You're right, it's probably the following you would want changed: "compute:get_vnc_console": "", "compute:get_spice_console": "", "compute:get_rdp_console": "", "compute:get_serial_console": "", "compute:get_mks_console": "", "compute:get_console_output": "",
I thought the use case is to limit console access to users in a shared project environment, where you might have multiple users seeing each other instances, and you don't want them to try logging on the console. You could create a special role that has console access and change the policy file to reference that role for the "compute:get_vnc_console", for example. I don't think you can do it on per-flavor basis. Cheers, George On Thu, Oct 27, 2016 at 10:24 AM, Blair Bethwaite <[email protected] > wrote: > Hi George, > > On 27 October 2016 at 16:15, George Mihaiescu <[email protected]> > wrote: > > Did you try playing with Nova's policy file and limit the scope for > > "compute_extension:console_output": "" ? > > No, interesting idea though... I suspect it's actually the > get_*_console policies we'd need to tweak, I think console_output > probably refers to the console log? Anyway, not quite sure how we'd > craft policy that would enable us to disable these on a per instance > basis though - is it possible to reference image metadata in the > context of the policy rule? > > -- > Cheers, > ~Blairo >
_______________________________________________ OpenStack-operators mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
