tenant capabilities limitation: is it possible?

asked 2016-01-15 08:12:39 -0500

Wohard

Hey everyone.

I have a question about the tenant capabilities. Is there a manner in which the admin can at some moment reduce the capabilities of other tenants on their own instances (prevent actions such as start() or stop())?
In a more detailed manner: within an environment of two users, "admin" and "demo" for example, is it possible that the "admin" can prevent "demo" from managing his own instances?

It would be better if the answer is within the context of the Python API.

Thank you.


1 answer


answered 2016-01-18 06:47:35 -0500

capsali

So admin and demo are users on the same project, right? I assume the admin user has the role admin and the demo user has the role user. And the user demo spawned an instance. Now you want to limit the demo user's access to that instance, right?

Well, if this is the case then you must first change some rules in the nova, cinder, neutron, etc. policies, depending on what restrictions you want to be applied. The simplest way that I can think of is to create a new role, say role restricted.

Then you edit nova policy.json and add a new rule like "restricted": "not role:restricted". Now let's say you want to restrict the user demo from deleting the instance he created. You edit the following line in nova policy.json: "compute:delete": "rule:admin_or_owner and rule:restricted".

Basically this rule states that any admin or project member can delete any instance from that project as long as they don't have the role restricted assigned to them.

After this, if you assign the role restricted to the user demo, he will not be able to terminate the instance until an admin removes this role.

This way you can modify whatever rule you want.

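The policy fragment from the answer, worked through in Python. This is an added example, not code from the answer or from Nova: a small hand-written evaluator for the `not`/`and`/`or`, `rule:`, `role:` and `%(attr)s` syntax the two rules use (Nova itself evaluates policy.json with oslo.policy). The `admin_or_owner` definition is assumed to be Nova's stock one from that era, and the credential and instance dictionaries are constructed.

```python
import json
# Constructed policy fragment: the two rules from the answer plus Nova's stock
# "admin_or_owner" rule that they build on. A hand-written evaluator follows;
# the real Nova uses oslo.policy, which this only imitates for these operators.
RULES = json.loads("""{
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "restricted": "not role:restricted",
  "compute:delete": "rule:admin_or_owner and rule:restricted"
}""")

def _atom(token, creds, target):
    # One check: rule:<name>, role:<name>, or <cred>:<value> (with %(attr)s from target)
    kind, _, match = token.partition(":")
    if kind == "rule":
        return evaluate(RULES[match], creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    if "%(" in match:
        match = match % target
    return str(creds.get(kind)) == match

def evaluate(expr, creds, target):
    # Rule grammar with precedence not > and > or, as in oslo.policy
    tokens, pos = expr.split(), 0
    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        pos += 1
        return _atom(tokens[pos - 1], creds, target)
    def parse_and():
        nonlocal pos
        result = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            result = parse_not() and result   # evaluate both; no short-circuit
        return result
    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            result = parse_and() or result
        return result
    return parse_or() if tokens else True   # empty rule string means "always allowed"

def may_delete(creds, instance):
    # True if compute:delete would pass for these credentials on this instance
    return evaluate(RULES["compute:delete"], creds, instance)
```

Note that, exactly as the answer says, the `restricted` role also blocks an admin who carries it, so assign it only to the users you mean to limit.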


I don't know how to simulate an IaaS offer on OpenStack. Are the service provider and the customer going to have respectively admin and user "roles" within the same project, or both of them admin roles but in different projects?

Wohard (2016-01-18 07:16:59 -0500)

In a basic OpenStack config the admin role is assigned to the cloud operator because this user will have access to everything, including changing/deleting/creating new users and projects. A project is the workspace for users (you can set quotas on projects). You can have multiple users in one project.

capsali (2016-01-18 09:14:07 -0500)

A user can be part of multiple projects too. Roles are the capabilities a user can exert in a project (i.e. create/delete/update instances, create volumes, assign FIP, etc.). By default OpenStack creates two roles: admin and user/member.

capsali (2016-01-18 09:15:26 -0500)

The admin role is used by the owner of the cloud, the provider. As admin you have control over every service of OpenStack, including creating/deleting/updating projects/users and assigning roles. So the end client should not have an admin role, only the cloud operator.

capsali (2016-01-18 09:16:56 -0500)

The user role has some restrictions, especially not having access to users/projects, amongst other things. This role is suited for the end user. You can review the access a user role has if you look at the policy.json of every OpenStack service.

capsali (2016-01-18 09:18:47 -0500)


Last updated: Jan 18 '16