[rhos-list] Control Access to instance termination
eglynn at redhat.com
Mon Mar 25 16:01:42 UTC 2013
> Where I can get a complete list of policy.json options?
Good question, I can't find a complete list in the upstream docco.
"If we wished to restrict all Compute service requests to require
this role, the resulting file would look like:" ...
implies a full list, but the file quoted does not include every
fine-grained policy (perhaps relying on the default policy to
fill in the gaps).
But looking directly at the source, here's a list of policies
associated with the compute API:
> I also noticed the policy.json file but couldn't find a documentation
> for it.
> I also wanted to restrict the viewership of the servers to the
> owner_user, project_admin and admin only.
> So he can access/change the other users' instances.
"He" in this context being the admin role?
Presumably also project_admin is a custom role you've created yourself?
IIUC the rule you'd need would go something like:
role:admin or (role:project_admin and project_id:%(project_id)s) or user_id:%(user_id)s
or using the older syntax:
[["role:admin"], ["role:project_admin", "project_id:%(project_id)s"]], ["user_id:%(user_id)s"]]
> ---------- Original message ----------
> From:"Eoghan Glynn"< eglynn at redhat.com >
> Date: 25 Mar 13 18:21:48
> Subject: Re: [rhos-list] Control Access to instance termination
> To: Kumar Vaibhav <vaibhav.k.agarwal at in.com>
> Cc: rhos-list <rhos-list at redhat.com>
> > Hi,
> > I want to restrict the user to see other user's instances.
> > Default behaviour is that a user can see all the servers in his
> > tenant-id.
> > He can suspend, delete, pause etc to the instances created by the
> > other users.
> > Can this be restrict ed? I want the full previlige to the
> > owner(user
> > who created the instance) of the instance. And no privilige to the
> > other users (except admin) on other users' instances.
> > I don't want to create a tenant for each user to solve this
> > problem.
> > Regards,
> > Vaibhav
> This is a requirement that would ideally be handled via the
> access control (RBAC) logic.
> Currently in nova, a rule such as:
> "admin_or_owner": "is_admin:True or project_id:%(project_id)s"
> can be used to specify that an action is restricted to the admin
> role or the tenant owning the resource.
> What you would need I believe is a rule like:
> "admin_or_user": "is_admin:True or user_id:%(user_id)s",
> then restrict the instance delete etc. actions via:
> "compute:delete": "rule:admin_or_user",
> # ... etc.
> All changes applied to /etc/nova/policy.json followed by:
> # serv ice openstack-nova-api restart
> I've tested briefly against master upstream, but I'd be interested
> hearing your experience with the RHOS version you've got deployed.
> Get Yourself a cool, short @in.com Email ID now!
More information about the rhos-list