Can't find /etc/nova/policy.json

asked 2017-02-09 03:34:34 -0500

vgeorga

updated 2017-02-09 03:36:02 -0500

I installed DevStack on a 16.04 Ubuntu Server and I want to create rules regarding instance management. For example:

  • I want only admin user to be able to create an instance in any given project.
  • Users of a certain project to be able only to start and shutdown an instance and nothing more than that.

So after reading the OpenStack article about policies, I thought that the way to achieve this was to alter the /etc/nova/policy.json file, but to my surprise there wasn't any policy file in /etc/nova. So I decided to create my sample policy.json file and populate it with the line given below:

{ "compute:create": "role:admin" }

I used the policy in order to try and achieve my first goal (only admin create instances), but creating the file had no effect on the behavior of the system.

Is nova policy deprecated? How can I make these rules apply to my system?

Thank you for your time.

answered 2017-02-09 04:39:41 -0500

updated 2017-02-09 04:42:49 -0500

If this is Newton, Nova's policies are built into the code, and no policy.json is deployed. If you are happy with the default policies, you don't need policy.json. If you need non-default policies, just create a policy.json like you did. Perhaps your rule has an incorrect key compute:create.

You can generate the default rules list with oslopolicy-policy-generator --namespace nova. This will also give you the correct key. See

Thank you very much!!!

vgeorga (2017-02-09 05:07:25 -0500)

Correct, syntax of the policy was wrong. But now that I created the policy.json file in /etc/nova, I get this warning when I issue the oslopolicy-policy-generator --namespace nova command: WARNING:oslo_policy.policy:Policies [u'os_compute_api:servers:create'] reference a rule that is not defined. ??

vgeorga (2017-02-09 05:30:50 -0500)

I think you need to remove the curly braces { and }

Bernd Bausch (2017-02-09 05:42:09 -0500)

I removed { } but I still get the same warning. By the way, in case it's important, I use DevStack and I'm wondering maybe I need to change this before I build with ./ I'm assuming of course..

vgeorga (2017-02-09 05:59:57 -0500)

I have a master devstack and don't get this error. The local.conf doesn't contain any option regarding this. Are you sure there is no typo, some non-printable character or so?

The error message seems to indicate that role:admin is somehow wrong.

Bernd Bausch (2017-02-09 06:06:56 -0500)
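An added example, not part of the thread and not OpenStack's own code: a standalone Python check for the two mistakes discussed above, an override key that matches no known rule name (so the restriction is never enforced) and a check string that references an undefined rule. KNOWN_DEFAULTS is a constructed stand-in for the names printed by oslopolicy-policy-generator --namespace nova, the function name check_policy is hypothetical, and only the JSON form of the file is handled.

```python
import json
import re

# Constructed stand-in for the names printed by
# `oslopolicy-policy-generator --namespace nova`; load the real list in practice.
KNOWN_DEFAULTS = {
    "context_is_admin", "admin_or_owner", "admin_api",
    "os_compute_api:servers:create",
    "os_compute_api:servers:start",
    "os_compute_api:servers:stop",
}

# Matches references such as "rule:admin_or_owner" inside a check string.
RULE_REF = re.compile(r"\brule:([\w:.\-]+)")


def check_policy(text, known=KNOWN_DEFAULTS):
    """Return (level, message) findings for a JSON policy override file."""
    try:
        rules = json.loads(text)
    except ValueError as exc:
        return [("error", "not valid JSON: %s" % exc)]
    if not isinstance(rules, dict):
        return [("error", "top level must be an object of name: check")]
    refs = {name: RULE_REF.findall(str(check)) for name, check in rules.items()}
    referenced = {r for found in refs.values() for r in found}
    findings = []
    for name in rules:
        # An override only takes effect if the service checks that name,
        # or if another rule pulls it in through "rule:<name>".
        if name not in known and name not in referenced:
            findings.append(("warn", "unknown rule name: %s" % name))
        for ref in refs[name]:
            if ref not in known and ref not in rules:
                findings.append(
                    ("error", "%s references undefined rule %s" % (name, ref)))
    return findings


if __name__ == "__main__":
    samples = [
        '{ "compute:create": "role:admin" }',                      # file from the question
        '{ "os_compute_api:servers:create": "role:admin" }',       # key named in the warning
        '{ "os_compute_api:servers:create": "rule:admin_only" }',  # constructed: dangling ref
    ]
    for s in samples:
        print(s, "->", check_policy(s) or "ok")
```

Running a check like this before restarting the service catches an override that would otherwise be silently ignored, leaving the default authorization in force.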

