IIRC glance uses owner instead of project_id as the field in various places representing the tenant that owns the object. Perhaps you might try “project_id:%(owner)s”

Vish

On May 2, 2014, at 7:21 AM, Michael Hearn <mrhearn at gmail.com> wrote:

> Having played with the policies and rules within glance's policy.json file I have not had any success using the rule, "project_id:%(project_id)" to restrict api usage.
> Without changing user/role/tenant I have had success using "project_id:%(project_id)" with cinder.
> I cannot find anything to suggest glance's policy engine cannot parse the rule but would like confirmation.
> Can anyone verify this?
>
> This is using icehouse, glance 0.12.0
>
> ~Mike
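Added example, not part of the original thread and not glance or oslo code: a simplified model of how a `kind:match` policy rule is evaluated, assuming the match side is %-formatted against the target object's fields and a missing field means deny. The function names and the sample image, volume and credential dictionaries are constructed for illustration.

```python
# Simplified model of a "kind:match" policy check (assumption: this mirrors the
# general approach, it is not the glance or oslo implementation).

def generic_check(rule, target, creds):
    """Evaluate one rule such as 'project_id:%(owner)s'.

    kind  -> key looked up in the caller's credentials
    match -> template filled in from the object being accessed (the target)
    """
    kind, match = rule.split(":", 1)
    try:
        expected = match % target   # substitute fields of the target object
    except KeyError:
        return False                # target has no such field: rule can never pass
    return kind in creds and str(creds[kind]) == expected


def evaluate(rule, targets, creds):
    """Return {object id: allowed?} for one rule over several targets."""
    return {t["id"]: generic_check(rule, t, creds) for t in targets}


# Constructed sample data: the caller belongs to tenant-a.
CREDS = {"project_id": "tenant-a", "roles": ["member"]}

# Image-like targets carry the owning tenant in 'owner' (per the reply above).
IMAGES = [
    {"id": "img-own", "owner": "tenant-a"},
    {"id": "img-other", "owner": "tenant-b"},
]

# Volume-like target carries the owning tenant in 'project_id'.
VOLUMES = [{"id": "vol-own", "project_id": "tenant-a"}]

if __name__ == "__main__":
    for rule, targets in [
        ("project_id:%(project_id)s", VOLUMES),  # field exists: works
        ("project_id:%(project_id)s", IMAGES),   # field missing: always denied
        ("project_id:%(owner)s", IMAGES),        # scoped to the owning tenant
    ]:
        print(rule, evaluate(rule, targets, CREDS))
```

A rule that references a field the target does not carry fails closed for every caller, which looks the same from the outside as a rule that is being ignored.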