[rhos-list] Control Access to instance termination

Eoghan Glynn eglynn at redhat.com
Tue Mar 26 14:50:56 UTC 2013



> Hi,
> 
> Thanks for the help.
> This seems to solve one part of my problem of changing the state of
> the instance.
> A user cannot delete the other users' instance.

Great.
 
> However the listing problem still continues to exist. I checked the
> logs and found that get_all access control is possible by using the
> policy.json. But get_all function itself uses the filter of
> 'project_id' from the context. So other part seems to be difficult.

I'm sure I see the problem here, as nova.compute.api.API.get_all
bases its policy enforcement check on a target that includes both
the project_id *and* user_id:

  https://github.com/openstack/nova/blob/stable/folsom/nova/compute/api.py#L1116 

So it seems to me that a rule based on user_id would be applicable
in this case also. Again I've just done a quick test against master,
please let me know if the behavior you're seeing with your version
of RHOS is different.

Cheers,
Eoghan

 
> Regards,
> Vaibhav
> 
> ---------- Original message ----------
> 
> 
> From:"Eoghan Glynn"< eglynn at redhat.com >
> Date: 25 Mar 13 22:08:26
> Subject: Re: [rhos-list] Control Access to instance termination
> To: Kumar Vaibhav <vaibhav.k.agarwal at in.com>
> Cc: rhos-list <rhos-list at redhat.com>
> 
> 
> 
> > or using the older syntax:
> > 
> > [["role:admin"], ["role:project_admin",
> > "project_id:%(project_id)s"]], ["user_id:%(user_id)s"]]
> 
> Typo:
> 
> [["role:admin"], ["role:project_admin",
> "project_id:%(project_id)s"], ["user_id:%(user_id)s"]]
> 
> 
> 
> 

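As an added illustration (not code from this thread or from nova itself), the snippet below mimics how nova's legacy list-based policy syntax is evaluated: the outer list is an OR of alternatives, each inner list an AND of "kind:match" checks, where "role:" looks at the caller's roles and any other kind expands %(key)s from the target and compares it with the caller's credentials. It shows that the mistyped rule quoted above does not even parse, and that the corrected rule lets a plain user act only on instances they own while a project_admin is confined to their own project; the role names, user ids and project ids are constructed for the example.

```python
import json

# Rule strings from the thread (old nova policy.json syntax): the outer list is
# an OR of alternatives, each inner list an AND of "kind:match" checks.
TYPO_RULE = ('[["role:admin"], ["role:project_admin", "project_id:%(project_id)s"]],'
             ' ["user_id:%(user_id)s"]]')
FIXED_RULE = ('[["role:admin"], ["role:project_admin", "project_id:%(project_id)s"],'
              ' ["user_id:%(user_id)s"]]')


def parse_rule(text):
    """Return the rule as nested lists, or None when it is not valid JSON."""
    try:
        return json.loads(text)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return None


def check(item, target, creds):
    """Evaluate one check the way the legacy list-based engine does."""
    kind, match = item.split(":", 1)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: expand %(key)s from the target (the instance being acted
    # on) and compare with the same attribute of the caller's credentials.
    return match % target == str(creds.get(kind))


def enforce(rule, target, creds):
    """True when any alternative has all of its checks satisfied."""
    return any(all(check(item, target, creds) for item in alt) for alt in rule)


# Constructed sample data: an instance owned by bob in project p1, and the
# credentials nova derives from the request context of several callers.
INSTANCE = {"project_id": "p1", "user_id": "bob"}
CALLERS = {
    "bob": {"project_id": "p1", "user_id": "bob", "roles": ["member"]},
    "alice": {"project_id": "p1", "user_id": "alice", "roles": ["member"]},
    "p1_admin": {"project_id": "p1", "user_id": "carol", "roles": ["project_admin"]},
    "p2_admin": {"project_id": "p2", "user_id": "dave", "roles": ["project_admin"]},
    "cloud_admin": {"project_id": "p9", "user_id": "root", "roles": ["admin"]},
}


def decisions(rule_text=FIXED_RULE, target=INSTANCE):
    """Map each caller name to whether the rule lets them act on the target."""
    rule = parse_rule(rule_text)
    if rule is None:
        raise ValueError("policy rule is not valid JSON: %s" % rule_text)
    return {name: enforce(rule, target, creds) for name, creds in CALLERS.items()}
```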