On 02/17/2012 06:31 AM, Leander Bessa wrote:
Hello, I was wondering if it would be possible to create custom roles in keystone. For instance, I would like to create a role which would allow a project owner to create/remove flavors without the intervention of an admin account.
I *think* this should be possible with the new policy support that was recently added.
Check out the /etc/nova/policy.json file. You should be able to edit that file to customize access to specific resource actions for a new role... (hint: look for compute_extension:flavormanage)
That said, policy.json is pretty undocumented, and when I wrote the doc for Glance's similar policy.json support (http://glance.openstack.org/policies.html) I knew I was missing a lot of context. Hopefully Brian Waldon (cc'd) can provide some more help to you.
Sidenote, though... if you allow a custom role to create a new flavor, would you allow anyone to launch an instance with that flavor?
-jay
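
An added example, not part of the original message and not nova's own code: a simplified Python evaluator for checking which roles a policy.json grants `compute_extension:flavormanage` to before deploying an edit. It assumes the list-of-lists rule syntax (outer list is OR, inner list is AND) with only `role:` and `rule:` checks; the sample policy and the `flavor_manager` role name are constructed.

```python
import json

# Constructed sample, not a real deployment's file. Assumed syntax: each rule
# is a list of AND-groups, and any one group being satisfied grants access.
# "flavor_manager" is a hypothetical custom role.
SAMPLE_POLICY = json.loads("""
{
  "admin_api": [["role:admin"]],
  "compute_extension:flavormanage": [["rule:admin_api"], ["role:flavor_manager"]]
}
""")

ACTION = "compute_extension:flavormanage"


def _match(policy, match, held, seen):
    """Evaluate one 'kind:value' check against the caller's roles."""
    kind, _, value = match.partition(":")
    if kind == "role":
        return value.lower() in held
    if kind == "rule":
        return allowed(policy, value, held, seen)
    return False  # other check kinds are not modelled here: treat as unsatisfied


def allowed(policy, action, roles, _seen=()):
    """Return True if a caller holding `roles` satisfies the rule for `action`."""
    if action in _seen or action not in policy:
        return False  # rule cycle or unknown rule: deny (assumption of this sketch)
    held = {r.lower() for r in roles}
    rule = policy[action]
    if not rule:
        return True  # assumption: an empty rule means no restriction at all
    seen = _seen + (action,)
    return any(all(_match(policy, m, held, seen) for m in group) for group in rule)


def granting_roles(policy, action, candidates):
    """List the candidate roles that are sufficient on their own for `action`."""
    return sorted(r for r in candidates if allowed(policy, action, [r]))


if __name__ == "__main__":
    # Review this list before rollout: every role printed can manage flavors.
    print(granting_roles(SAMPLE_POLICY, ACTION, ["admin", "flavor_manager", "member"]))
```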