Restrict the VM image policy

This section describes how to restrict the Glance, Nova, and Cinder image and snapshot policies so that only administrators can manage images and snapshots in your OpenStack environment.

To configure an administrator-only policy:

  1. In the /etc/nova directory, create or edit the policy.json file for Nova and add the following rules:

    {
        "os_compute_api:servers:create_image": "rule:admin_api",
        "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_api"
    }
    
  2. In the openstack/control.yml file, restrict the image management operations of Glance and Cinder by setting the following policy parameters to role:admin:

    parameters:
      glance:
        server:
          policy:
            add_image: "role:admin"
            delete_image: "role:admin"
            modify_image: "role:admin"
            publicize_image: "role:admin"
            copy_from: "role:admin"
            upload_image: "role:admin"
            delete_image_location: "role:admin"
            set_image_location: "role:admin"
            deactivate: "role:admin"
            reactivate: "role:admin"
      cinder:
        server:
          policy:
            'volume_extension:volume_actions:upload_image': "role:admin"
    
  3. Apply the following states:

    salt 'ctl*' state.sls glance.server,cinder.controller
    
  4. Verify in the output of the states that the policy rules have changed.

  5. If the error "Comment: State 'keystone_policy.rule_present' was not found in SLS 'glance.server'" occurs, synchronize the Salt modules and re-apply the glance.server state:

    salt 'ctl*' saltutil.sync_all
    salt 'ctl*' state.sls glance.server
    
  6. To apply the changes, restart the glance-api service:

    salt 'ctl*' service.restart glance-api
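A way to check the result of the steps above independently of the Salt state output, as an added example that is not part of this documentation or of the MCP project: the script below parses a policy.json document (the Nova format from step 1, which the Glance and Cinder policy files also use) and lists every target named on this page whose rule does not resolve to an administrator-only check. The two sample policy texts, and the helper names is_admin_only, find_unrestricted, load_policy and audit_samples, are constructed for this example.

```python
"""Audit OpenStack policy.json files for admin-only image and snapshot rules.

Added example, not part of the original page or the MCP project. It parses a
policy.json document of the kind written in step 1 and reports every
image-related target whose rule does not resolve to an administrator-only
check. The target names are the ones this page restricts; the sample policy
texts and the helper names are constructed for illustration.
"""
import json

# Targets restricted on this page: Nova snapshot creation, Glance image
# management, and the Cinder "upload volume to image" action.
NOVA_TARGETS = (
    "os_compute_api:servers:create_image",
    "os_compute_api:servers:create_image:allow_volume_backed",
)
GLANCE_TARGETS = (
    "add_image", "delete_image", "modify_image", "publicize_image",
    "copy_from", "upload_image", "delete_image_location",
    "set_image_location", "deactivate", "reactivate",
)
CINDER_TARGETS = ("volume_extension:volume_actions:upload_image",)

# Checks that grant access to administrators only. "!" denies everyone,
# which is at least as strict, so it is accepted as well.
ADMIN_CHECKS = {"role:admin", "is_admin:True", "!"}


def is_admin_only(policy, rule_text, _seen=None):
    """Return True if rule_text only ever matches an administrator.

    Single checks and "rule:<alias>" references are resolved through the
    policy dictionary. Compound expressions ("or", "and", "not") and
    undefined aliases are reported as NOT admin-only: for an audit that is
    the conservative answer, because the real oslo.policy evaluation of such
    a rule may let non-administrators through.
    """
    seen = _seen if _seen is not None else set()
    text = rule_text.strip()
    if text in ADMIN_CHECKS:
        return True
    if text.startswith("rule:"):
        alias = text[len("rule:"):]
        if alias in seen or alias not in policy:   # cycle or undefined alias
            return False
        seen.add(alias)
        return is_admin_only(policy, policy[alias], seen)
    return False


def find_unrestricted(policy, targets):
    """Map each target that is not admin-only to a short reason string."""
    findings = {}
    for target in targets:
        if target not in policy:
            # A missing target falls back to the service's built-in default,
            # which is not admin-only for any target on this page.
            findings[target] = "missing (service default applies)"
        elif not is_admin_only(policy, policy[target]):
            findings[target] = "rule is %r" % policy[target]
    return findings


def load_policy(text):
    """Parse a policy.json document into a {target: rule} dictionary."""
    return json.loads(text)


# Constructed sample: the second Nova rule was left at the upstream default,
# so the audit must flag it.
SAMPLE_NOVA_POLICY = """{
    "admin_api": "is_admin:True",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "os_compute_api:servers:create_image": "rule:admin_api",
    "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner"
}"""

# Constructed sample: copy_from is absent, everything else is restricted.
SAMPLE_GLANCE_POLICY = json.dumps(
    {t: "role:admin" for t in GLANCE_TARGETS if t != "copy_from"}
)


def audit_samples():
    """Run the audit over both constructed samples; used by the demo below."""
    return {
        "nova": find_unrestricted(load_policy(SAMPLE_NOVA_POLICY), NOVA_TARGETS),
        "glance": find_unrestricted(load_policy(SAMPLE_GLANCE_POLICY), GLANCE_TARGETS),
    }


if __name__ == "__main__":
    for service, findings in audit_samples().items():
        for target, reason in sorted(findings.items()):
            print("%s: %s -> %s" % (service, target, reason))
```

Against a deployed controller, read the real file instead of the sample, for example find_unrestricted(load_policy(open("/etc/nova/policy.json").read()), NOVA_TARGETS); an empty result means every listed target is restricted to administrators. Compound rules are deliberately reported rather than evaluated, so that anything more permissive than a plain admin check gets a manual review.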