Restricting policy by operation

asked 2019-08-23 16:47:11 -0500

Tom King gravatar image

Some of the various policies don't stipulate the operation (GET, POST, PUT). For our immediate purpose, we are trying to create an auditor role that does GETs only so it can check services running.

In the nova policy file: "os_compute_api:os-services": "rule:admin_api or role:auditor"

We want to restrict role:auditor to GET only. The documentation doesn't mention any method to do this unless we get into RBAC.

Is this possible in the policies?

Thanks!

edit retag flag offensive close merge delete

Comments

If I understand the code right, there is indeed a single rule for all os-services APsI. To implement a rule that only allows read access to services, you would probably have to change the code.

By "code" I mean https://opendev.org/openstack/nova/sr....

Bernd Bausch gravatar imageBernd Bausch ( 2019-08-23 22:47:43 -0500 )edit