
Adding & Enforcing policy in Openstack Nova Code.

Scenario:
I have added an action method named ‘detailall’ in /opt/stack/nova/nova/api/openstack/compute/servers.py and I want to add a policy (“compute:detailall”) for this method so that only users holding the role ‘admin’ or ‘tadmin’ can invoke it. Here are the steps needed to add and enforce this policy in the Nova code.

Step 1 (adding the policy to the policy file):
Add the following line to /etc/nova/policy.json. The file is one JSON object, so keep the trailing comma unless this is the last entry:

"compute:detailall": "role:admin or role:tadmin",

Step 2 (enforcing the policy in the ‘detailall’ method):
Call the enforcement code at the start of ‘detailall’, before any work is done. The third argument is the target dict; the engine uses it to expand placeholders such as %(project_id)s in a rule, so for a pure role check like this one its contents do not matter. If the check fails, enforce raises nova.exception.PolicyNotAuthorized, which the API layer turns into an HTTP 403.

from nova import policy

policy.enforce(ctxt, 'compute:detailall', {'getall': None})

How it works:
A built-in policy enforcement engine reads /etc/nova/policy.json and evaluates the rule registered for the requested action against the caller's credentials (roles, project, admin flag) and the target dict. If the rule matches, the call proceeds; otherwise enforce raises PolicyNotAuthorized. An action that has no entry in policy.json falls back to the “default” rule. If you are interested in the details, have a look at the following files, where the implementation lives:

nova/nova/policy.py
nova/nova/openstack/common/policy.py

And that's it. Now the ‘detailall’ method can only be invoked by users holding the admin or tadmin role.
For example, nova --os-username user_with_tadmin_role listall works, but nova --os-username user_without_admin_or_tadmin_role listall is rejected with HTTP 403, provided that listall is a custom nova command that invokes the ‘detailall’ method in /opt/stack/nova/nova/api/openstack/compute/servers.py.
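To make the mechanism concrete, here is a small stand-alone re-implementation of the rule evaluation the engine performs, written for this page as an added example; it is not Nova's own code. The Context class, the PolicyNotAuthorized class, the detailall handler and the three-entry policy text are constructed assumptions. It goes a little beyond the post's role-only rule by also handling the “default” fallback and a %(project_id)s target substitution, since those are what rules in a real policy.json usually depend on.

```python
import json


# Constructed policy.json content for this example (not the full Nova default file).
POLICY_JSON = """{
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "compute:detailall": "role:admin or role:tadmin"
}"""


class PolicyNotAuthorized(Exception):
    """Stand-in for nova.exception.PolicyNotAuthorized (HTTP 403 at the API layer)."""


class Context(object):
    """Minimal stand-in for a Nova RequestContext (assumed shape, not Nova's class)."""

    def __init__(self, user_id, project_id, roles, is_admin=False):
        self.user_id = user_id
        self.project_id = project_id
        self.roles = list(roles)
        self.is_admin = is_admin

    def to_dict(self):
        return {"user_id": self.user_id, "project_id": self.project_id,
                "roles": self.roles, "is_admin": self.is_admin}


class Enforcer(object):
    """Evaluates policy.json-style rules: 'kind:match' atoms joined by 'and' / 'or'."""

    def __init__(self, policy_text):
        self.rules = json.loads(policy_text)

    def _check(self, expr, creds, target):
        # 'and' binds tighter than 'or', so split on 'or' first (parentheses not supported).
        if " or " in expr:
            return any(self._check(p, creds, target) for p in expr.split(" or "))
        if " and " in expr:
            return all(self._check(p, creds, target) for p in expr.split(" and "))
        expr = expr.strip()
        if expr == "":
            return True          # empty rule: always allowed
        if expr == "!":
            return False         # '!' rule: never allowed
        kind, _, match = expr.partition(":")
        try:
            match = match % target   # expand %(project_id)s etc. from the target dict
        except KeyError:
            return False         # rule needs a target key the caller did not pass
        if kind == "rule":
            return self._check(self.rules.get(match, "!"), creds, target)
        if kind == "role":
            return match.lower() in [r.lower() for r in creds["roles"]]
        # generic check: compare a credential field, e.g. is_admin:True, project_id:...
        return str(creds.get(kind)) == match

    def enforce(self, ctxt, action, target, do_raise=True):
        """Like nova.policy.enforce: True if allowed, else raise (or return False)."""
        rule = self.rules.get(action, self.rules.get("default", "!"))
        allowed = self._check(rule, ctxt.to_dict(), target)
        if not allowed and do_raise:
            raise PolicyNotAuthorized(
                "Policy doesn't allow %s to be performed." % action)
        return allowed


def detailall(enforcer, ctxt):
    """Hypothetical handler mirroring the post's 'detailall' action method."""
    enforcer.enforce(ctxt, "compute:detailall", {"getall": None})
    return ["server-1", "server-2"]  # constructed stand-in for the real server list


def try_detailall(enforcer, ctxt):
    """Return True if the caller may run detailall, False if policy rejects it."""
    try:
        detailall(enforcer, ctxt)
        return True
    except PolicyNotAuthorized:
        return False


if __name__ == "__main__":
    enforcer = Enforcer(POLICY_JSON)
    tadmin = Context("u1", "p1", ["tadmin"])
    member = Context("u2", "p1", ["Member"])
    print("tadmin:", try_detailall(enforcer, tadmin))   # True
    print("member:", try_detailall(enforcer, member))   # False
```

The role comparison is case-insensitive, as in the real engine, so a Keystone role named “Member” does not accidentally match “member”-style rules one way and not the other. Note also what happens to an action with no entry: it silently inherits the “default” rule, so a typo in the action name passed to enforce does not fail closed but evaluates a different rule than the one you wrote.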

Categories: openstack
Comment from dum, July 19, 2015 at 10:18 pm:

    Simple and neat explanation.
