The policy file is not a filtering agent. It basically just provides ACL-type
abilities.

"Can you do this action?  True/False"
"Do you have the right permissions to call this action? True/False"

If you wanted to pull back just the instances that the user owns, then you
would actually have to write some code that would call that particular
filtering action.



On Tue, May 5, 2015 at 11:01 AM, Salman Toor <[email protected]> wrote:

>  Hi,
>
>
>  I am trying to setup the policies for nova. Can you please have a look
> if thats correct?
>
>
>  nova/policy.json
> ————————————————————————————————
> "context_is_admin":  "role:admin",
> "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
> "owner":  "user_id:%(user_id)s",
> "admin_or_user": "is_admin:True or user_id:%(user_id)s",
> "default": "rule:admin_or_owner",
>
>  "compute:get_all": "rule:admin_or_user",
>  ————————————————————————————————
>
>  I want users to only see their own instances, not the instances of all
> the users in the same tenant.
>
>  I have restarted the nova-api service on the controller, but no effect. I
> have noticed that if I put "rule:context_is_admin" in "compute:get_all"
> then except "admin" no one can see anything, so the system is reading the file
> correctly.
>
>  Important:
>
>  1 - I haven’t changed the  /etc/openstack-dashboard/nova_policy.json
>
>  2 - I have only used the command line client tool to confirm the
> behaviour.
>
>  I am running Juno release.
>
>  Please point me to some document that discusses all the policy parameters.
>
>  Thanks in advance.
>
>  /Salman
>
> _______________________________________________
> OpenStack-operators mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
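An added example, not part of the thread and not nova's own code: a small Python model of the policy check the reply describes, using a policy equivalent to the one Salman posted. It assumes the simplified oslo.policy rule grammar ("kind:match" atoms, "rule:name" references, "and"/"or"), and it assumes nova evaluates "compute:get_all" once per API call against a target built from the caller's own context (its project_id and user_id). Under that assumption "user_id:%(user_id)s" compares the caller with itself, so "rule:admin_or_user" is True for every authenticated user and hides nothing; the per-instance filter at the end is the extra code the reply says has to be written. The policy dict and the instance records are constructed for the example.

```python
"""Added example (not from the thread, not nova code).

One True/False policy decision per call, then a separate filtering step.
Assumptions: simplified oslo.policy grammar; nova checks compute:get_all
against a target of the caller's own project_id/user_id.
"""
import re

# Constructed policy, equivalent to the one posted in the thread.
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "owner": "user_id:%(user_id)s",
    "admin_or_user": "is_admin:True or user_id:%(user_id)s",
    "default": "rule:admin_or_owner",
    "compute:get_all": "rule:admin_or_user",
}

# Constructed instance records: alice and bob share tenant p1.
INSTANCES = [
    {"id": "i-1", "project_id": "p1", "user_id": "alice"},
    {"id": "i-2", "project_id": "p1", "user_id": "bob"},
    {"id": "i-3", "project_id": "p2", "user_id": "carol"},
]


def _check_atom(atom, target, creds):
    """One 'kind:match' check; %(key)s in match is expanded from the target."""
    kind, _, match = atom.partition(":")
    match = match % target
    if kind == "rule":
        return _eval(POLICY[match], target, creds)
    if kind == "role":
        return match in creds.get("roles", [])
    if kind == "is_admin":
        return str(creds.get("is_admin", False)) == match
    return str(creds.get(kind)) == match   # generic check: project_id, user_id


def _eval(rule, target, creds):
    """Evaluate a rule string: 'or' separates clauses, 'and' joins atoms."""
    for clause in re.split(r"\s+or\s+", rule.strip()):
        atoms = re.split(r"\s+and\s+", clause)
        if all(_check_atom(a.strip(), target, creds) for a in atoms):
            return True
    return False


def enforce(action, target, creds):
    """The ACL decision the reply describes: True or False, nothing else."""
    return _eval(POLICY.get(action, POLICY["default"]), target, creds)


def make_context(user_id, project_id, roles):
    """Build caller credentials; is_admin is derived from context_is_admin."""
    creds = {"user_id": user_id, "project_id": project_id, "roles": list(roles)}
    creds["is_admin"] = _eval(POLICY["context_is_admin"], {}, creds)
    return creds


def list_servers_policy_only(creds):
    """Assumed nova behaviour: one policy check for the call, then every
    instance in the caller's tenant.  The target is the caller's own
    project_id/user_id, so user_id:%(user_id)s is compared with itself."""
    target = {"project_id": creds["project_id"], "user_id": creds["user_id"]}
    if not enforce("compute:get_all", target, creds):
        raise PermissionError("compute:get_all denied by policy")
    return [i for i in INSTANCES if i["project_id"] == creds["project_id"]]


def list_servers_owner_only(creds):
    """The extra code the reply says is needed: evaluate admin_or_user with
    each instance as the target, so the rule finally sees a per-instance
    user_id instead of the caller's own."""
    return [i for i in list_servers_policy_only(creds)
            if _eval(POLICY["admin_or_user"], i, creds)]


if __name__ == "__main__":
    alice = make_context("alice", "p1", ["member"])
    root = make_context("root", "p1", ["admin"])
    print("decision for alice:", enforce(
        "compute:get_all", {"project_id": "p1", "user_id": "alice"}, alice))
    print("policy only:", [i["id"] for i in list_servers_policy_only(alice)])
    print("owner filter:", [i["id"] for i in list_servers_owner_only(alice)])
    print("admin, owner filter:", [i["id"] for i in list_servers_owner_only(root)])
```

The model also reproduces the observation in the thread: if "compute:get_all" is changed to "rule:context_is_admin", enforce() returns False for alice and list_servers_policy_only() raises, while root still lists; that is the only kind of effect a policy.json rule can have on this call.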