Perhaps you can achieve this by editing policy.json (located by default in /etc/neutron).
For instance you can allow only admin users to add security group rules to any security group by specifying the following: "create_security_group_rule": "admin_only" Similar rules for update and deletion of security group rules will prevent you from modifying existing rules. This same set of rules will anyway allow admin users to add rules to the default security group. Salvatore On 15 May 2015 at 09:31, Giuseppa Muscianisi <g.muscian...@cineca.it> wrote: > Dear all, > > in our openstack cluster, we would restrict the actions that users can do > with security group and security group rules. > > Here's what we'd like to achieve: 1. Lock down security group (and rules) > so that only admin (or tenant admin?) can modify them. 2. Add additional > rules to the default security group. > > Can you please give me some advices on how to achieve these goals? > > Thanks in advance, Giusy > > -- > --------------------------------------------------------------- > " Considerate la vostra semenza: > fatti non foste a viver come bruti, > ma per seguir virtute e canoscenza " > > Dante Alighieri > Divina Commedia - Inferno - Canto XXVI > --------------------------------------------------------------- > > Giuseppa Muscianisi, Ph.D. > CINECA - SuperComputing, Applications and Innovation Department > Via Magnanelli 6/3, 40033 Casalecchio di Reno (BO) - Italy > Phone: +39 051 6171 775www.cineca.it > > > _______________________________________________ > Mailing list: > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : openstack@lists.openstack.org > Unsubscribe : > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > >
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
