limit instance administration via policy.json

asked 2017-07-17 12:31:45 -0600

jamesopst

updated 2017-07-17 16:17:30 -0600

I would like to limit what users can do to instances created by other users in the Project.

For example, if User1 creates an instance, User2 should not have the rights to reboot it. I understand I need to use policy.json for this. I have tried a number of methods:

"os_compute_api:servers:reboot": "user_id:%(user_id)s",

"os_compute_api:servers:reboot": "user_id:%(target.user.id)s",

"os_compute_api:servers:reboot": "user_id:%(target.credential.user_id)s",

I was able to get what I needed by giving User1 and User2 different roles in the Project. But that doesn't help when User3 is added to the scenario.

"os_compute_api:servers:reboot": "role:User1_Role",

Please advise; I must be missing something. I am using a 3-server RDO Newton environment.

A second quick question: can I limit the instances that User2 can see in Horizon, so that User2 can only see the instances s/he has created or owns and not even see User1/3's instances?

Thanks
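To make the rule strings in the question concrete, here is an added example (not part of the original post, and not oslo.policy's or Nova's own code): a simplified model of how a `key:%(target_key)s` check and a `role:` check are evaluated. The user ids, the role `User2_Role`, and both target dictionaries are assumptions; the page does not say which target a given Nova release passes to the policy engine, so both cases are shown.

```python
# Simplified model of a policy.json rule check; not oslo.policy itself.
# Supported forms: "role:<name>" and "<cred_key>:%(<target_key>)s".

def check(rule, creds, target):
    """Return True if creds satisfy rule against target."""
    kind, _, match = rule.partition(":")
    if kind == "role":
        # A role check looks only at the caller, never at the target.
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    try:
        expected = match % target      # substitute %(key)s from the target
    except KeyError:
        return False                   # target has no such key: deny
    return kind in creds and str(creds[kind]) == expected


# Constructed sample data (hypothetical ids and role names).
USER1 = {"user_id": "u1", "project_id": "p1", "roles": ["User1_Role"]}
USER2 = {"user_id": "u2", "project_id": "p1", "roles": ["User2_Role"]}
USER3 = {"user_id": "u3", "project_id": "p1", "roles": ["User2_Role"]}

# Assumption A: the target describes the instance, which User1 owns.
INSTANCE_TARGET = {"user_id": "u1", "project_id": "p1"}


def caller_target(creds):
    # Assumption B: the target is filled from the caller's own token.
    return {"user_id": creds["user_id"], "project_id": creds["project_id"]}


def decisions(rule, target_for):
    """Map each user to allow/deny for a rule; target_for(creds) -> target."""
    users = {"User1": USER1, "User2": USER2, "User3": USER3}
    return {name: check(rule, c, target_for(c)) for name, c in users.items()}


if __name__ == "__main__":
    for rule in ("user_id:%(user_id)s", "user_id:%(target.user.id)s",
                 "user_id:%(target.credential.user_id)s", "role:User1_Role"):
        print(rule, decisions(rule, lambda c: INSTANCE_TARGET))
    print("caller-filled target", decisions("user_id:%(user_id)s", caller_target))
```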


Comments

Sorry for commenting without providing a clue, but if you want to separate users from each other that strictly, why don't you put them in different projects?

Bernd Bausch ( 2017-07-17 20:51:32 -0600 )

Adjust roles, users and policy.json accordingly. You should be able to do this.

hr858f ( 2017-07-18 09:17:11 -0600 )

I'm with Bernd on this one - that's what separate projects are for. You appear to be trying to go about this the hard way.

rbowen ( 2017-07-19 15:49:01 -0600 )

Thanks, gentlemen. I had also thought about using different projects. The only thing is, I know that my management will then want a different project for each single user, which also seems to be the wrong way to do this, but I can go that route.

jamesopst ( 2017-07-20 14:03:42 -0600 )

hr858f, can you explain a little bit about what you meant by "adjusting roles"? Say, if I have 3 users, do I create 3 roles? Thanks.

jamesopst ( 2017-07-20 14:07:53 -0600 )