This section describes how to restrict the Glance, Nova, and Cinder image and snapshot policies so that only administrators can create, modify, and delete images and snapshots in your OpenStack environment. By default, any authenticated user in a project can snapshot its own servers and volumes and upload images; the rules below move every one of those operations behind the admin role.
To configure Administrator only policy:
In the /etc/nova directory, create or edit the Nova policy.json file and add the following rules. The file must be valid JSON, so there is no comma after the last rule. The rule:admin_api reference resolves to Nova's built-in admin_api rule, which by default is is_admin:True:

    {
        "os_compute_api:servers:create_image": "rule:admin_api",
        "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_api"
    }
In the openstack/control.yml file of your cluster model, restrict the image management operations by setting the following Glance and Cinder policy rules to role:admin. The Cinder rule covers uploading a volume to Glance as an image, which is the Cinder side of snapshot-to-image workflows:
    parameters:
      glance:
        server:
          policy:
            add_image: "role:admin"
            delete_image: "role:admin"
            modify_image: "role:admin"
            publicize_image: "role:admin"
            copy_from: "role:admin"
            upload_image: "role:admin"
            delete_image_location: "role:admin"
            set_image_location: "role:admin"
            deactivate: "role:admin"
            reactivate: "role:admin"
      cinder:
        server:
          policy:
            'volume_extension:volume_actions:upload_image': "role:admin"
Apply the following states:
salt 'ctl*' state.sls glance.server,cinder.controller
Verify in the state output that the policy rules have been changed.

If the state fails with the error "Comment: State 'keystone_policy.rule_present' was not found in SLS 'glance.server'", the Salt state module that manages policy rules has not been synchronized to the controller minions yet. Synchronize the Salt modules and re-apply the glance.server state:

    salt 'ctl*' saltutil.sync_all
    salt 'ctl*' state.sls glance.server
To apply the changes, restart the glance-api service:
salt 'ctl*' service.restart glance-api
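Before pushing the rules to the controllers, it is worth confirming offline that the policy file parses and that the rules actually deny a non-admin token. The following script is an added example and is not part of MCP, Nova, Glance, Cinder, or oslo.policy. It implements a small subset of the oslo.policy rule language (role:, rule:, is_admin:, "or", "and", "@", "!") so that the rules from this section can be evaluated against constructed sample credentials without a running cloud. The credential dictionaries, the is_admin flag, and the inclusion of Nova's default admin_api rule in the policy body are assumptions made for the example; parentheses and other oslo.policy checks are deliberately not supported.

```python
"""Offline dry-run of the snapshot and image policy rules from this section.

Added example; not code from MCP or oslo.policy. It reimplements a small
subset of the oslo.policy rule grammar so the rules above can be checked
against constructed credentials without a cloud.
"""
import json

# Nova rules from this section, written as valid JSON (no trailing comma).
# "admin_api" is Nova's built-in rule; its default definition is "is_admin:True"
# and it is included here only so that rule:admin_api resolves offline.
NOVA_POLICY_JSON = '''{
    "admin_api": "is_admin:True",
    "os_compute_api:servers:create_image": "rule:admin_api",
    "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_api"
}'''

# The same body with the trailing comma that a hand-edited file often ends up
# with; json.loads rejects it, and so does the policy loader on the controller.
BROKEN_NOVA_POLICY_JSON = NOVA_POLICY_JSON.replace(
    '"rule:admin_api"\n}', '"rule:admin_api",\n}')

# Glance and Cinder rules from control.yml, flattened into one policy dict.
GLANCE_CINDER_POLICY = {
    "add_image": "role:admin",
    "delete_image": "role:admin",
    "modify_image": "role:admin",
    "publicize_image": "role:admin",
    "copy_from": "role:admin",
    "upload_image": "role:admin",
    "delete_image_location": "role:admin",
    "set_image_location": "role:admin",
    "deactivate": "role:admin",
    "reactivate": "role:admin",
    "volume_extension:volume_actions:upload_image": "role:admin",
}

# Constructed sample credentials (assumed shape: a roles list plus an
# is_admin flag, as keystonemiddleware hands them to the policy enforcer).
ADMIN_CREDS = {"roles": ["admin", "member"], "is_admin": True}
MEMBER_CREDS = {"roles": ["member"], "is_admin": False}


def load_policy(text):
    """Parse a policy.json body; invalid JSON such as a trailing comma raises."""
    return json.loads(text)


def policy_parses(text):
    """Return True if the policy body is loadable, False otherwise."""
    try:
        load_policy(text)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False


def check(expr, rules, creds, depth=0):
    """Evaluate one rule expression against creds.

    Subset of oslo.policy semantics: "and" binds tighter than "or", role names
    compare case-insensitively, and a reference to an undefined rule denies.
    """
    if depth > 16:
        raise ValueError("rule recursion too deep: %r" % expr)
    expr = expr.strip()
    if "(" in expr or ")" in expr:
        raise ValueError("parentheses are not supported in this example")
    if expr in ("", "@"):          # "@" always passes
        return True
    if expr == "!":                # "!" always denies
        return False
    if " or " in expr:
        return any(check(p, rules, creds, depth) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, rules, creds, depth) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    if kind == "rule":
        return check(rules.get(value, "!"), rules, creds, depth + 1)
    if kind == "is_admin":
        return str(creds.get("is_admin", False)).lower() == value.lower()
    raise ValueError("unsupported check: %r" % expr)


def enforce(policy, action, creds):
    """Return True if creds may perform action; an unlisted action denies."""
    return check(policy.get(action, "!"), policy, creds)


def audit(policy, actions, creds):
    """Return {action: allowed} for every action, the check to run after the change."""
    return {a: enforce(policy, a, creds) for a in actions}


if __name__ == "__main__":
    nova = load_policy(NOVA_POLICY_JSON)
    nova_actions = sorted(k for k in nova if k.startswith("os_compute_api"))
    for name, creds in (("admin", ADMIN_CREDS), ("member", MEMBER_CREDS)):
        print(name, "nova:", audit(nova, nova_actions, creds))
        print(name, "glance/cinder:", audit(GLANCE_CINDER_POLICY, sorted(GLANCE_CINDER_POLICY), creds))
    print("file with trailing comma parses:", policy_parses(BROKEN_NOVA_POLICY_JSON))
```

Run it as-is to see every rule allow the admin credentials and deny the member credentials, and to see the trailing-comma variant rejected at parse time. The same evaluation can be repeated against the real files from the controllers after the states have been applied, by replacing the embedded policy bodies with the contents of /etc/nova/policy.json, /etc/glance/policy.json, and /etc/cinder/policy.json.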