Maybe this is related to: https://bugs.launchpad.net/nova/+bug/1539351 ?

In our Mitaka installation we had to keep using the v2.0 API to be able to use user_id in the policy file ...

I don't know if there are better solutions ...

Cheers, Massimo

2017-01-15 8:44 GMT+01:00 Hamza Achi <h16m...@gmail.com>:

> Hello,
>
> According to this Nova-spec of Newton release [1], user_id:%(user_id)s
> syntax should work to constrain some operations to user_id instead of
> project_id. Like deleting and rebuilding VMs.
>
> But it is not working, users within the same project can delete,
> rebuild... the VMs of each other. I added these rules in
> /etc/nova/policy.json (I used devstack stable/newton branch):
>
> "admin_required": "role:admin or is_admin:1",
> "owner" : "user_id:%(user_id)s",
> "admin_or_owner": "rule:admin_required or rule:owner",
> "compute:delete": "rule:admin_or_owner",
> "compute:resize": "rule:admin_or_owner",
> "compute:rebuild": "rule:admin_or_owner",
> "compute:reboot": "rule:admin_or_owner",
> "compute:start": "rule:admin_or_owner",
> "compute:stop": "rule:admin_or_owner"
>
> Can you please point out what I am missing?
>
> Thank you,
> Hamza
>
> [1] https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
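
What the rules in the quoted message are meant to express, as an added example that is not part of the thread and is not Nova's or oslo.policy's code: a simplified evaluator (only `or`, `rule:`, `role:` and `key:%(key)s` checks) run over constructed credentials and a constructed server target. It models the intent of the rules, not whether a given Nova release consults them; the `enforce` and `check` helpers and all sample values are assumptions of this example.

```python
import json

# Rules copied from the quoted message (policy.json fragment).
POLICY = json.loads("""{
  "admin_required": "role:admin or is_admin:1",
  "owner": "user_id:%(user_id)s",
  "admin_or_owner": "rule:admin_required or rule:owner",
  "compute:delete": "rule:admin_or_owner",
  "compute:rebuild": "rule:admin_or_owner"
}""")

def check(expr, target, creds, rules=POLICY):
    """Evaluate one rule expression: an 'or' of kind:match checks."""
    return any(_atom(a.strip(), target, creds, rules) for a in expr.split(" or "))

def _atom(atom, target, creds, rules):
    kind, match = atom.split(":", 1)
    if kind == "rule":   # reference to another named rule
        return match in rules and check(rules[match], target, creds, rules)
    if kind == "role":   # role membership in the caller's credentials
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    try:
        wanted = match % target   # fill %(user_id)s from the target object
    except KeyError:
        return False              # target lacks the attribute: no match
    return kind in creds and str(creds[kind]) == wanted

def enforce(action, target, creds, rules=POLICY):
    # Assumption of this model: an action with no rule is denied.
    return action in rules and check(rules[action], target, creds, rules)

# Constructed sample data: two users in one project, plus an admin.
SERVER = {"user_id": "alice-id", "project_id": "proj-1"}
ALICE = {"user_id": "alice-id", "project_id": "proj-1", "roles": ["member"]}
BOB = {"user_id": "bob-id", "project_id": "proj-1", "roles": ["member"]}
ADMIN = {"user_id": "root-id", "project_id": "admin", "roles": ["admin"]}

if __name__ == "__main__":
    for name, creds in (("alice", ALICE), ("bob", BOB), ("admin", ADMIN)):
        print(name, enforce("compute:delete", SERVER, creds))
    # Target built without user_id: the owner rule cannot match anyone.
    print("alice, target without user_id:",
          enforce("compute:delete", {"project_id": "proj-1"}, ALICE))
```

Running the same cases against a test deployment (owner, second user in the same project, admin) shows whether the service's decisions agree with what the rules express.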