[rhos-list] Control Access to instance termination
vaibhav.k.agarwal at in.com
Mon Mar 25 14:37:31 UTC 2013
Hi,

Where can I get a complete list of policy.json options? I also noticed the policy.json file but couldn't find documentation for it.

I also wanted to restrict the viewership of the servers to the owner user, project admin and admin only. So he can access/change the other users' instances.

Regards,
Vaibhav

Original message
From: "Eoghan Glynn" < eglynn at redhat.com >
Date: 25 Mar 13 18:21:48
Subject: Re: [rhos-list] Control Access to instance termination
To: Kumar Vaibhav
Cc: rhos-list

> Hi,
>
> I want to restrict the user to see other user's instances.
>
> Default behaviour is that a user can see all the servers in his
> tenant_id.
>
> He can suspend, delete, pause etc to the instances created by the
> other users.
>
> Can this be restricted? I want the full privilege to the owner (user
> who created the instance) of the instance. And no privilege to the
> other users (except admin) on other users' instances.
>
> I don't want to create a tenant for each user to solve this problem.
>
> Regards,
> Vaibhav

This is a requirement that would ideally be handled via the rules-based
access control (RBAC) logic.

Currently in nova, a rule such as:

  "admin_or_owner": "is_admin:True or project_id:%(project_id)s"

can be used to specify that an action is restricted to the admin
role or the tenant owning the resource.

What you would need I believe is a rule like:

  "admin_or_user": "is_admin:True or user_id:%(user_id)s",

then restrict the instance delete etc. actions via:

  "compute:delete": "rule:admin_or_user",
  # ... etc.

All changes applied to /etc/nova/policy.json followed by:

  # service openstack-nova-api restart

I've tested briefly against master upstream, but I'd be interested in
hearing your experience with the RHOS version you've got deployed.

Cheers,
Eoghan
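As an added illustration (not from the thread, and not nova's own code), a small Python model of how the policy rules quoted above evaluate. It assumes a deliberately simplified rule grammar (only `key:value` terms joined by `or`, `rule:<name>` references, and `%(field)s` substitution from the target) rather than nova's real policy engine, and shows why `admin_or_owner` lets a same-tenant user act on another user's instance while `admin_or_user` restricts the action to the owner and admins.

```python
# Added example, not code from the thread or from nova: a minimal evaluator
# for the "is_admin:True or user_id:%(user_id)s" rule style. Real nova uses a
# richer grammar (and, not, role checks, ...); this models only what is quoted.
from typing import Mapping

# Constructed policy built from the rules quoted in the reply.
POLICY = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_or_user": "is_admin:True or user_id:%(user_id)s",
    "compute:delete": "rule:admin_or_user",
}


def _check(term: str, creds: Mapping, target: Mapping, policy: Mapping) -> bool:
    """Evaluate one 'kind:value' term against the caller's creds."""
    kind, _, value = term.partition(":")
    if kind == "rule":                      # reference to another named rule
        return enforce(value, creds, target, policy)
    try:
        value = value % target              # %(field)s comes from the target instance
    except KeyError:
        return False                        # missing target field: deny, not crash
    return str(creds.get(kind)) == value    # is_admin:True compares against str(True)


def enforce(action: str, creds: Mapping, target: Mapping, policy: Mapping = POLICY) -> bool:
    """Return True if creds may perform action on target under policy."""
    rule = policy.get(action)
    if rule is None:
        return False                        # unknown action: fail closed
    return any(_check(t.strip(), creds, target, policy) for t in rule.split(" or "))


# Constructed sample principals and target (the instance being acted on).
INSTANCE = {"user_id": "alice", "project_id": "p1"}
ALICE = {"user_id": "alice", "project_id": "p1", "is_admin": False}   # owner
BOB = {"user_id": "bob", "project_id": "p1", "is_admin": False}       # same tenant, not owner
ADMIN = {"user_id": "carol", "project_id": "p9", "is_admin": True}

if __name__ == "__main__":
    # Default tenant-scoped rule: Bob can act on Alice's instance.
    print("admin_or_owner, bob:", enforce("admin_or_owner", BOB, INSTANCE))
    # Proposed per-user rule: only Alice (owner) and admins may delete.
    for name, who in (("alice", ALICE), ("bob", BOB), ("admin", ADMIN)):
        print("compute:delete,", name + ":", enforce("compute:delete", who, INSTANCE))
```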