Add policy support for specific metadata keys

Registered by Abhishek Kekane on 2017-02-21

Presently in nova, users without the admin role can add, update or delete metadata properties on an instance. Users can add metadata while booting the instance, or they can add, update or delete metadata through the server metadata RESTful APIs. There is no way to restrict users other than those with the admin role from performing such operations. oslo.policy allows us to define a rule that restricts users from setting a certain value for a specific property of a resource, but it has no rule to check whether a specific property exists in the target at all.

For example,
"restricted": "role:admin or not True:HA_Enabled"

By applying the above "restricted" rule to the server metadata APIs, it is possible to prevent users without the admin role from adding, updating or deleting the metadata property 'HA_Enabled=True'. But this rule will not stop those users from setting a value other than True for the "HA_Enabled" metadata property.

If the above policy is configured for creating server metadata in nova as
"os_compute_api:servers:create": "rule:restricted", then:

For admin user:
    $nova meta <instance_uuid> set HA_Enabled=True
    Resp: 200

For normal user:
    $nova meta <instance_uuid> set HA_Enabled=True
    Resp: 403

But if a normal user tries to set any other value for HA_Enabled, the rule
is still satisfied:

For normal user:
    $nova meta <instance_uuid> set HA_Enabled=<random_value>
    Resp: 200

So what we want is a way to restrict users from adding, updating or deleting specific metadata properties on the instance, regardless of the value supplied.
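The following is an added illustration, not code from the blueprint, from nova or from oslo.policy: a small, self-contained model of how the "role:admin or not True:HA_Enabled" rule behaves for the three requests shown above, next to a hypothetical key-existence check (here named key_exists_check, an assumed name, not an existing oslo.policy check kind) of the sort this blueprint is asking for. The credential sets, the metadata targets and the way a delete is modelled (the key present with no value) are all constructed for the example; the evaluator is a simplified stand-in for oslo.policy's rule engine, not its real implementation.

```python
"""Model of the policy gap described in the blueprint.

Added example, not oslo.policy or nova code. A request is modelled as a
pair (creds, target): creds carries the caller's roles, target carries the
metadata keys and values the caller is trying to write. A delete is
modelled as the key being present with a value of None.
"""

# Constructed credential sets for the two callers in the blueprint text.
ADMIN = {"roles": ["admin"]}
USER = {"roles": ["member"]}


def role_check(role, creds):
    """Equivalent of the 'role:<name>' check: caller holds the role."""
    return role in creds.get("roles", [])


def value_check(literal, key, target):
    """Models 'True:HA_Enabled' as the blueprint reads it: the check only
    matches when the submitted value for the key equals the literal.
    A missing key, a different value, or a delete (None) never matches."""
    return target.get(key) == literal


def key_exists_check(key, target):
    """Hypothetical check the blueprint asks for (assumed name): matches
    whenever the key is present in the request, whatever its value."""
    return key in target


def restricted_rule(creds, target):
    """'restricted': 'role:admin or not True:HA_Enabled' (current behaviour)."""
    return role_check("admin", creds) or not value_check("True", "HA_Enabled", target)


def proposed_rule(creds, target):
    """Same shape, but built on the hypothetical key-existence check."""
    return role_check("admin", creds) or not key_exists_check("HA_Enabled", target)


def http_status(rule, creds, target):
    """Map the policy outcome onto the response codes used in the text."""
    return 200 if rule(creds, target) else 403


def scenarios(rule):
    """Run the blueprint's requests (plus a delete) through one rule."""
    return {
        "admin sets HA_Enabled=True": http_status(rule, ADMIN, {"HA_Enabled": "True"}),
        "user sets HA_Enabled=True": http_status(rule, USER, {"HA_Enabled": "True"}),
        "user sets HA_Enabled=<random_value>": http_status(rule, USER, {"HA_Enabled": "random_value"}),
        "user deletes HA_Enabled": http_status(rule, USER, {"HA_Enabled": None}),
        "user sets unrelated key": http_status(rule, USER, {"color": "blue"}),
    }


if __name__ == "__main__":
    for name, rule in (("restricted (value check)", restricted_rule),
                       ("proposed (key-existence check)", proposed_rule)):
        print(name)
        for request, status in scenarios(rule).items():
            print(f"  {request}: {status}")
```

Running the block prints the gap directly: under the value-based rule the non-admin user gets 403 only for HA_Enabled=True and 200 for any other value and for a delete, while the key-existence variant returns 403 for every non-admin request that names HA_Enabled and leaves unrelated keys untouched.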

Blueprint information

Status: Not started
Approver: Matt Riedemann
Priority: Undefined
Drafter: Abhishek Kekane
Direction: Needs approval
Assignee: Abhishek Kekane
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None
