Ask Your Question
0

policy management

asked 2014-01-03 17:45:13 -0500

kfox1111 gravatar image

I have Jenkins building images for me. I would like it to be able to upload images to glance for one of my tenants and also to be able to look at running instances to see images used so it can delete images from glance that haven't been used in a while. I really don't need or want this user to be able to do anything else.

It looks like I could edit the policy.json file for every OpenStack project (nova, cinder, glance, heat...) but that looks like a ton of work, and hard to maintain when updated policy comes out.

Is there a better way to do this? To disable all but a few api calls for a user on a tenant? Maybe a keystone policy api or trusts?

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted
0

answered 2014-01-04 03:10:41 -0500

tim-bell gravatar image

If you only requirement is to upload images for tenants, you could have a look at image sharing ( http://docs.openstack.org/api/openstack-image-service/2.0/content/image-sharing.html ). You build the images, upload them to your jenkins building tenant and then share the images with the appropriate projects.

edit flag offensive delete link more

Comments

I'm hoping to let it be able to see running instances so that it can clean out images that have not been used in a while. I'm generating updated images automatically that are up to date so they launch quickly, but don't want old images piling up. It shouldn't be able to delete instances though.

kfox1111 gravatar imagekfox1111 ( 2014-01-06 11:48:20 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

Stats

Asked: 2014-01-03 17:45:13 -0500

Seen: 116 times

Last updated: Jan 04 '14