Mailing List Archive

ocata nova /etc/nova/policy.json
Hi everyone,
I installed openstack ocata on centos and I saw /etc/nova/policy.json
contains the following:
{
}

I created an instance in a project "admin" with user admin that belongs
to the admin project.

I created a demo project with a user demo with "user" role.

Using command lines (openstack server list --all-projects) the user demo
can list the admin instances and can also delete one of them.

I think this is a bug and a nova policy.json must be created with some
rules to avoid the above.

Regards
Ignazio
Re: ocata nova /etc/nova/policy.json [ In reply to ]
On 09/06/2018 06:31 AM, Ignazio Cassano wrote:
> I installed openstack ocata on centos and I saw /etc/nova/policy.json
> contains the following:
> {
> }
>
> I created an instance in a project "admin" with user admin that
> belongs to the admin project.
>
> I created a demo project with a user demo with "user" role.
>
> Using command lines (openstack server list --all-projects) the user demo
> can list the admin instances and can also delete one of them.
>
> I think this is a bug and a nova policy.json must be created with some
> rules to avoid the above.

See
https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/policy-in-code.html

You have something else going on ...

~iain




_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: ocata nova /etc/nova/policy.json [ In reply to ]
Thanks, but I made a mistake because I forgot to change the user variables
before deleting the instance.
A user belonging to the user role cannot delete instances of other projects.
Sorry for my mistake.
Regards
Ignazio

On Thu 6 Sep 2018 at 16:41 iain MacDonnell <
iain.macdonnell@oracle.com> wrote:

>
>
> On 09/06/2018 06:31 AM, Ignazio Cassano wrote:
> > I installed openstack ocata on centos and I saw /etc/nova/policy.json
> > contains the following:
> > {
> > }
> >
> > I created an instance in a project "admin" with user admin that
> > belongs to the admin project.
> >
> > I created a demo project with a user demo with "user" role.
> >
> > Using command lines (openstack server list --all-projects) the user demo
> > can list the admin instances and can also delete one of them.
> >
> > I think this is a bug and a nova policy.json must be created with some
> > rules to avoid the above.
>
> See
>
> https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/policy-in-code.html
>
> You have something else going on ...
>
> ~iain
>
>
>
>
>
Re: ocata nova /etc/nova/policy.json [ In reply to ]
---- On Thu, 06 Sep 2018 23:53:10 +0900 Ignazio Cassano <ignaziocassano@gmail.com> wrote ----
> Thanks, but I made a mistake because I forgot to change the user variables before deleting the instance.
> A user belonging to the user role cannot delete instances of other projects.
> Sorry for my mistake.
> Regards
> Ignazio

On the policy side, Nova has policy in code now. For showing the servers of all projects, nova has a policy rule [1] which controls the --all-projects parameter. By default it is 'admin' only, so the demo user cannot see the other instances until this rule is modified in your policy.json.

[1]
os_compute_api:servers:index:get_all_tenants
os_compute_api:servers:detail:get_all_tenants
https://docs.openstack.org/nova/latest/configuration/policy.html

-gmann

>
> On Thu 6 Sep 2018 at 16:41 iain MacDonnell <iain.macdonnell@oracle.com> wrote:
>
>
> On 09/06/2018 06:31 AM, Ignazio Cassano wrote:
> > I installed openstack ocata on centos and I saw /etc/nova/policy.json
> > contains the following:
> > {
> > }
> >
> > I created an instance in a project "admin" with user admin that
> > belongs to the admin project.
> >
> > I created a demo project with a user demo with "user" role.
> >
> > Using command lines (openstack server list --all-projects) the user demo
> > can list the admin instances and can also delete one of them.
> >
> > I think this is a bug and a nova policy.json must be created with some
> > rules to avoid the above.
>
> See
> https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/policy-in-code.html
>
> You have something else going on ...
>
> ~iain
>
>
>
>
>



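The point gmann makes (an empty policy.json leaves nova's in-code defaults in force, and --all-projects is gated by the get_all_tenants rules) can be checked offline. The following is an added example, not code from the thread or from nova: a tiny evaluator for the subset of oslo.policy rule syntax these rules use, merged over assumed in-code defaults (assumed: both get_all_tenants rules default to "rule:admin_api" and admin_api is "is_admin:True"), so an operator can audit whether a given policy.json override opens the listing to non-admin users.

```python
import json

# Assumed in-code defaults, mirroring what an empty /etc/nova/policy.json leaves in force.
IN_CODE_DEFAULTS = {
    "admin_api": "is_admin:True",
    "os_compute_api:servers:index:get_all_tenants": "rule:admin_api",
    "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api",
}


def evaluate(rule, creds, rules):
    """Evaluate an oslo.policy-style rule string against request credentials.

    Supported subset: "" (always allowed), "!" (always denied), "role:X",
    "is_admin:True", "rule:Y" (alias lookup), and "a or b" / "a and b"
    ("and" binds tighter than "or", as in oslo.policy).
    """
    rule = rule.strip()
    if rule == "":
        return True
    if rule == "!":
        return False
    if " or " in rule:
        return any(evaluate(p, creds, rules) for p in rule.split(" or "))
    if " and " in rule:
        return all(evaluate(p, creds, rules) for p in rule.split(" and "))
    kind, _, value = rule.partition(":")
    if kind == "rule":
        return evaluate(rules[value], creds, rules)
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return creds.get("is_admin", False) == (value == "True")
    raise ValueError("unsupported check: %r" % rule)


def can_list_all_tenants(policy_json_text, creds):
    """Merge a policy.json override over the in-code defaults and report whether
    creds would be allowed to use 'openstack server list --all-projects'."""
    rules = dict(IN_CODE_DEFAULTS)
    rules.update(json.loads(policy_json_text))
    return evaluate(rules["os_compute_api:servers:index:get_all_tenants"], creds, rules)


# Constructed credentials for the two users in the thread.
ADMIN = {"roles": ["admin"], "is_admin": True}
DEMO = {"roles": ["user"], "is_admin": False}
EMPTY_POLICY = "{}"  # the file Ignazio found on disk
# Constructed override that an audit should flag: the rule emptied to "always allow".
OPENED_UP = json.dumps({"os_compute_api:servers:index:get_all_tenants": ""})
```

Running `can_list_all_tenants(EMPTY_POLICY, DEMO)` returns False because the in-code default still applies, while the same call with `OPENED_UP` returns True, which is exactly the misconfiguration to look for when a non-admin user can list other projects' servers.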