Prevent users of the same project from deleting each other's instances

asked 2018-08-09 03:24:43 -0600

Robby

Hello everyone, is there a way to prevent users in the same project from deleting each other's instances? I mean the user who created the instance should be able to delete his instance, and admin too (not only admin), but no one else.

To be more clear: if there are 5 users in a project "Project1" and they have created 5 instances from the dashboard, each owned by one user, then by default, even if the users do not have access to each other's instances, they can still delete each other's instances from the dashboard.

1 answer


answered 2018-08-09 05:56:07 -0600

Interesting question. I have a Newton cloud where I added the following to /etc/nova/policy.json. It had the intended effect:

"os_compute_api:servers:delete": "is_admin:True or user_id:%(user_id)s"

Note, however, that this rule will be effective for all projects. It might be possible to tweak it so that it only affects a given project, perhaps something like this:

"os_compute_api:servers:delete": "is_admin:True or (project_id:ID_OF_PROJECT1 and user_id:%(user_id)s) or (not project_id:ID_OF_PROJECT1 and project_id:%(project_id)s)"
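Added example, not part of the original answer and not OpenStack code: a simplified Python model of how the `kind:match` checks in the rule above compare the caller's credentials with the target instance, run over constructed users. `evaluate`, `may_delete`, the sample users and the project-scoped baseline rule are assumptions for illustration; real enforcement is done by nova through oslo.policy.

```python
import re

# A token is "(", ")" or a word; "%(name)s" placeholders stay inside the word.
TOKEN = re.compile(r"\(|\)|(?:%\(\w+\)s|[^\s()])+")

def evaluate(rule, creds, target):
    """Simplified model of a policy rule: or / and / not / (...) / kind:match."""
    toks, pos = TOKEN.findall(rule), 0

    def peek():
        return toks[pos].lower() if pos < len(toks) else None
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def chain(word, operand, combine):  # left-associative "a <word> b <word> c"
        val = operand()
        while peek() == word:
            take()
            val = combine(val, operand())
        return val
    def unary():
        if peek() == "not":
            take()
            return not unary()
        if peek() == "(":
            take()
            val = expr()
            take()  # closing ")"
            return val
        kind, match = take().split(":", 1)
        # The caller's attribute must equal the pattern filled in from the target.
        return str(creds.get(kind)) == match % target
    def expr():  # "and" binds tighter than "or"
        return chain("or", lambda: chain("and", unary, lambda a, b: a and b),
                     lambda a, b: a or b)
    return expr()

OWNER_RULE = "is_admin:True or user_id:%(user_id)s"          # rule from the answer
PROJECT_RULE = "is_admin:True or project_id:%(project_id)s"  # assumed baseline
# Constructed sample callers as (user_id, project_id, is_admin), and one instance.
CALLERS = [("alice", "p1", False), ("bob", "p1", False), ("root", "adm", True)]
ALICE_VM = {"user_id": "alice", "project_id": "p1"}

def may_delete(rule, target=ALICE_VM):
    """Return the user_ids from CALLERS that the rule lets delete the target."""
    keys = ("user_id", "project_id", "is_admin")
    return [c[0] for c in CALLERS if evaluate(rule, dict(zip(keys, c)), target)]
```

Under the project-scoped baseline, bob can delete alice's instance because only the project ID is compared; under the owner rule only alice and the admin pass.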

Comments

Thanks a ton Bernd Bausch, it's working now... I was actually trying with admin_or_owner; that never worked.

Robby (2018-08-09 08:09:12 -0600)

I am also trying to give access to the user who created the instance with his username, not with an SSH key. I am curious if you can help or give a link on how to get the user info and write a startup script. Once again, thanks a lot for your time :-)

Robby (2018-08-09 08:12:33 -0600)

user-data is the way to add a user, specifically cloud-config as documented here. See also https://docs.openstack.org/ocata/user....

Bernd Bausch (2018-08-09 08:41:07 -0600)

Thanks for your time. What exactly I am looking for is to get the %(user_id) information. How can I get that information so that I can apply it in a startup script? How can I get access to the owner or creator of the instance automatically?

Robby (2018-08-13 05:25:08 -0600)

While I don't understand why the instance needs the user ID, I am afraid you need to find your own mechanism to pass that information to the instance. Metadata doesn't seem to include the user ID.

Bernd Bausch (2018-08-13 19:58:27 -0600)

Stats

Asked: 2018-08-09 03:24:43 -0600

Seen: 51 times

Last updated: Aug 09