Unable to disable volume-snapshots via Nova policy.json

asked 2016-12-16 13:40:33 -0500

thel1zardking

I have yet to successfully disable volume snapshots via Nova's policy.json. I have attempted to edit the following two lines via "deny" and "allow" rules; however, this seems to have no impact on my OpenStack environment (IceHouse 2014.1.1). I can control this via quotas but would prefer to control this function via policy if at all possible. Any information would be greatly appreciated.

"compute:volume_snapshot_create": "rule:<rule>",
"compute:volume_snapshot_delete": "rule:<rule>",


Volumes are managed by Cinder, not Nova. Use /etc/cinder/policy.json. If possible, use a more recent release of OpenStack.

Bernd Bausch (2016-12-18 08:42:34 -0500)

Unfortunately I am stuck on IceHouse for a little while longer as my users transition to our new environment. I have examined the Cinder policy; however, I am fairly certain it is controlled by Nova. The command I am looking to prevent is nova volume-snapshot-create.

thel1zardking (2016-12-19 09:50:45 -0500)

The URL below led me to the values mentioned above; however, I cannot seem to get Nova to honor my rules.


thel1zardking (2016-12-19 09:51:54 -0500)

It's true that I wouldn't know which entry in the Icehouse Cinder policy.json is relevant. To disable snapshots in Newton, it would be "volume:create_snapshot": "!" What exactly is your rule?

Bernd Bausch (2016-12-19 18:29:53 -0500)

In any case, nova volume-snapshot-create is a proxy API, meaning that Nova passes it on to Cinder. Nova hasn't managed volumes since prehistoric times (probably Folsom).

Bernd Bausch (2016-12-19 18:31:57 -0500)

1 answer


answered 2016-12-23 12:57:12 -0500

thel1zardking

Bernd Bausch, thanks for your help. I needed to write the rule a little differently in /etc/cinder/policy.json but it did the trick!

"volume:create_snapshot": [["!"]],
"volume:delete_snapshot": [["!"]],


Just because I like to have the last word: There are two syntax versions for policy.json, the older based on JavaScript arrays, the newer closer to natural language and easier to read and write. My code snippet is the newer syntax, perhaps not yet supported in Icehouse.

Bernd Bausch (2016-12-26 03:00:54 -0500)

Anyway, glad you solved your problem.

Bernd Bausch (2016-12-26 03:01:27 -0500)
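
An added example, not part of the original thread: a Python check that reads a policy.json and reports whether the two Cinder snapshot targets from the answer are unconditionally denied, accepting both the list syntax (`[["!"]]`) and the string syntax (`"!"`). It assumes the policy engine's list semantics (outer list OR-ed, inner list AND-ed, empty list always passes); the function names and the sample policy are constructed for illustration.

```python
import json

# Policy targets from the answer above (Cinder, not Nova).
SNAPSHOT_TARGETS = ("volume:create_snapshot", "volume:delete_snapshot")


def is_deny_all(rule):
    """Return True only if the rule can never pass, in either syntax."""
    if isinstance(rule, str):
        # String syntax: "!" always fails; "" always passes.
        return rule.strip() == "!"
    if isinstance(rule, list):
        if not rule:
            return False  # [] is an empty rule, which always passes
        for alternative in rule:  # outer list: alternatives are OR-ed
            if isinstance(alternative, str):
                alternative = [alternative]  # bare string = single check
            if not alternative:
                continue  # empty inner lists are skipped (assumed)
            if "!" not in alternative:  # inner list: checks are AND-ed
                return False  # this alternative might pass
        return True
    return False


def audit_snapshot_policy(policy_text, targets=SNAPSHOT_TARGETS):
    """Map each target to 'denied', 'not denied' or 'missing'."""
    policy = json.loads(policy_text)
    report = {}
    for target in targets:
        if target not in policy:
            report[target] = "missing"  # no explicit entry for this target
        else:
            denied = is_deny_all(policy[target])
            report[target] = "denied" if denied else "not denied"
    return report


# Constructed sample, not a real deployment's policy.json.
SAMPLE_POLICY = """{
    "admin_api": [["role:admin"]],
    "volume:create": [],
    "volume:create_snapshot": [["!"]],
    "volume:delete_snapshot": [["rule:admin_api"]]
}"""

if __name__ == "__main__":
    for target, status in audit_snapshot_policy(SAMPLE_POLICY).items():
        print(f"{target}: {status}")
```

A rule the check cannot prove to be always false is reported as "not denied", so a more complex expression errs toward being flagged for review.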

Asked: 2016-12-16 13:40:33 -0500

Seen: 147 times

Last updated: Dec 23 '16