Change policy to add permission to an existing nova command

In a default devstack installation, if you issue the command nova --os-username demo usage-list, it shows an error like ERROR: Policy doesn't allow compute_extension:simple_tenant_usage:list to be performed. (HTTP 403). My task for this note is to change the nova policy (/etc/nova/policy.json) so that the user named demo can get the result from the nova usage-list command.

The steps to solve the problem are:

Create a Role (using keystone command):
keystone --os-username admin role-create --name tadmin

Assign permission to the corresponding role (update the /etc/nova/policy.json file):
Change this line from
"compute_extension:simple_tenant_usage:list": "rule:admin_api"
to
"compute_extension:simple_tenant_usage:list": "rule:admin_api or role:tadmin"

Assign the user (e.g. demo) to the newly created tadmin role using the keystone command:
keystone --os-username admin user-role-add --role bd5c448108f34576b87a58f75bbd6c35 --user_id 5c0ed08c27e94594ba2110462c29d085 --tenant 165a7eb440e8458d93c468d937334f63

To get the role id, issue the command "keystone --os-username admin role-list"; to get the id of the demo user, issue "keystone --os-username admin user-list"; and to get the tenant id, issue "keystone --os-username admin tenant-list". In my case, the username was demo and the tenant name is also "demo".
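To see what the policy change grants before restarting anything, here is an added example (not part of the original post, and not nova's own policy engine) that evaluates the old and new rule against a user's roles. The definition of admin_api as "role:admin" and the role name Member are assumptions, and the evaluator handles only role:/rule: checks joined by and/or.

```python
import json

# Constructed sample of the relevant policy.json entries; the definition of
# "admin_api" is an assumption, the page does not show it.
BEFORE = json.loads('''{
  "admin_api": "role:admin",
  "compute_extension:simple_tenant_usage:list": "rule:admin_api"
}''')
AFTER = dict(BEFORE, **{
    "compute_extension:simple_tenant_usage:list": "rule:admin_api or role:tadmin"
})

def check(expr, policy, roles, _seen=()):
    """Evaluate a rule built from role:/rule: checks joined by 'and'/'or'.

    Simplified: no parentheses, 'not', or attribute checks; 'and' binds
    tighter than 'or'. Unknown or cyclic rules deny.
    """
    def atom(tok):
        kind, _, value = tok.strip().partition(":")
        if kind == "role":
            return value.lower() in roles
        if kind == "rule" and value in policy and value not in _seen:
            return check(policy[value], policy, roles, _seen + (value,))
        return False  # fail closed on anything not understood
    return any(all(atom(t) for t in term.split(" and "))
               for term in expr.split(" or "))

def allowed(action, policy, roles):
    """True if a token carrying `roles` may perform `action`."""
    roles = {r.lower() for r in roles}
    return action in policy and check(policy[action], policy, roles)

ACTION = "compute_extension:simple_tenant_usage:list"

if __name__ == "__main__":
    # Hypothetical role sets for an admin, plain demo, and demo with tadmin.
    for label, pol in (("before", BEFORE), ("after", AFTER)):
        for user, roles in (("admin", ["admin"]), ("demo", ["Member"]),
                            ("demo+tadmin", ["Member", "tadmin"])):
            print(label, user, allowed(ACTION, pol, roles))
```

The role check looks only at the role names carried in the token, so demo needs tadmin on the tenant it authenticates against, and anyone else given tadmin gets the same access to usage-list.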
