[Openstack-operators] User_id Based Policy Enforcement

Hamza Achi h16mara at gmail.com
Mon Jan 16 09:14:23 UTC 2017


Dear Jerome and Massimo,

Thank you both for your responses.
I thought this feature is already implemented because its blueprint states
so:
https://blueprints.launchpad.net/nova/+spec/user-id-based-policy-enforcement

Regards,
Hamza


On 16 January 2017 at 08:26, Jerome Pansanel <jerome.pansanel at iphc.cnrs.fr>
wrote:

> Dear Hamza,
>
> You may contact the primary assignee to get the status of this feature:
> https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html
>
> Best regards,
>
> Jerome Pansanel
>
> On 15/01/2017 at 08:44, Hamza Achi wrote:
> > Hello,
> >
> > According to this Nova-spec of Newton release [1], user_id:%(user_id)s
> > syntax should work to constrain some operations to user_id instead of
> > project_id, like deleting and rebuilding VMs.
> >
> > But it is not working: users within the same project can delete,
> > rebuild... the VMs of each other. I added these rules in
> > /etc/nova/policy.json (I used devstack stable/newton branch):
> >
> >     "admin_required": "role:admin or is_admin:1",
> >     "owner" : "user_id:%(user_id)s",
> >     "admin_or_owner": "rule:admin_required or rule:owner",
> >     "compute:delete": "rule:admin_or_owner",
> >     "compute:resize": "rule:admin_or_owner",
> >     "compute:rebuild": "rule:admin_or_owner",
> >     "compute:reboot": "rule:admin_or_owner",
> >     "compute:start": "rule:admin_or_owner",
> >     "compute:stop": "rule:admin_or_owner"
> >
> >
> > Can you please point out what I am missing?
> >
> > Thank you,
> > Hamza
> >
> >
> > [1] https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html
> >
> >
> > _______________________________________________
> > OpenStack-operators mailing list
> > OpenStack-operators at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> >
>
>
> --
> Jerome Pansanel, PhD
> Technical Director at France Grilles
> Grid & Cloud Computing Operations Manager at IPHC
> IPHC                        ||  GSM: +33 (0)6 25 19 24 43
> 23 rue du Loess, BP 28      ||  Tel: +33 (0)3 88 10 66 24
> F-67037 STRASBOURG Cedex 2  ||  Fax: +33 (0)3 88 10 62 34
>
>