On 07/02/2015 03:10 AM, masoom alam wrote:
> Hi everyone,
> The glance policy.json allows specific users/roles to download an
> image. If we apply a policy on a specific role, only that role can
> download and/or boot an image.
> What if we want to restrict downloading an image, but at the same time
> allow the user to boot it via nova boot? The catch is that we will
> have to restrict the user from taking the snapshot, right? Can glance
> differentiate between a user downloading an image and nova doing the
> same on behalf of a user?
No, as it is done with a token. The token is passed to nova, and nova
passes it to glance to perform the action.
If snapshot is a different API call than download, then you apply a
different role for each, and make sure that tokens passed to Nova do not
have the "snapshot" role in them.
It is issues like this that are making me try to drive the Dynamic
Policy effort in Keystone.
My initial write up is here:
https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/
And the wiki is here:
https://wiki.openstack.org/wiki/DynamicPolicies
I'd love to have your input on the process.
> Or how to solve the puzzle, please guide.
> Thanks
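As an added illustration of the role-per-API-call approach suggested in the reply (not code from the thread, from Glance, or from oslo.policy): a minimal evaluator over a constructed policy.json fragment. The rule names are assumed to follow Glance's policy.json, the "snapshotter" role is hypothetical, and, as the reply notes, the download_image rule applies equally whether the user or nova (with the user's token) performs the download.

```python
# Added example: a tiny evaluator for glance-style policy.json rules.
# It is NOT oslo.policy; it models only the "" / "role:<name>" / "a or b"
# subset needed to show download and snapshot governed by separate roles.
import json

# Constructed policy.json fragment. Rule names are assumed to match
# Glance's policy.json; "snapshotter" is a hypothetical role.
POLICY_JSON = """
{
    "get_image": "",
    "get_images": "",
    "download_image": "role:member or role:admin",
    "add_image": "role:snapshotter or role:admin",
    "upload_image": "role:snapshotter or role:admin"
}
"""


def _match(rule, roles):
    """"" allows everyone, "role:x" requires x, "a or b" allows either."""
    rule = rule.strip()
    if rule == "":
        return True
    if " or " in rule:
        return any(_match(part, roles) for part in rule.split(" or "))
    if rule.startswith("role:"):
        return rule[len("role:"):] in roles
    raise ValueError(f"unsupported rule: {rule!r}")


def enforce(policy, action, token_roles):
    """True if a token carrying token_roles may perform action."""
    rule = policy.get(action, policy.get("default", ""))
    return _match(rule, set(token_roles))


def allowed_actions(policy, token_roles):
    """Sorted list of every action the token's roles satisfy."""
    return sorted(a for a in policy if enforce(policy, a, token_roles))


POLICY = json.loads(POLICY_JSON)

if __name__ == "__main__":
    # A member token (what nova boot carries) may download the image
    # but may not create a snapshot image (add_image/upload_image).
    print(allowed_actions(POLICY, ["member"]))
    # Only a token that also carries "snapshotter" unlocks the snapshot path.
    print(allowed_actions(POLICY, ["member", "snapshotter"]))
```

The point of the separation is visible in the second call: nova's snapshot needs add_image/upload_image, so withholding "snapshotter" from the token passed to Nova blocks snapshots without touching download.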
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev