neutron policy didn't work

asked 2016-10-17 14:22:25 -0500


Hi, in some project I want to deny the admin user from creating a router in OpenStack (Mitaka). In the policy.json file I created a new rule like this:

"deny_route": "role:admin and project_id:0b0b995694234521bf93c792ed44247f"

Next I changed the field "create_router" to:

"create_router": "role:admin and not rule:deny_route",

But after that the admin user can create a router. Could you tell me what's wrong?


Comments

Did you restart all Neutron services for this to take effect?

sunnyarora ( 2016-10-17 22:44:54 -0500 )

Why? In the official docs I see: "any changes to policy.json are effective immediately, which allows new policies to be implemented while the service is running".

trubach ( 2016-10-18 01:32:28 -0500 )

admin and not (admin and projectID) translates to (admin and not admin) or (admin and not projectID). The first part is always false, and the second part allows only admin to create the router, except under the given project ID. That project can't create a router at all. Is that what you want?

Bernd Bausch ( 2016-10-18 04:23:02 -0500 )

If that is what you want, perhaps the project ID must be expressed differently. Try adding the dashes.

Bernd Bausch ( 2016-10-18 04:23:55 -0500 )
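The two rules from the question and the expansion given in the comment above, run through a small evaluator. This is an added example, not code from the page and not oslo.policy itself: it is a simplified re-implementation of the subset of the policy.json rule language used here (role:, rule:, key:literal, and/or/not, parentheses, with oslo.policy's precedence of not over and over or, and its exact-string comparison for key:literal checks). The credential dicts and the second project ID are constructed; a real Neutron request context carries more fields. It shows that the admin is denied only in the listed project, that the rule is equivalent to the expanded form in the comment, and that the literal in the rule must be byte-for-byte the project ID the token carries (compare it with the id column of `openstack project show <project>`).

```python
import re

# Rules exactly as posted in the question (values from policy.json).
RULES = {
    "deny_route": "role:admin and project_id:0b0b995694234521bf93c792ed44247f",
    "create_router": "role:admin and not rule:deny_route",
}

_TOKEN = re.compile(r"\(|\)|[^\s()]+")


class Policy:
    """Tiny evaluator for a subset of the policy.json rule language.

    Supports role:<name>, rule:<name>, <key>:<literal>, '@' (always true),
    '!' (always false), and/or/not with precedence not > and > or, and
    parentheses.  <key>:<literal> is an exact string comparison against
    creds[<key>], as in oslo.policy's generic check.  Not oslo.policy itself.
    """

    def __init__(self, rules):
        self.rules = dict(rules)

    def check(self, name, creds):
        toks = _TOKEN.findall(self.rules[name])
        if not toks:                      # empty rule string: always allowed
            return True
        pos = [0]
        tree = self._parse_or(toks, pos)
        if pos[0] != len(toks):
            raise ValueError("unparsed tokens in rule %r" % name)
        return self._eval(tree, creds)

    def _parse_or(self, toks, pos):
        node = self._parse_and(toks, pos)
        while pos[0] < len(toks) and toks[pos[0]].lower() == "or":
            pos[0] += 1
            node = ("or", node, self._parse_and(toks, pos))
        return node

    def _parse_and(self, toks, pos):
        node = self._parse_not(toks, pos)
        while pos[0] < len(toks) and toks[pos[0]].lower() == "and":
            pos[0] += 1
            node = ("and", node, self._parse_not(toks, pos))
        return node

    def _parse_not(self, toks, pos):
        if pos[0] < len(toks) and toks[pos[0]].lower() == "not":
            pos[0] += 1
            return ("not", self._parse_not(toks, pos))
        return self._parse_atom(toks, pos)

    def _parse_atom(self, toks, pos):
        if pos[0] >= len(toks):
            raise ValueError("unexpected end of rule")
        tok = toks[pos[0]]
        pos[0] += 1
        if tok == "(":
            node = self._parse_or(toks, pos)
            if pos[0] >= len(toks) or toks[pos[0]] != ")":
                raise ValueError("missing ')'")
            pos[0] += 1
            return node
        if tok in ("@", "!"):
            return ("const", tok == "@")
        kind, sep, match = tok.partition(":")
        if not sep:
            raise ValueError("bad check %r" % tok)
        return ("check", kind, match)

    def _eval(self, node, creds):
        op = node[0]
        if op == "const":
            return node[1]
        if op == "not":
            return not self._eval(node[1], creds)
        if op == "and":
            return self._eval(node[1], creds) and self._eval(node[2], creds)
        if op == "or":
            return self._eval(node[1], creds) or self._eval(node[2], creds)
        _, kind, match = node
        if kind == "rule":                # reference to another named rule
            return self.check(match, creds)
        if kind == "role":
            return match.lower() in [r.lower() for r in creds.get("roles", [])]
        # Generic check: literal compared exactly, as a string, against the
        # credential field of the same name; a missing field never matches.
        return kind in creds and str(creds[kind]) == match


BLOCKED = "0b0b995694234521bf93c792ed44247f"   # project ID from the question

# Constructed request credentials; only the fields the rules above read.
CREDS = {
    "admin_in_blocked_project": {"roles": ["admin"], "project_id": BLOCKED},
    "admin_in_other_project": {"roles": ["admin"],
                               "project_id": "5e6f7a8b9c0d4e1f8a2b3c4d5e6f7a8b"},
    "member_in_blocked_project": {"roles": ["member"], "project_id": BLOCKED},
}


def evaluate_page_rules():
    """create_router decision for each constructed caller."""
    policy = Policy(RULES)
    return {who: policy.check("create_router", c) for who, c in CREDS.items()}


def expansion_matches_comment():
    """admin and not (admin and P) == (admin and not admin) or (admin and not P)."""
    expanded = Policy({"create_router": "(role:admin and not role:admin) or "
                                        "(role:admin and not project_id:%s)" % BLOCKED})
    original = Policy(RULES)
    return all(original.check("create_router", c) == expanded.check("create_router", c)
               for c in CREDS.values())


def literal_must_match_exactly():
    """Constructed token with the same ID written with dashes: the exact string
    comparison fails, deny_route is False and the admin is allowed.
    Returns (deny_route, create_router)."""
    dashed = {"roles": ["admin"], "project_id": "0b0b9956-9423-4521-bf93-c792ed44247f"}
    policy = Policy(RULES)
    return policy.check("deny_route", dashed), policy.check("create_router", dashed)
```

If the literal in policy.json and the project_id in the caller's token differ in any character, deny_route never fires and the rule silently falls back to plain "role:admin", which is exactly the symptom in the question.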

Thanks a lot. This is what I want.

trubach ( 2016-10-18 10:10:10 -0500 )