Anfelmurillo's profile - activity

2019-05-08 19:22:49 -0500 commented question Help with neutron policy.json

Thank you very much, I'll take a look at RBAC. I also found out about OpenStack Parole; this service seems to better suit my needs, am I correct?

2019-05-06 19:26:56 -0500 commented question Help with neutron policy.json

I have checked that the user has correct credentials, because when I remove the condition after the "and" in the policy file, the operation succeeds.

2019-05-06 19:26:56 -0500 commented question Help with neutron policy.json

The command I try to run is:

openstack network set --name perm_cambiado 27a23597-c5ad-41a6-9430-d148b379713e

If I understood, this should be valid because network_id=27a23... However, I get

HttpException: 403: Client Error for url: http://157.253.199.73:9696/v2.0/networks/27a23597-c5ad-4

2019-05-06 16:52:29 -0500 commented question Help with neutron policy.json

I tried changing the rule by removing the % and () operators, like this:

#"update_network": "rule:admin_or_owner and network_id:'27a23597-c5ad-41a6-9430-d148b379713e' ",

but it still didn't work. I also tried removing the (' '), changing "network_id" to "id" and using ’ ’. Is there an example?

2019-05-02 19:53:20 -0500 commented question Help with neutron policy.json

Yes, RBAC would suit my case perfectly. I just found that oslo.policy is the OpenStack service mediating between the API/REST requests and the permissions. Reading its documentation, I think my rule shouldn't use the "%" operator, as it seems to only be used for user attributes. Am I correct?

2019-05-02 17:22:19 -0500 asked a question Help with neutron policy.json

I am trying to see what kind of access control policies I can express with Nova and Neutron policy.json.

Currently, I am able to limit certain operations to a user/role. For example, I can limit who can perform the operation "update_network". Nevertheless, I'd like to express policies that enable a role to only perform "update_network" on a specific subset of networks. Is this possible? I was trying something like this:

"update_network": "rule:admin_or_owner and network_id:%(27a23597-c5ad-41a6-9430-d148b379713e)s",

Given the current list of networks:

+--------------------------------------+------------------+----------------------------------------------------------------------------+
| ID                                   | Name             | Subnets                                                                    |
+--------------------------------------+------------------+----------------------------------------------------------------------------+
| 27a23597-c5ad-41a6-9430-d148b379713e | permisos_network | 8caeb208-3310-46c1-8a47-646e98602541                                       |
| 917ffeed-1cff-4a6e-8630-81ceaad44f7c | no_permisos      |                                                                            |
| bcef732a-1fab-4ed9-9291-b21aa80feaf3 | public           | 6f1d191c-a832-498c-9cf1-2bcc0de803c7, 8b5c712b-31ff-40ef-8da0-250f53d02a40 |
+--------------------------------------+------------------+----------------------------------------------------------------------------+

If expressing such policies is not possible, is there another OpenStack service that enables me to express such policies? I have already read the Congress documentation, but it seems to be more of the type "current network is in accordance with desired policy" and not "let's see if this API call is authorized".

Also, according to this question: https://ask.openstack.org/en/question/118600/what-are-the-defaults-roles-in-openstack-and-how-to-understand-what-a-role-can-do/

Nova now has a hard-coded policy; is it possible to override it?

Thank you very much
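
An added example, not part of the original question and not oslo.policy's own code: a simplified Python model of how an oslo.policy generic `kind:match` check is evaluated, run against the two rule forms tried above and against the form with a quoted literal on the left and a target field on the right. It assumes the target for `update_network` carries the network UUID under the key `id`; the credentials dict is constructed.

```python
import ast

# Network IDs from the listing in the question.
NET_OK = "27a23597-c5ad-41a6-9430-d148b379713e"     # permisos_network
NET_OTHER = "917ffeed-1cff-4a6e-8630-81ceaad44f7c"  # no_permisos

def generic_check(check, target, creds):
    """Simplified model of one oslo.policy 'kind:match' generic check."""
    kind, match = check.split(":", 1)
    try:
        # Right side: %(key)s is substituted from the target object.
        match = match % target
    except KeyError:
        return False  # no such target key, so the check is denied
    try:
        # Left side: a quoted literal is compared directly ...
        return match == str(ast.literal_eval(kind))
    except (ValueError, SyntaxError):
        pass
    # ... anything else is looked up in the caller's credentials.
    value = creds
    for part in kind.split("."):
        try:
            value = value[part]
        except (KeyError, TypeError):
            return False
    return match == str(value)

# Constructed credentials; "id" as the target key is an assumption.
CREDS = {"user_id": "u1", "project_id": "p1", "roles": ["member"]}
CHECKS = {
    "uuid as target key": "network_id:%(" + NET_OK + ")s",
    "uuid quoted on the right": "network_id:'" + NET_OK + "'",
    "literal left, target right": "'" + NET_OK + "':%(id)s",
}

def evaluate(network_id):
    """Return {label: allowed} for an update on the given network."""
    target = {"id": network_id, "project_id": "p1"}
    return {label: generic_check(c, target, CREDS) for label, c in CHECKS.items()}

if __name__ == "__main__":
    for net in (NET_OK, NET_OTHER):
        print(net, evaluate(net))
```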