This section describes how to restrict the Glance, Nova, and Cinder image and snapshot policies so that only administrators can manage images and snapshots in your OpenStack environment.

To configure the administrator-only policy:
1. In the /etc/nova directory, create and edit the policy.json file for Nova as follows (both create_image rules are restricted to rule:admin_api):

    {
        "os_compute_api:servers:create_image": "rule:admin_api",
        "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_api"
    }
2. In the openstack/control.yml file, restrict the managing operations by setting the role:admin value for the following Glance and Cinder policy parameters:

    parameters:
      glance:
        server:
          policy:
            add_image: "role:admin"
            delete_image: "role:admin"
            modify_image: "role:admin"
            publicize_image: "role:admin"
            copy_from: "role:admin"
            upload_image: "role:admin"
            delete_image_location: "role:admin"
            set_image_location: "role:admin"
            deactivate: "role:admin"
            reactivate: "role:admin"
      cinder:
        server:
          policy:
            'volume_extension:volume_actions:upload_image': "role:admin"
3. Apply the following states:

    salt 'ctl*' state.sls glance.server,cinder.controller

4. Verify in the states output that the rules have changed.

   If the following error occurs, synchronize the Salt modules and re-apply the glance.server state:

    Comment: State 'keystone_policy.rule_present' was not found in SLS 'glance.server'

    salt 'ctl*' saltutil.sync_all
    salt 'ctl*' state.sls glance.server

5. To apply the changes, restart the glance-api service:

    salt 'ctl*' service.restart glance-api
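As an added check for step 4 (not part of this documentation or of MCP), the script below evaluates the policy strings from steps 1 and 2 the way a policy engine would for an admin token and for a plain member token, and reports any target that is not admin-only. The evaluator, the sample credentials and the not_admin_only function are assumptions of this example; it is a hypothetical simplification of oslo.policy that covers only the role:, rule: and is_admin: checks and the or/and operators used here.

```python
import json

# Constructed sample: Nova's policy.json from step 1 plus Nova's built-in
# admin_api rule, which "rule:admin_api" refers to.
NOVA_RULES = json.loads("""{
    "admin_api": "is_admin:True",
    "os_compute_api:servers:create_image": "rule:admin_api",
    "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_api"
}""")

# Constructed sample: the Glance and Cinder policy values from step 2, flattened.
IMAGE_RULES = {
    "add_image": "role:admin", "delete_image": "role:admin",
    "modify_image": "role:admin", "publicize_image": "role:admin",
    "copy_from": "role:admin", "upload_image": "role:admin",
    "delete_image_location": "role:admin", "set_image_location": "role:admin",
    "deactivate": "role:admin", "reactivate": "role:admin",
    "volume_extension:volume_actions:upload_image": "role:admin",
}

# Constructed credentials, as a policy engine derives them from a token.
ADMIN = {"roles": ["admin"], "is_admin": True}
MEMBER = {"roles": ["member"], "is_admin": False}

def check(rule, creds, rules):
    """Hypothetical minimal evaluator: role:<name>, rule:<name>, is_admin:<bool>,
    "@" or "" (always), "!" (never), joined by "or"/"and" ("and" binds tighter)."""
    rule = rule.strip()
    if " or " in rule:
        return any(check(part, creds, rules) for part in rule.split(" or "))
    if " and " in rule:
        return all(check(part, creds, rules) for part in rule.split(" and "))
    if rule in ("@", ""):
        return True
    if rule == "!":
        return False
    kind, _, value = rule.partition(":")
    if kind == "rule":
        return check(rules[value], creds, rules)
    if kind == "role":
        return value in creds["roles"]
    if kind == "is_admin":
        return str(creds["is_admin"]) == value
    raise ValueError("unsupported check: %r" % rule)

def not_admin_only(rules, targets):
    """Targets a member can still call, or an admin cannot; empty means locked down."""
    return sorted(t for t in targets
                  if check(rules[t], MEMBER, rules) or not check(rules[t], ADMIN, rules))
```

To audit a live controller, replace the constructed NOVA_RULES with json.load() of the deployed /etc/nova/policy.json; an empty result means every listed target is admin-only.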