os-server-groups policy rules are wrong
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Invalid | Undecided | Unassigned | |
Bug Description
Before policy was moved into code in Newton, the os-server-groups API actions had only two policy rules:
"os_compute_
"os_compute_
With this change in Ocata:
https:/
The actual actions now have granular policy checks (create/
The problem is the effective policy check on those went from
"os_compute_
"os_compute_
"os_compute_
"os_compute_
"os_compute_
And "rule:os_
I know the admin_or_owner rule is defined here:
#"admin_or_owner": "is_admin:True or project_
But there is no rule defined for "os_compute_
Changed in nova:
status: New → Triaged
status: Triaged → Invalid
I get it now. Looking at:
https://docs.openstack.org/nova/latest/configuration/sample-policy.html
#"os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups"
points at:
#"os_compute_api:os-server-groups": "rule:admin_or_owner"
which points at:
#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
etc
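
The rule chain traced in the comment above, as an added example that is not part of the original bug report or nova's own code: a small resolver that follows `rule:` references down to the effective check and reports undefined rules or cycles. The helper names `effective_check` and `audit` are hypothetical; the three rule strings are the ones quoted above.

```python
import re

# Rule strings exactly as quoted from the sample policy file in the comment above.
POLICY = {
    "os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups",
    "os_compute_api:os-server-groups": "rule:admin_or_owner",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
}

# A "rule:<name>" reference; rule names may contain ':' and '-'.
RULE_REF = re.compile(r"\brule:([A-Za-z0-9_:.\-]+)")


class PolicyError(ValueError):
    """Raised when a rule chain cannot be resolved."""


def effective_check(name, policy, _chain=()):
    """Follow rule: references from `name` down to the base checks (hypothetical helper)."""
    chain = _chain + (name,)
    if name in _chain:
        raise PolicyError("cycle: " + " -> ".join(chain))
    if name not in policy:
        raise PolicyError("undefined rule: " + " -> ".join(chain))
    body = policy[name].strip()
    alias = RULE_REF.fullmatch(body)
    if alias:  # the rule is a pure alias, so no parentheses are needed
        return effective_check(alias.group(1), policy, chain)
    # Mixed expression: expand each reference in place, parenthesised.
    return RULE_REF.sub(
        lambda m: "(" + effective_check(m.group(1), policy, chain) + ")", body)


def audit(policy):
    """Map every rule name to its effective check, or to the error that stops resolution."""
    report = {}
    for name in policy:
        try:
            report[name] = effective_check(name, policy)
        except PolicyError as exc:
            report[name] = "ERROR " + str(exc)
    return report


if __name__ == "__main__":
    for rule, check in audit(POLICY).items():
        print(rule, "=>", check)
```

Running `audit` over a deployed policy file's rules shows at a glance which granular actions still resolve to the same base check and which ones point at a rule that is not defined.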