[nova] [ops] user_id based policy enforcement
---- On Wed, 03 Jun 2020 11:17:41 -0500 Massimo Sgaravatto <massimo.sgaravatto at gmail.com> wrote ----
> Thank you !
> The "destructive actions" I guess are the ones listed here:
> In this page there is also the link to the ML thread you were talking about
> So the user_id based policy enforcement for those destructive actions is supposed to work till Train ? Did I get it right ?
Yes, that is the exact list we kept the user_id restriction support for backword compatilbity. They will keep running till Ussuri for sure.
Please ntoe, we might cleanup those in Victoria cycle in favor of new defaults.
> Thanks, Massimo
> On Wed, Jun 3, 2020 at 3:53 PM Ghanshyam Mann <gmann at ghanshyammann.com> wrote:
> ---- On Wed, 03 Jun 2020 01:18:41 -0500 Massimo Sgaravatto <massimo.sgaravatto at gmail.com> wrote ----
> > Hi
> > In my Rocky installation I am preventing users from deleting instances created by other users of the same project.This was implemented setting in the nova policy file:
> > "os_compute_api:servers:delete": "rule:admin_api or user_id:%(user_id)s"
> > This works, even if in the nova log file I see:
> > The user_id attribute isn't supported in the rule 'os_compute_api:servers:delete'. All the user_id based policy enforcement will be removed in the future.
> > Now I would also like preventing user to see the console log file of instances created by other users. I set in the nova policy file:
> > "os_compute_api:os-console-output" : "rule:admin_api or user_id:%(user_id)s"
> Nova does not restrict the policy by user_id except keypairs API or a few of the destructive actions( which I think we supported for backwards compatiblity and
> intent to remove it later that is why you can see the warning). I remember we discussed this in 2016 but I could not find the ML thread for that but
> the consensus that time was we do not intend to support user_id based restriction permission in the API.
> On the same note, ussuri onwards you can enforce some user-level restriction based on the role, but not by user_id. In the Ussuri cycle, we have implemented
> the keystone new defaults roles in nova policy. You can assign read and write roles for users and achieve the user's isolation within same project.
> Please refer this doc to know more details on those new policies
> - https://docs.openstack.org/nova/latest/configuration/policy-concepts.html
> > but this doesn't work
> > Any hints ?
> > More in general: were the user_id based policy eventually removed in latest OpenStack releases ?Which are then the possible alternatives to implement my use case ?
> > Thanks, Massimo