Add policy support for specific metadata keys
Presently in nova, users without the admin role can add, update or delete metadata properties on an instance. Users can add metadata while booting the instance, or they can add, update or delete metadata through the server metadata RESTful APIs. There is no way to restrict such operations to users with the admin role. oslo.policy allows us to define a rule which restricts users from specifying a certain value for a specific property of a resource, but it has no rule to check whether a specific property exists in the target at all.
For example,
"restricted": "role:admin or not True:HA_Enabled"
By applying the above restricted rule to the server metadata APIs, it is possible to restrict users without the admin role from adding, updating or deleting the metadata property 'HA_Enabled=True'. But this rule will not restrict those users from setting any value other than True on the "HA_Enabled" metadata property, because the rule only matches one literal value.
If the above policy is configured for creating server metadata in nova as,
"os_compute_
For admin user:
$nova meta <instance_uuid> set HA_Enabled=True
Resp: 200
For normal user:
$nova meta <instance_uuid> set HA_Enabled=True
Resp: 403
But if a normal user tries to set any other value for HA_Enabled, the request still satisfies the rule:
For normal user:
$nova meta <instance_uuid> set HA_Enabled=
Resp: 200
So what we want is a way to restrict users from adding, updating or deleting specific metadata properties on an instance, independent of the value being set.
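The gap the description is pointing at, as an added Python model that is not nova or oslo.policy code: the credentials, the restricted-key set and the request shapes are constructed for the illustration, and value_rule only approximates the "restricted" rule quoted above rather than evaluating it through oslo.policy. It runs the same requests through a value-matching rule and through the key-based rule this blueprint asks for, so the cases the value rule cannot express (any value other than the literal True, and a delete, which carries no value to match) show up side by side.

```python
"""Added illustration of the blueprint's gap; not nova or oslo.policy code.

Two policy styles are compared on the same requests:
  value_rule  - approximates the quoted rule "role:admin or not True:HA_Enabled":
                it can only deny one literal value of one key.
  key_rule    - the behaviour the blueprint asks for: non-admins may not add,
                update or delete a restricted key, whatever the value.
The credentials, restricted-key set and request shapes are constructed here
for the example and are not nova's real policy targets.
"""

# Constructed credentials in the shape {"user": ..., "roles": [...]}.
ADMIN = {"user": "admin", "roles": ["admin", "member"]}
MEMBER = {"user": "demo", "roles": ["member"]}

# Hypothetical set of keys that only admins should be able to touch.
RESTRICTED_KEYS = frozenset({"HA_Enabled"})


def is_admin(creds):
    return "admin" in creds.get("roles", [])


def value_rule(creds, key, value=None):
    """Value-matching policy: deny only HA_Enabled with the literal 'True'.

    A delete carries no value, and any other spelling ('true', 'yes', '1')
    is not the literal 'True', so all of those pass for a non-admin.
    """
    if is_admin(creds):
        return True
    return not (key == "HA_Enabled" and value == "True")


def key_rule(creds, key, value=None):
    """Key-based policy: deny any operation on a restricted key to non-admins."""
    if is_admin(creds):
        return True
    return key not in RESTRICTED_KEYS


def http_status(allowed):
    """Map a policy decision to the status the API would return."""
    return 200 if allowed else 403


def compare(creds, key, value=None):
    """Return (status under value_rule, status under key_rule) for one request.

    value=None stands for a delete of the key.
    """
    return (http_status(value_rule(creds, key, value)),
            http_status(key_rule(creds, key, value)))


def denied_keys(rule, creds, metadata):
    """Keys of a bulk metadata update (PUT-style body) that `rule` rejects."""
    return sorted(k for k, v in metadata.items() if not rule(creds, k, v))


# Constructed requests mirroring the 'nova meta set' calls in the description,
# plus the cases the value rule cannot express.
SCENARIOS = [
    ("admin  set HA_Enabled=True",  ADMIN,  "HA_Enabled", "True"),
    ("member set HA_Enabled=True",  MEMBER, "HA_Enabled", "True"),
    ("member set HA_Enabled=False", MEMBER, "HA_Enabled", "False"),
    ("member set HA_Enabled=true",  MEMBER, "HA_Enabled", "true"),
    ("member delete HA_Enabled",    MEMBER, "HA_Enabled", None),
    ("member set owner=demo",       MEMBER, "owner",      "demo"),
]


if __name__ == "__main__":
    print(f"{'request':30} value_rule key_rule")
    for label, creds, key, value in SCENARIOS:
        v, k = compare(creds, key, value)
        print(f"{label:30} {v:>10} {k:>8}")
```

Only the first two rows agree between the two rules; every other non-admin request on HA_Enabled is accepted by the value rule and rejected by the key rule, which is the behaviour the blueprint wants from a policy check on the key itself.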
Blueprint information
- Status: Not started
- Approver: Matt Riedemann
- Priority: Undefined
- Drafter: Abhishek Kekane
- Direction: Needs approval
- Assignee: Abhishek Kekane
- Definition: New
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by
- Completed by
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Policy support for specific metadata keys