Changing Nova policy.json in devstack Rocky

asked 2019-09-12 03:45:09 -0500


Hi. So for Nova, policy.json is in code (since Newton) and no policy.json file exists in /etc/nova. To obtain the default policy file I ran:

oslopolicy-sample-generator  --namespace nova --output-file nova-policy.json

I then proceeded to make a few small edits to tweak rights (change some 'admin_or_owner' to just admin). I then copied this file into /etc/nova/policy.json and it seemed my test case (stop a VM for a User with a non-admin role was refused) worked.
BUT, documentation seems to suggest edits to policy.json are picked up by Nova immediately; I seemed to find that subsequent edits to policy.json were not being taken into account by Nova (is this file really consulted all the time, or is there some process checking for modifications to it, or a polling interval for changes?).

Secondly, as I understand it owner rights (as defined in nova's policy.json) seems quite wide ranging, any User allowed access to a Project (with any Role) seems to have Owner rights (true?). Seems to be defined by this line:

"admin_or_owner": "is_admin:True or project_id:%(project_id)s"

(and there's a lot of actions allowed for admin_or_owner)

Finally, trying to create a user Role which is Read Only for the Project (i.e. they can't modify anything), this seems to be the Reader role, and trying this out some things seemed to be read-only (ShutOff and HardReboot not allowed), but Pause/Suspend was allowed, which is maybe surprising for the Reader role. Not sure how nova's policy.json treats the Reader role, as the file I generated has no Reader role in the config.



To answer the second question, indeed the owner of most if not all objects in a cloud is a project. Users with the same role in a project have the same privileges as far as this project's resources are concerned. You should be able to change this, partially at least, via the policy.

Bernd Bausch ( 2019-09-12 11:01:33 -0500 )
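To make the "admin_or_owner" point from the question and the comment concrete, here is an added example: a toy evaluator for the small subset of the oslo.policy rule language that the quoted line uses. It is not code from oslo.policy, Nova, the question or the comment. It supports only `key:value` checks, `%(attr)s` substitution from the target object, `rule:<name>` references, `and`/`or` (with `and` binding tighter, as in the real grammar), and the literal `True`/`!` rules; parentheses and `not` are left out. The policy entries below are constructed for the example, and the `os_compute_api:servers:*` action names are assumed placeholders rather than a claim about Nova's exact policy keys.

```python
"""Toy evaluator for a subset of the oslo.policy rule language.

Added example, not oslo.policy or Nova code.  Assumed subset of the
grammar: ``key:value`` atoms, ``%(attr)s`` target substitution,
``rule:<name>`` references, ``and`` / ``or`` (``and`` binds tighter)
and the literal ``True`` / ``!`` rules.  No parentheses, no ``not``.
"""

# Constructed sample of a Nova-style policy file.  The admin_or_owner
# line is the one quoted in the question; the action names are assumed
# placeholders for this example.
POLICY_DEFAULT = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_api": "is_admin:True",
    "os_compute_api:servers:stop": "rule:admin_or_owner",
    "os_compute_api:servers:pause": "rule:admin_or_owner",
}

# The edit the asker describes: point one action at an admin-only rule.
POLICY_HARDENED = dict(POLICY_DEFAULT)
POLICY_HARDENED["os_compute_api:servers:stop"] = "rule:admin_api"


def _check(atom, policy, creds, target):
    """Evaluate one atom of a rule against credentials and target."""
    if atom in ("@", "True", "true"):
        return True
    if atom in ("!", "False", "false"):
        return False
    key, _, value = atom.partition(":")
    # %(attr)s on the right-hand side is filled from the target object,
    # so project_id:%(project_id)s compares the caller's project with
    # the project that owns the VM, and never looks at the role.
    if value.startswith("%(") and value.endswith(")s"):
        value = str(target.get(value[2:-2]))
    if key == "rule":
        # Reference to another named rule; unknown rules deny.
        return _evaluate(policy.get(value, "!"), policy, creds, target)
    if key == "role":
        return value in creds.get("roles", [])
    # Generic check: compare against the credential of the same name
    # (covers is_admin:True, user_id:..., project_id:...).
    return str(creds.get(key)) == value


def _evaluate(expr, policy, creds, target):
    # Split on "or" first, then "and", so "and" binds tighter.
    return any(
        all(_check(atom.strip(), policy, creds, target)
            for atom in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def enforce(policy, action, creds, target):
    """Return True if ``creds`` may perform ``action`` on ``target``."""
    return _evaluate(policy.get(action, "!"), policy, creds, target)


if __name__ == "__main__":
    # Constructed credentials: a member of project p1 holding only a
    # "reader" role, an admin, and a VM owned by project p1.
    reader = {"user_id": "u1", "project_id": "p1",
              "roles": ["reader"], "is_admin": False}
    admin = {"user_id": "adm", "project_id": "p1",
             "roles": ["admin"], "is_admin": True}
    vm = {"project_id": "p1", "user_id": "someone-else"}
    for name, pol in (("default", POLICY_DEFAULT),
                      ("hardened", POLICY_HARDENED)):
        for act in ("os_compute_api:servers:stop",
                    "os_compute_api:servers:pause"):
            print(name, act, "reader:",
                  enforce(pol, act, reader, vm),
                  "admin:", enforce(pol, act, admin, vm))
```

Running it shows why any role in the project passes `admin_or_owner`: the rule compares the caller's `project_id` with the target's and never mentions a role, so a "reader" in project p1 can stop or pause a p1 VM under the default entries, is refused `stop` once that action points at `admin_api`, and is still allowed `pause` because that entry was not changed. A caller from another project is refused by both policies.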