Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Whats the supported way to define custom permissions or policy for tenant users?

Reference: https://docs.openstack.org/kilo/config-reference/content/policy-json-file.html

While recipes for editing policy.json files are found on blogs, modifying the policy can have unexpected side effects and is not encouraged.

I'm looking for documentation or instructions on how to properly set roles or permissions or policy for a group or users within their tenant. I have come across that the policy.json is where it's done but then I came across the above quoted text. My goal is to control the users ability to mass-create images and instances with huge sizing. I had thought I'd give them the ability to list images/instances/etc but not create or update certain things.

The best way I can think of based on the information i've found is to give the user "member" role (which is basically admin of the tenant / project) and make sure that the quotas for the project is correctly sized. Is this the best way to achieve what I am after? This doesn't seem correct to me because looking at current quota usage, there is 86 vCPU showing used and when I count the vcpu's on the current instances it only comes to 22. So if the above way is correct way where can I find thorough info on understanding quotas? Why would vCPUs show as an incremental value instead of a total value? The main documentation link isnt working at the moment https://docs.openstack.org/pike/admin/