Ask Your Question
2

Limiting VM access to admin_or_owner in Grizzly

asked 2013-11-17 15:09:34 -0500

Izhar gravatar image

How can I create a rule in nova's policy.json file such that only the owner/admin of the VM can list/edit his VMs. The default behavior is that any user in the tenant can list/edit/delete any VM belonging to other users in the tenant. I want to ensure that only the admin role or the owner of the VM can have access to his instances. I have tried this:

"user": [["user_id:%(user_id)s"]], "admin_or_user": [["role:admin"], ["user_id:%(user_id)s"]],

and then created the rules as:

"compute: delete": "rule: admin_or_user",

But this does not work.

edit retag flag offensive close merge delete
add a comment

3 answers

Sort by ยป oldest newest most voted
2

answered 2013-11-18 06:11:36 -0500

Izhar gravatar image

I solved it. For reference, here is a snippet from my nova/policy.json

"owner": [["user_id:%(user_id)s"]],
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
"compute:get": "rule:admin_or_user",
"compute:delete": "rule:admin_or_user",

This worked perfectly.

edit flag offensive delete link more

Comments

Hi, Izhar. I want to ensure that only the admin role or the owner of the VM can list his instances, too. But this rule doesn't works for me in Ocata release.

YCC gravatar imageYCC ( 2017-12-25 20:16:57 -0500 )edit
add a comment
0

answered 2018-06-09 07:02:05 -0500

yogeshtaneja gravatar image

Hi i am using redhat openstack 10. And i also want that only owner of a instance and admin should be able to list and delete the instances but i am not able to apply such policy. By default /etc/nova/policy.json is empty but their is one more file /etc/openstack-dashboard/nova-policy.json in compute as well as on controller. Where should i apply the changes and> can i do the changes

edit flag offensive delete link more
add a comment
0

answered 2014-03-10 05:55:58 -0500

Marco Marino gravatar image

This doesn't works for me in havana release. Have you some suggestion?

edit flag offensive delete link more

Comments

Hi, I am using redhat openstack 10 and want to apply policy that owner and admin should be able to see and delete the instances. /etc/nova/policy.json file is empty.But their is one file /etc/openstack-dashboard/nova-policy.json both on compute and controller. need to know what changes and how to do

yogeshtaneja gravatar imageyogeshtaneja ( 2018-06-09 07:04:58 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2013-11-17 15:09:34 -0500

Seen: 2,692 times

Last updated: Mar 10 '14

Related questions

nova-api cause controller high cpu usage

Authentication Error using API on Grizzly

Can you restrict a user or tenant to a Cinder volume type?

Nova services do not start [closed]

Getting HTTP 500 when creating new instance [closed]

Grizzly separate installation nodes

security group not found for project

TroubleShooting Openstack

HA and Load Balancing

Volume did not finish being created even after we waited some seconds