Tuesday, September 2, 2014

OpenStack: Restrict instance deletion

In OpenStack, by default, users who are members of a tenant can delete all instances in that tenant, even those spun up by other users. If you want to restrict that, you need to tweak the nova policy file, i.e. /etc/nova/policy.json.


Add the following lines to the file (inside the top-level JSON object, alongside the existing rules, so that the file remains valid JSON):

    "admin_or_user":"is_admin:True or user_id:%(user_id)s",
    "compute:delete":"rule:admin_or_user",

Make the same changes in the /etc/openstack-dashboard/nova_policy.json file as well, so that the Horizon dashboard applies the same rule.

Now restart the openstack-nova-api service.

Now users will be able to delete only the instances they spun up themselves. Admin users will still be able to delete all instances.
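To see what the two rules actually change, here is a small added example (not part of the original post, and not nova's own policy engine) that evaluates `compute:delete` the way policy.json rules work: the left side of a check names a credential attribute of the caller, and `%(attr)s` on the right is filled in from the target, i.e. the instance being deleted. The `DEFAULT_POLICY` fragment assumes the stock `admin_or_owner` rule, which matches on `project_id` rather than `user_id`.

```python
import json

# Constructed policy fragments. DEFAULT_POLICY assumes the stock nova rule that lets
# any member of the instance's tenant (project) delete it; RESTRICTED_POLICY holds
# the two lines from the post, so only the instance's creator or an admin may delete.
DEFAULT_POLICY = """{
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:delete": "rule:admin_or_owner"
}"""
RESTRICTED_POLICY = """{
    "admin_or_user": "is_admin:True or user_id:%(user_id)s",
    "compute:delete": "rule:admin_or_user"
}"""


def _check(atom, creds, target, rules):
    """Evaluate one 'kind:value' check (a small subset of oslo.policy semantics).
    'rule:name' recurses into another named rule; otherwise credential attribute
    `kind` is compared with `value`, where '%(attr)s' is filled from the target."""
    kind, _, value = atom.strip().partition(":")
    if kind == "rule":
        return evaluate(rules[value], creds, target, rules)
    expected = value % target if "%(" in value else value
    return str(creds.get(kind)) == expected


def evaluate(rule, creds, target, rules):
    """Evaluate a rule string; 'or' binds looser than 'and', as in policy.json."""
    if " or " in rule:
        return any(evaluate(p, creds, target, rules) for p in rule.split(" or "))
    if " and " in rule:
        return all(evaluate(p, creds, target, rules) for p in rule.split(" and "))
    return _check(rule, creds, target, rules)


def can_delete(creds, instance, policy_json=RESTRICTED_POLICY):
    """True if the caller (creds) is allowed to run compute:delete on the instance."""
    rules = json.loads(policy_json)
    return evaluate(rules["compute:delete"], creds, instance, rules)


if __name__ == "__main__":
    # Constructed sample data: two members of the 'demo' tenant and one cloud admin.
    alice = {"user_id": "alice", "project_id": "demo", "is_admin": False}
    bob = {"user_id": "bob", "project_id": "demo", "is_admin": False}
    admin = {"user_id": "root", "project_id": "admin", "is_admin": True}
    vm = {"user_id": "alice", "project_id": "demo"}  # instance Alice spun up
    for who in (alice, bob, admin):
        print(who["user_id"], "default:", can_delete(who, vm, DEFAULT_POLICY),
              "restricted:", can_delete(who, vm))
```

With the default rule Bob, a fellow tenant member, can delete Alice's instance; with the restricted rule only Alice and the admin can.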
