
Changing Nova policy.json in devstack Rocky

Hi. So for Nova, policy.json is in code (since Newton) and no policy.json file exists in /etc/nova. To obtain the default policy file I made

oslopolicy-sample-generator --namespace nova --output-file nova-policy.json

I then proceeded to make a few small edits to tweak rights (change some 'admin_or_owner' to just admin). I then copied this file into /etc/nova/policy.json and it seemed my test case (stop a VM for a User with a non-admin role was refused) worked.
BUT, documentation seems to suggest edits to policy.json are updated to Nova immediately; I seemed to find that subsequent edits to policy.json were not being taken into account by Nova (is this file really consulted all the time, or is there some process checking for modifications to it, or is there a polling interval for changes?).

Secondly, as I understand it, owner rights (as defined in nova's policy.json) seem quite wide-ranging: any User allowed access to a Project (with any Role) seems to have Owner rights (true?). Seems to be defined by this line:

"admin_or_owner": "is_admin:True or project_id:%(project_id)s"

(and there's a lot of actions allowed for admin_or_owner)

Finally, trying to create a user Role which is read-only for the Project (i.e. they can't modify anything), this seems to be the Reader role, and trying this out some things seemed to be read-only (ShutOff and HardReboot not allowed), but Pause/Suspend was allowed, which is maybe surprising for the Reader role. Not sure how nova's policy.json treats the Reader role as the file I generated has no Reader role in the config.
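To make the second and third points concrete, here is an added example (not code from the question, from nova, or from oslo.policy): a small evaluator for policy rule strings in the same syntax as the quoted `admin_or_owner` line. The `os_compute_api:servers:stop` and `os_compute_api:servers:show` action names are assumed to follow nova's naming, and the caller/target dictionaries are constructed. It shows why a user holding only the `reader` role still satisfies `admin_or_owner` (the rule checks the caller's project, never their roles), and what an admin-only or role-aware rewrite of the same rule decides instead.

```python
"""Toy evaluator for oslo.policy-style rule strings (constructed example).

Supports "rule:NAME", "role:NAME", "key:value" with %(field)s expanded from
the target, the literals "@" (allow) and "!" (deny), and "or"/"and"/"not"
with parentheses.  It is NOT oslo.policy and does not model file reloading.
"""
from typing import Dict, List

# Constructed policy: "admin_or_owner" is the rule quoted in the question;
# the os_compute_api:* names are assumed to match nova's action naming.
DEFAULT_POLICY: Dict[str, str] = {
    "admin_api": "is_admin:True",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "os_compute_api:servers:stop": "rule:admin_or_owner",
    "os_compute_api:servers:show": "rule:admin_or_owner",
}


def _tokenize(expr: str) -> List[str]:
    """Split on whitespace, peeling grouping parentheses off each word while
    leaving the parentheses that belong to %(field)s substitutions alone."""
    tokens: List[str] = []
    for tok in expr.split():
        core = tok.lstrip("(")
        tokens.extend("(" * (len(tok) - len(core)))
        trailing = 0
        while core.endswith(")") and core.count(")") > core.count("("):
            core, trailing = core[:-1], trailing + 1
        if core:
            tokens.append(core)
        tokens.extend(")" * trailing)
    return tokens


class Policy:
    def __init__(self, rules: Dict[str, str]) -> None:
        self.rules = dict(rules)

    def authorize(self, action: str, target: Dict, creds: Dict) -> bool:
        """True if the caller described by `creds` may do `action` on `target`."""
        return self._eval(self.rules.get(action, "!"), target, creds)

    def _check(self, atom: str, target: Dict, creds: Dict) -> bool:
        if atom == "@":
            return True
        if atom == "!":
            return False
        kind, _, match = atom.partition(":")
        if kind == "rule":  # reference to another named rule; unknown name denies here
            return self._eval(self.rules.get(match, "!"), target, creds)
        if kind == "role":  # the only check that looks at the caller's roles
            return match.lower() in {r.lower() for r in creds.get("roles", [])}
        try:
            match = match % target  # e.g. %(project_id)s -> the server's project
        except KeyError:
            return False
        return kind in creds and str(creds[kind]) == match

    def _eval(self, expr: str, target: Dict, creds: Dict) -> bool:
        tokens, pos = _tokenize(expr), [0]
        if not tokens:
            return True  # an empty rule allows everything

        def peek() -> str:
            return tokens[pos[0]].lower() if pos[0] < len(tokens) else ""

        def take() -> str:
            pos[0] += 1
            return tokens[pos[0] - 1]

        def parse_or() -> bool:
            result = parse_and()
            while peek() == "or":
                take()
                result = parse_and() or result
            return result

        def parse_and() -> bool:
            result = parse_not()
            while peek() == "and":
                take()
                result = parse_not() and result
            return result

        def parse_not() -> bool:
            if peek() == "not":
                take()
                return not parse_not()
            if peek() == "(":
                take()
                result = parse_or()
                if take() != ")":
                    raise ValueError("unbalanced parentheses in %r" % expr)
                return result
            return self._check(take(), target, creds)

        return parse_or()


def evaluate_scenarios() -> Dict[str, bool]:
    """Decide a few constructed caller/rule combinations; returns name -> allowed."""
    server = {"project_id": "proj-a"}  # target: the VM being acted on
    member = {"project_id": "proj-a", "is_admin": False, "roles": ["member"]}
    reader = {"project_id": "proj-a", "is_admin": False, "roles": ["reader"]}
    outsider = {"project_id": "proj-b", "is_admin": False, "roles": ["member"]}
    admin = {"project_id": "proj-b", "is_admin": True, "roles": ["admin"]}
    stop, show = "os_compute_api:servers:stop", "os_compute_api:servers:show"

    default = Policy(DEFAULT_POLICY)
    # The edit described in the question: stop becomes admin-only.
    admin_only = Policy({**DEFAULT_POLICY, stop: "rule:admin_api"})
    # A role-aware variant: members may stop their own servers, readers may only look.
    role_aware = Policy({**DEFAULT_POLICY,
                         stop: "rule:admin_api or (role:member and project_id:%(project_id)s)"})
    return {
        "default/member stops own server": default.authorize(stop, server, member),
        "default/reader stops own server": default.authorize(stop, server, reader),
        "default/outsider stops server": default.authorize(stop, server, outsider),
        "admin_only/member stops own server": admin_only.authorize(stop, server, member),
        "admin_only/admin stops server": admin_only.authorize(stop, server, admin),
        "role_aware/reader stops own server": role_aware.authorize(stop, server, reader),
        "role_aware/reader shows own server": role_aware.authorize(show, server, reader),
        "role_aware/member stops own server": role_aware.authorize(stop, server, member),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_scenarios().items():
        print("%-38s %s" % (name, "ALLOW" if allowed else "DENY"))
```

The "default/reader stops own server" case is the one behind the third question: with only `admin_or_owner` in play, a caller in the right project is an owner no matter which role they hold, so a project-scoped read-only role has to be expressed explicitly with `role:` checks on the write actions.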