policy.json

Ghanshyam Mann Thu, 06 Sep 2018 19:31:14 -0700

 ---- On Thu, 06 Sep 2018 23:53:10 +0900 Ignazio Cassano 
<ignaziocass...@gmail.com> wrote ---- 
 > Thanks but I made a mistake because I forgot to change  user variables 
 > before deleting the instance.User belonging to user role cannot delete 
 > instances of other projects.Sorry for my mistakeRegardsIgnazio


On Policy side, Nova has policy in code now. And for showing the all projects 
servers, nova has policy rule [1] for that which control the --all-projects 
parameter. By Default it is 'admin' only so demo user cannot see the other 
instance until this rule is modified in your policy.json  

[1]
os_compute_api:servers:index:get_all_tenants
os_compute_api:servers:detail:get_all_tenants
https://docs.openstack.org/nova/latest/configuration/policy.html 

-gmann

 > 
 > Il giorno gio 6 set 2018 alle ore 16:41 iain MacDonnell 
 > <iain.macdonn...@oracle.com> ha scritto:
 > 
 >  
 >  On 09/06/2018 06:31 AM, Ignazio Cassano wrote:
 >  > I installed openstack ocata on centos and I saw /etc/nova/policy.json 
 >  > coontains the following:
 >  > {
 >  > }
 >  > 
 >  > I created an instance in a a project "admin" with user admin that 
 >  > belogns to admin project
 >  > 
 >  > I created a demo project with a user demo with "user" role.
 >  > 
 >  > Using command lines (openstack server list --all-projects) the user demo 
 >  > can list the admin instances and can also delete one of them.
 >  > 
 >  > I think this is a bug and a nova policy.json must be created with some 
 >  > rules for avoiding the above.
 >  
 >  See 
 >  
 > https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/policy-in-code.html
 >  
 >  You have something else going on ...
 >  
 >       ~iain
 >  
 >  
 >  
 >  
 >  _______________________________________________
 >  OpenStack-operators mailing list
 >  OpenStack-operators@lists.openstack.org
 >  http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
 >   _______________________________________________
 > OpenStack-operators mailing list
 > OpenStack-operators@lists.openstack.org
 > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
 > 



_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: [Openstack-operators] ocata nova /etc/nova/policy.json

Reply via email to