[rhos-list] Control Access to instance termination
Eoghan Glynn
eglynn at redhat.com
Tue Mar 26 14:51:42 UTC 2013
> > Hi,
> >
> > Thanks for the help.
> > This seems to solve one part of my problem of changing the state of
> > the instance.
> > A user cannot delete the other users' instance.
>
> Great.
>
> > However the listing problem still continues to exist. I checked the
> > logs and found that get_all access control is possible by using the
> > policy.json. But get_all function itself uses the filter of
> > 'project_id' from the context. So other part seems to be difficult.
>
> I'm sure I see the problem here, as nova.compute.api.API.get_all
s/I'm sure/I'm not sure/
> bases its policy enforcement check on a target that includes both
> the project_id *and* user_id:
>
> https://github.com/openstack/nova/blob/stable/folsom/nova/compute/api.py#L1116
>
> So it seems to me that a rule based on user_id would be applicable
> in this case also. Again I've just done a quick test against master,
> please let me know if the behavior you're seeing with your version
> of RHOS is different.
>
> Cheers,
> Eoghan
>
>
> > Regards,
> > Vaibhav
> >
> > ---------- Original message ----------
> >
> >
> > From:"Eoghan Glynn"< eglynn at redhat.com >
> > Date: 25 Mar 13 22:08:26
> > Subject: Re: [rhos-list] Control Access to instance termination
> > To: Kumar Vaibhav <vaibhav.k.agarwal at in.com>
> > Cc: rhos-list <rhos-list at redhat.com>
> >
> >
> >
> > > or using the older syntax:
> > >
> > > [["role:admin"], ["role:project_admin",
> > > "project_id:%(project_id)s"]], ["user_id:%(user_id)s"]]
> >
> > Typo:
> >
> > [["role:admin"], ["role:project_admin",
> > "project_id:%(project_id)s"], ["user_id:%(user_id)s"]]
> >
> >
> >
> >
>
> _______________________________________________
> rhos-list mailing list
> rhos-list at redhat.com
> https://www.redhat.com/mailman/listinfo/rhos-list
>
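An added example, not part of the original message and not nova's code: a simplified model of how the older list-of-lists policy syntax discussed in this thread is evaluated (outer list is OR, inner list is AND, `%(key)s` is filled from the target). The credential and target values are constructed for illustration, and the helper names are hypothetical.

```python
import json

# Added illustration, not nova's code: evaluates the older list-of-lists
# policy syntax. Outer list = OR, inner list = AND.
RULE_JSON = ('[["role:admin"], '
             '["role:project_admin", "project_id:%(project_id)s"], '
             '["user_id:%(user_id)s"]]')


def _match(match, target, creds):
    kind, _, value = match.partition(":")
    try:
        value = value % target  # "%(user_id)s" -> owner recorded in target
    except KeyError:
        return False  # target lacks the key: deny
    if kind == "role":
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    return kind in creds and str(creds[kind]) == value


def check(rule, target, creds):
    """True if any inner AND-list is fully satisfied by the caller."""
    return any(all(_match(m, target, creds) for m in and_list)
               for and_list in rule)


def allowed(creds, target, rule_json=RULE_JSON):
    # json.loads raises ValueError if the brackets are unbalanced.
    return check(json.loads(rule_json), target, creds)


# Constructed sample data: an instance owned by alice in project p1.
TARGET = {"project_id": "p1", "user_id": "alice"}
ALICE = {"user_id": "alice", "project_id": "p1", "roles": ["member"]}
BOB = {"user_id": "bob", "project_id": "p1", "roles": ["member"]}
P1_ADMIN = {"user_id": "carol", "project_id": "p1", "roles": ["project_admin"]}
P2_ADMIN = {"user_id": "dave", "project_id": "p2", "roles": ["project_admin"]}

if __name__ == "__main__":
    for name, creds in [("alice", ALICE), ("bob", BOB),
                        ("p1 admin", P1_ADMIN), ("p2 admin", P2_ADMIN)]:
        print(name, allowed(creds, TARGET))
```

Only the owner, an admin, or a project_admin of the owning project passes; a target that carries no `user_id` is denied for ordinary users because the substitution fails.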