So it means I can allow and stop the user(s) from doing certain actions, but not
more than that, which makes sense.

Thanks for your response.

Regards.
Salman.

On 06 May 2015, at 17:12, Joseph Bajin <josephba...@gmail.com> wrote:

The Policy file is not a filtering agent. It basically just provides ACL-type
abilities.

"Can you do this action? True/False"
"Do you have the right permissions to call this action? True/False"

If you wanted to pull back just the instances that the user owns, then you 
would actually have to write some code that would call that particular 
filtering action.



On Tue, May 5, 2015 at 11:01 AM, Salman Toor <salman.t...@it.uu.se> wrote:
Hi,


I am trying to set up the policies for nova. Can you please have a look if that's
correct?


nova/policy.json
————————————————————————————————
"context_is_admin":  "role:admin",
"admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
"owner":  "user_id:%(user_id)s",
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
"default": "rule:admin_or_owner",

"compute:get_all": "rule:admin_or_user",
————————————————————————————————

I want users to only see their own instances, not the instances of all the
users in the same tenant.

I have restarted the nova-api service on the controller, but no effect. I have
noticed that if I put "rule:context_is_admin" in "compute:get_all" then except
"admin" no one can see anything, so the system is reading the file correctly.

Important:

1 - I haven’t changed the /etc/openstack-dashboard/nova_policy.json

2 - I have only used the command line client tool to confirm the behaviour.

I am running the Juno release.

Please point me to some document that discusses all the policy parameters.

Thanks in advance.

/Salman

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
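
The point made in the reply above (a policy rule returns one True/False per request and does not filter results), as an added example that is not part of the original thread and is not Nova's or oslo.policy's code. The evaluator is a simplified model of the rule forms quoted in the thread; `enforce`, `list_instances`, `owner_only` and the sample users are hypothetical names, and it assumes the target of a list call is built from the caller's own context.

```python
# Added illustration: a simplified model of policy.json rule evaluation.
# Handles only the "or", "rule:", "role:" and "key:value" forms seen above.

RULES = {
    "context_is_admin": "role:admin",
    "admin_or_user": "is_admin:True or user_id:%(user_id)s",
    "compute:get_all": "rule:admin_or_user",
}

def enforce(action, creds, target, rules=RULES):
    """Return one True/False for the whole request, as an ACL check does."""
    def check(expr):
        for term in expr.split(" or "):
            kind, _, match = term.strip().partition(":")
            if kind == "rule":
                ok = check(rules[match])
            elif kind == "role":
                ok = match in creds.get("roles", [])
            else:
                # "key:value": compare a credential with a literal or with
                # a %(name)s value substituted from the target.
                ok = str(creds.get(kind)) == match % target
            if ok:
                return True
        return False
    return check(rules[action])

# Constructed sample data: two users in the same tenant.
INSTANCES = [
    {"name": "vm-a", "user_id": "alice", "project_id": "p1"},
    {"name": "vm-b", "user_id": "bob", "project_id": "p1"},
]

def list_instances(creds, owner_only=False):
    # Assumption: for a list call the target is built from the caller's own
    # context, so user_id:%(user_id)s compares the caller with themselves.
    target = {"user_id": creds["user_id"], "project_id": creds["project_id"]}
    if not enforce("compute:get_all", creds, target):
        raise PermissionError("compute:get_all denied")
    rows = [i for i in INSTANCES if i["project_id"] == creds["project_id"]]
    if owner_only and not creds.get("is_admin"):
        # The per-user restriction is a query filter in code, not a policy rule.
        rows = [i for i in rows if i["user_id"] == creds["user_id"]]
    return [i["name"] for i in rows]

ALICE = {"user_id": "alice", "project_id": "p1", "roles": ["member"], "is_admin": False}
```

With the `admin_or_user` rule alone, `list_instances(ALICE)` still returns both instances in the tenant; only the explicit `owner_only` filter narrows the result.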


