openstack/openstack-manuals
Code Issues Proposed changes

Correct a policy rule example which reference to nova

Browse Source 
This patch corrects the policy rule example. In nova, the policy
enforcement by user_id isn't supported by servers resource, so correct
it to use project_id. Also in the Nova V2.1 API, the new policy rule
for servers start action prefix with 'os_compute_api:servers'.

Change-Id: Ic6b40e402e253b4a406b77169061736eceaf5102
This commit is contained in:
He Jie Xu 2016-06-06 09:55:47 +08:00
parent 97ab692b21
commit 1e846b0df8
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
doc/config-reference/source/policy-json-file.rst
View File

@ -102,13 +102,13 @@ Rules can compare API attributes to object attributes. For example:
.. code-block:: json
"compute:start" : "user_id:%(user_id)s"
"os_compute_api:servers:start" : "project_id:%(project_id)s"
states that only the owner of an instance can start it up. The
``user_id`` string before the colon is an API attribute, namely the user
ID of the API user. It is compared with the user ID of the object (in
``project_id`` string before the colon is an API attribute, namely the project
ID of the API user. It is compared with the project ID of the object (in
this case, an instance); more precisely, it is compared with the
``user_id`` field of that object in the database. If the two values are
``project_id`` field of that object in the database. If the two values are
equal, permission is granted.
An admin user always has permission to call APIs. This is how