
Policy administration for openstack nova

The default installation of OpenStack DevStack comes with ‘/etc/nova/policy.json’, which is the policy administration point for OpenStack nova. The following is an excerpt from this file:


"compute_extension:admin_actions:pause": "rule:admin_or_owner"

This means that if you want to pause (probably, pause a VM), you have to be the owner or the admin. If we want to remove this check, we can simply erase the rule, leaving an empty string, which makes everyone able to pause the VM:


"compute_extension:admin_actions:pause": ""

Now, if you want to modify the policy so that the admin, the owner, or someone with role:trainer can perform that same action, change it as follows:


"compute_extension:admin_actions:pause": "rule:admin_or_owner or role:trainer"
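As an added illustration (not code from nova or from this post), the following Python sketch evaluates the three variants of the pause rule above for four constructed callers, showing who passes each one. It handles only the subset of the policy syntax used here; the `admin_or_owner` definition, the caller names and the project ids are assumptions.

```python
# Added example: evaluates only the subset of the policy language shown on this
# page ('' = allow all, role:X, rule:X, key:value checks, joined by "or").
PAUSE = "compute_extension:admin_actions:pause"

# Constructed sample: this admin_or_owner definition is an assumption.
BASE = {"admin_or_owner": "is_admin:True or project_id:%(project_id)s"}
VARIANTS = {
    "default": "rule:admin_or_owner",
    "erased": "",
    "trainer": "rule:admin_or_owner or role:trainer",
}
# Constructed callers; the VM being paused belongs to project "p1".
TARGET = {"project_id": "p1"}
CALLERS = {
    "admin":    {"roles": ["admin"], "project_id": "p9", "is_admin": True},
    "owner":    {"roles": ["member"], "project_id": "p1", "is_admin": False},
    "trainer":  {"roles": ["trainer"], "project_id": "p2", "is_admin": False},
    "stranger": {"roles": ["member"], "project_id": "p2", "is_admin": False},
}

def check(policy, expr, creds, target, seen=()):
    if expr.strip() == "":
        return True  # empty rule: nothing is checked, every caller passes
    for term in expr.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "rule":
            # Undefined or self-referencing rules are treated as a denial here.
            if value in policy and value not in seen and check(
                    policy, policy[value], creds, target, seen + (value,)):
                return True
        elif kind == "role":
            if value.lower() in [r.lower() for r in creds.get("roles", [])]:
                return True
        else:
            try:  # e.g. project_id:%(project_id)s compares caller to target
                if kind in creds and str(creds[kind]) == value % target:
                    return True
            except KeyError:
                pass  # target lacks the field the rule refers to: deny
    return False

def who_can_pause(variant):
    policy = {**BASE, PAUSE: VARIANTS[variant]}
    return {name: check(policy, policy[PAUSE], creds, TARGET)
            for name, creds in CALLERS.items()}

if __name__ == "__main__":
    for variant in VARIANTS:
        print(variant, who_can_pause(variant))
```

With the erased rule even the "stranger" caller from another project passes, while the trainer variant widens access only to callers holding that role.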

Now, if you want to insert a new policy, add a new line with the policy name. For example, I have added a policy for nova by adding this line, where the policy name is “compute:detailall”:

"compute:detailall": "role:admin or role:tadmin"

It is worth noting that this policy is only enforced in the places in the code where I have used and enforced it. For example, I have added these lines in the place where I wanted to enforce this policy.

from nova import policy
ctxt = req.environ['nova.context']  # request context of the caller
policy.enforce(ctxt, 'compute:detailall', {'getall': None})

Anyway, there are a whole lot of other issues around policy administration which we may visit later.
