild......the VMs of each other. i added these rules in
/etc/nova/policy.json (i used devstack stable/newton branch):

    "admin_required": "role:admin or is_admin:1",
    "owner" : "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "compute:delete": "rule:admin_or_owner",
    "compute:resize": "rule:admin_or_owner",
    "compute:rebuild": "rule:admin_or_owner",
    "compute:reboot": "rule:admin_or_owner",
    "compute:start": "rule:admin_or_owner",
    "compute:stop": "rule:admin_or_owner"


Can you please point out what i am missing ?

Thank you,
Hamza


[1]
https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20170115/48f73b35/attachment.html>


More information about the OpenStack-operators mailing list