IIRC glance uses owner instead of project_id as the field in various places 
representing the tenant that owns the object. Perhaps you might try 
"project_id:%(owner)s"

Vish

On May 2, 2014, at 7:21 AM, Michael Hearn <mrhe...@gmail.com> wrote:

> Having played with the policies and rules within glance's policy.json file I 
> have not had any success using the rule, "project_id:%(project_id)" to 
> restrict api usage.
> Without changing user/role/tenant I have had success using 
> "project_id:%(project_id)" with cinder.
> I cannot find anything to suggest glance's policy engine cannot parse the 
> rule but would like confirmation.
> Can anyone verify this?
> 
> This is using Icehouse, glance 0.12.0
> 
> ~Mike 
> 
> 
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
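
An added example, not part of the original thread and not glance's or cinder's own code: a simplified model of a `key:%(field)s` policy check, showing why a rule that names a field absent from the target object denies every request. The target dictionaries, tenant names and helper functions are constructed for illustration; the assumptions are that a missing field fails closed and, following the reply above, that image targets carry `owner` rather than `project_id`.

```python
import re

def generic_check(rule, target, creds):
    """Model of a '<cred_key>:%(<target_field>)s' check.

    The right-hand side is %-formatted from the target object and the
    result is compared with the caller's credential named on the left.
    Assumption: any substitution failure denies the request.
    """
    kind, _, match = rule.partition(":")
    try:
        expected = match % target
    except (KeyError, TypeError, ValueError):
        # Field not present on the target, or malformed format spec
        # (for example a missing trailing 's').
        return False
    return kind in creds and str(creds[kind]) == expected

def missing_fields(rule, target):
    """List target fields a rule references that the target lacks."""
    return [f for f in re.findall(r"%\((\w+)\)s", rule) if f not in target]

# Constructed sample data (hypothetical tenants and objects).
CREDS = {"project_id": "tenant-a", "roles": ["member"]}
IMAGE_TARGET = {"id": "img-1", "owner": "tenant-a"}         # image-style
OTHER_IMAGE = {"id": "img-2", "owner": "tenant-b"}
VOLUME_TARGET = {"id": "vol-1", "project_id": "tenant-a"}   # volume-style

if __name__ == "__main__":
    for rule in ("project_id:%(project_id)s", "project_id:%(owner)s"):
        for name, tgt in (("image", IMAGE_TARGET), ("volume", VOLUME_TARGET)):
            print(rule, name, generic_check(rule, tgt, CREDS),
                  "missing:", missing_fields(rule, tgt))
```

Running `missing_fields` against a representative target for each rule in a policy file is a quick way to spot rules that can never match.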
