On 23/05/16 17:02, "Sean Dague" <s...@dague.net> wrote:

>On 05/23/2016 10:24 AM, Tim Bell wrote:
>>
>>
>> Quick warning for those who are dependent on the "user_id:%(user_id)s"
>> syntax for limiting actions by user. According to
>> https://bugs.launchpad.net/nova/+bug/1539351, this behavior was
>> apparently not intended according to the bug report feedback. The
>> behavior has changed from v2 to v2.1 and the old syntax no longer works.
>
>Well, the behavior changes with the backend code base. By mitaka the
>default backend code for both is the same. And the legacy code base is
>about to be removed.
>
>This feature (policy enforcement by user_id) was 100% untested, which is
>why it never ended up in the new API stack. Being untested setting
>owner: 'user_id: %(user_id)s' might have some really unexpected results
>because not everything has a user_id.
>
There are several hints given in the documentation regarding this sort of feature. Examples are such as http://docs.openstack.org/developer/oslo.policy/api.html and http://docs.openstack.org/mitaka/config-reference/policy-json-file.html#examples

>> There can be security implications also so I’d recommend those using
>> this current v2 feature to review the bug to understand the potential
>> impacts as clouds enable v2.1.
>
>While I understand from the bug report what your use case is now, I'm
>kind of wondering what the shared resources / actions of these 150
>people are in this project. Are they all in the same project for other
>reasons?

The resource pool (i.e. quota) is shared between all of the developers. A smaller team is responsible for maintaining the image set for the project and also providing 2nd line support (such as reboot/problem diagnosis…).

I do not know the EMBL-EBI use case or the EGI Federated Cloud scenarios which are also mentioned in the review.

Tim

>
> -Sean
>
>--
>Sean Dague
>http://dague.net
>
>_______________________________________________
>OpenStack-operators mailing list
>OpenStack-operators@lists.openstack.org
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
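
An added example, not part of the thread and not oslo.policy or nova code: a simplified model of how a "user_id:%(user_id)s" style check is evaluated, showing that the outcome depends on which target dict the API hands to the policy engine. The function names, the sample users and targets are constructed, and denying when the target lacks the key is an assumption of this model.

```python
# Simplified model of a "kind:match" generic policy check.
# Illustration only; this is not oslo.policy or nova code.

def generic_check(rule, target, creds):
    """Fill 'match' from the target, then compare it with creds[kind]."""
    kind, match = rule.split(":", 1)
    try:
        wanted = match % target      # "%(user_id)s" is interpolated from the target
    except KeyError:
        return False                 # assumption: a target without the key is denied
    return kind in creds and wanted == str(creds[kind])


def audit(rule, creds, targets):
    """Return {label: allowed} so a rule can be reviewed against each target shape."""
    return {label: generic_check(rule, t, creds) for label, t in targets.items()}


USER_RULE = "user_id:%(user_id)s"
PROJECT_RULE = "project_id:%(project_id)s"

# Constructed sample data: two users sharing one project (and its quota).
ALICE = {"user_id": "alice", "project_id": "dev"}
TARGETS = {
    "own_instance": {"user_id": "alice", "project_id": "dev"},
    "others_instance": {"user_id": "bob", "project_id": "dev"},
    "no_user_id": {"project_id": "dev"},   # a resource that carries no user_id
    "callers_context": dict(ALICE),        # target built from the caller's own credentials
}

if __name__ == "__main__":
    for name, rule in (("user", USER_RULE), ("project", PROJECT_RULE)):
        for label, allowed in audit(rule, ALICE, TARGETS).items():
            print(f"{name:8} {label:16} -> {'allow' if allowed else 'deny'}")
```

In this model the per-user rule only restricts anything when the target describes the resource being acted on; when the target is the caller's own context the rule is always true, which is why a policy of this kind needs to be tested against each API path before relying on it.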