[rhos-list] Control Access to instance termination

Eoghan Glynn eglynn at redhat.com
Mon Mar 25 16:01:42 UTC 2013 


> Hi,
> 
> Where I can get a complete list of policy.json options?

Good question, I can't find a complete list in the upstream docco.

This section

  "If we wished to restrict all Compute service requests to require
  this role, the resulting file would look like:" ...

http://docs.openstack.org/trunk/openstack-compute/install/yum/content/keystone-concepts.html

implies a full list, but the file quoted does not include every
fine-grained policy (perhaps relying on the default policy to
fill in the gaps).

But looking directly at the source, here's a list of policies
associated with the compute API:

 compute:create
 compute:create:forced_host
 compute:create:attach_network
 compute:create:attach_volume
 compute:get
 compute:get_all
 compute:get_all_tenants
 compute:detach_volume
 compute:get_instance_faults
 compute:update
 compute:soft_delete
 compute:delete
 compute:restore
 compute:force_delete
 compute:start
 compute:backup
 compute:snapshot
 compute:rebuild
 compute:revert_resize
 compute:confirm_resize
 compute:resize
 compute:add_fixed_ip
 compute:remove_fixed_ip
 compute:pause
 compute:unpause
 compute:get_diagnostics
 compute:suspend
 compute:resume
 compute:rescue
 compute:unrescue
 compute:set_admin_password
 compute:inject_file
 compute:get_vnc_console
 compute:get_spice_console
 compute:get_console_output
 compute:lock
 compute:unlock
 compute:get_lock
 compute:reset_network
 compute:inject_network_info
 compute:attach_interface
 compute:detach_interface
 compute:get_instance_metadata
 compute:delete_instance_metadata
 compute:update_instance_metadata
 compute:security_groups:add_to_instance
 compute:security_groups:remove_from_instance
 
> I also noticed the policy.json file but couldn't find a documentation
> for it.
> 
> I also wanted to restrict the viewership of the servers to the
> owner_user, project_admin and admin only.
> So he can access/change the other users' instances.

"He" in this context being the admin role?

Presumably also project_admin is a custom role you've created yourself?

IIUC the rule you'd need would go something like:

  role:admin or (role:project_admin and project_id:%(project_id)s) or user_id:%(user_id)s

or using the older syntax:

  [["role:admin"], ["role:project_admin", "project_id:%(project_id)s"]], ["user_id:%(user_id)s"]]

Cheers,
Eoghan

> 
> Regards,
> Vaibhav
> 
> 
> 
> ---------- Original message ----------
> From:"Eoghan Glynn"< eglynn at redhat.com >
> Date: 25 Mar 13 18:21:48
> Subject: Re: [rhos-list] Control Access to instance termination
> To: Kumar Vaibhav <vaibhav.k.agarwal at in.com>
> Cc: rhos-list <rhos-list at redhat.com>
> 
> 
> 
> > Hi,
> > 
> > I want to restrict the user to see other user's instances.
> > 
> > Default behaviour is that a user can see all the servers in his
> > tenant-id.
> > 
> > He can suspend, delete, pause etc to the instances created by the
> > other users.
> > 
> > Can this be restrict ed? I want the full previlige to the
> > owner(user
> > who created the instance) of the instance. And no privilige to the
> > other users (except admin) on other users' instances.
> > 
> > I don't want to create a tenant for each user to solve this
> > problem.
> > 
> > Regards,
> > Vaibhav
> 
> 
> This is a requirement that would ideally be handled via the
> rules-based
> access control (RBAC) logic.
> 
> Currently in nova, a rule such as:
> 
> "admin_or_owner": "is_admin:True or project_id:%(project_id)s"
> 
> can be used to specify that an action is restricted to the admin
> role or the tenant owning the resource.
> 
> What you would need I believe is a rule like:
> 
> "admin_or_user": "is_admin:True or user_id:%(user_id)s",
> 
> then restrict the instance delete etc. actions via:
> 
> "compute:delete": "rule:admin_or_user",
> # ... etc.
> 
> All changes applied to /etc/nova/policy.json followed by:
> 
> # serv ice openstack-nova-api restart
> 
> I've tested briefly against master upstream, but I'd be interested
> hearing your experience with the RHOS version you've got deployed.
> 
> Cheers,
> Eoghan
> 
> 
> 
> Get Yourself a cool, short @in.com Email ID now!

More information about the rhos-list mailing list