Ask Your Question
2

Limiting VM access to admin_or_owner in Grizzly

asked 2013-11-17 15:09:34 -0500

Izhar gravatar image

How can I create a rule in nova's policy.json file such that only the owner/admin of the VM can list/edit his VMs. The default behavior is that any user in the tenant can list/edit/delete any VM belonging to other users in the tenant. I want to ensure that only the admin role or the owner of the VM can have access to his instances. I have tried this:

"user": [["user_id:%(user_id)s"]], "admin_or_user": [["role:admin"], ["user_id:%(user_id)s"]],

and then created the rules as:

"compute: delete": "rule: admin_or_user",

But this does not work.

edit retag flag offensive close merge delete
add a comment

3 answers

Sort by ยป oldest newest most voted
2

answered 2013-11-18 06:11:36 -0500

Izhar gravatar image

I solved it. For reference, here is a snippet from my nova/policy.json

"owner": [["user_id:%(user_id)s"]],
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
"compute:get": "rule:admin_or_user",
"compute:delete": "rule:admin_or_user",

This worked perfectly.

edit flag offensive delete link more

Comments

Hi, Izhar. I want to ensure that only the admin role or the owner of the VM can list his instances, too. But this rule doesn't works for me in Ocata release.

YCC gravatar imageYCC ( 2017-12-25 20:16:57 -0500 )edit
add a comment
0

answered 2018-06-09 07:02:05 -0500

yogeshtaneja gravatar image

Hi i am using redhat openstack 10. And i also want that only owner of a instance and admin should be able to list and delete the instances but i am not able to apply such policy. By default /etc/nova/policy.json is empty but their is one more file /etc/openstack-dashboard/nova-policy.json in compute as well as on controller. Where should i apply the changes and> can i do the changes

edit flag offensive delete link more
add a comment
0

answered 2014-03-10 05:55:58 -0500

Marco Marino gravatar image

This doesn't works for me in havana release. Have you some suggestion?

edit flag offensive delete link more

Comments

Hi, I am using redhat openstack 10 and want to apply policy that owner and admin should be able to see and delete the instances. /etc/nova/policy.json file is empty.But their is one file /etc/openstack-dashboard/nova-policy.json both on compute and controller. need to know what changes and how to do

yogeshtaneja gravatar imageyogeshtaneja ( 2018-06-09 07:04:58 -0500 )edit
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2013-11-17 15:09:34 -0500

Seen: 2,898 times

Last updated: Mar 10 '14

Related questions

increasing size of user data in nova api

keystone, cert_required and nova

nova list command process

What are typical numbers of nova-api processes on a controller?

why novncproxy_base_url is required on compute nova.conf

Nova compute.instance.create Notification

ip: SIOCGIFFLAGS: No such device

How to setup a bridge for multiple compute nodes?

Snapshot of Instances is Queued forever

Changing a volume bus type