[Openstack] Restricting volume attachment using policies
Tobias Urdin
tobias.urdin at crystone.com
Mon Feb 20 10:39:04 UTC 2017
On 02/20/2017 11:17 AM, Markus Hentsch wrote:
> On 20.02.2017 at 10:01, Vincent Gatignol wrote:
>> On 20/02/2017 at 09:20, Markus Hentsch wrote:
>>> Hello,
>>>
>>> I'm running a Newton setup where I'm trying to restrict the volume
>>> attachment actions using Nova's policy file.
>>>
>>> I want to check for both the VM ownership as well as the volume
>>> ownership, so that users should be unable to attach volumes if they
>>> aren't the owner of both the VM and the volume.
>>>
>> This is related to https://bugs.launchpad.net/nova/+bug/1539351
>> Openstack policies are mapped at the tenant/project level, not user
>>
>> Regards,
>> Vincent
> Dear Vincent,
>
> thanks for clarifying this!
>
>
> Kind regards,
>
> Markus Hentsch
> Cloud&Heat Technologies
AFAIK the use of user_id was merged back in until Keystone has the support.
See this spec that was merged in Newton.
http://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html
https://review.openstack.org/#/q/topic:bp/user_id_based_policy_enforcement,n,z