Ask Your Question

policy management

asked 2014-01-03 17:45:13 -0500

kfox1111 gravatar image

I have Jenkins building images for me. I would like it to be able to upload images to glance for one of my tenants and also to be able to look at running instances to see images used so it can delete images from glance that haven't been used in a while. I really don't need or want this user to be able to do anything else.

It looks like I could edit the policy.json file for every OpenStack project (nova, cinder, glance, heat...) but that looks like a ton of work, and hard to maintain when updated policy comes out.

Is there a better way to do this? To disable all but a few api calls for a user on a tenant? Maybe a keystone policy api or trusts?

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2014-01-04 03:10:41 -0500

tim-bell gravatar image

If you only requirement is to upload images for tenants, you could have a look at image sharing ( ). You build the images, upload them to your jenkins building tenant and then share the images with the appropriate projects.

edit flag offensive delete link more


I'm hoping to let it be able to see running instances so that it can clean out images that have not been used in a while. I'm generating updated images automatically that are up to date so they launch quickly, but don't want old images piling up. It shouldn't be able to delete instances though.

kfox1111 gravatar imagekfox1111 ( 2014-01-06 11:48:20 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2014-01-03 17:45:13 -0500

Seen: 159 times

Last updated: Jan 04 '14