2

Limiting VM access to admin_or_owner in Grizzly

asked 2013-11-17 15:09:34 -0600

Izhar

How can I create a rule in nova's policy.json file such that only the owner/admin of the VM can list/edit his VMs? The default behavior is that any user in the tenant can list/edit/delete any VM belonging to other users in the tenant. I want to ensure that only the admin role or the owner of the VM can have access to his instances. I have tried this:

"user": [["user_id:%(user_id)s"]],
"admin_or_user": [["role:admin"], ["user_id:%(user_id)s"]],

and then created the rules as:

"compute: delete": "rule: admin_or_user",

But this does not work.

3 answers

2

answered 2013-11-18 06:11:36 -0600

Izhar

I solved it. For reference, here is a snippet from my nova/policy.json

"owner": [["user_id:%(user_id)s"]],
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
"compute:get": "rule:admin_or_user",
"compute:delete": "rule:admin_or_user",

This worked perfectly.

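To see how the rules in the answer above evaluate, here is an added example (not part of the original post and not nova's own code): a minimal Python model of the check semantics, in which the left side of `user_id:%(user_id)s` is read from the caller's credentials and the right side is filled in from the target object. It assumes the enforcement call passes the instance's `user_id` in the target; the function names and sample users are hypothetical.

```python
import re

# Constructed policy using the rule syntax from the answer above.
POLICY = {
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_user": "is_admin:True or user_id:%(user_id)s",
    "compute:get": "rule:admin_or_user",
    "compute:delete": "rule:admin_or_user",
}

def check_atom(atom, creds, target, policy):
    """Evaluate one 'kind:match' check against the caller's credentials."""
    kind, match = atom.split(":", 1)
    if kind == "rule":                      # reference to another named rule
        return evaluate(policy[match], creds, target, policy)
    if kind == "role":                      # caller must hold the role
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        wanted = match % target             # %(user_id)s is taken from the target
    except KeyError:
        return False                        # target lacks the field: deny
    return kind in creds and str(creds[kind]) == wanted

def evaluate(rule, creds, target, policy):
    """Accept both forms on the page: list-of-lists and 'a or b' strings."""
    if isinstance(rule, str):               # only the 'or' operator is modelled
        alternatives = [[a] for a in re.split(r"\s+or\s+", rule.strip())]
    else:
        alternatives = rule                 # outer list = OR, inner list = AND
    return any(all(check_atom(a, creds, target, policy) for a in group)
               for group in alternatives)

def enforce(action, creds, target, policy=POLICY):
    # Assumption of this sketch: an action with no rule is denied.
    if action not in policy:
        return False
    return evaluate(policy[action], creds, target, policy)

# Constructed sample data: one instance and three callers in the same tenant.
INSTANCE = {"project_id": "tenant-a", "user_id": "alice"}
ALICE = {"user_id": "alice", "project_id": "tenant-a", "roles": ["member"], "is_admin": False}
BOB = {"user_id": "bob", "project_id": "tenant-a", "roles": ["member"], "is_admin": False}
ADMIN = {"user_id": "root", "project_id": "tenant-a", "roles": ["admin"], "is_admin": True}

if __name__ == "__main__":
    for name, creds in (("alice", ALICE), ("bob", BOB), ("admin", ADMIN)):
        print(name, enforce("compute:delete", creds, INSTANCE))
```

In this model the owner check can only succeed when the target carries a `user_id`; with an empty target only the admin branch matches.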

Comments

Hi, Izhar. I want to ensure that only the admin role or the owner of the VM can list his instances, too. But this rule doesn't work for me in the Ocata release.

YCC ( 2017-12-25 20:16:57 -0600 )
0

answered 2018-06-09 07:02:05 -0600

Hi, I am using Red Hat OpenStack 10. I also want only the owner of an instance and the admin to be able to list and delete the instances, but I am not able to apply such a policy. By default /etc/nova/policy.json is empty, but there is one more file, /etc/openstack-dashboard/nova-policy.json, on compute as well as on the controller. Where should I apply the changes, and can I do the changes?

0

answered 2014-03-10 05:55:58 -0600

Marco Marino

This doesn't work for me in the Havana release. Do you have any suggestions?


Comments

Hi, I am using Red Hat OpenStack 10 and want to apply a policy so that the owner and admin are able to see and delete the instances. The /etc/nova/policy.json file is empty. But there is one file, /etc/openstack-dashboard/nova-policy.json, on both compute and controller. Need to know what changes to make and how to do them.

yogeshtaneja ( 2018-06-09 07:04:58 -0600 )


Stats

Asked: 2013-11-17 15:09:34 -0600

Seen: 2,759 times

Last updated: Mar 10 '14