[keystone] Re: Pike: "Observer" or "read-only" admin access?

Colleen Murphy colleen at gazlene.net
Fri Apr 12 15:49:20 UTC 2019

Hi Ken,

On Thu, Apr 11, 2019, at 15:05, Ken D'Ambrosio wrote:
> Hi, all.  Beginning to roll out a newer-than-what-we-had OpenStack 
> release -- likely to be Pike, "For reasons."  (Which is still *worlds* 
> newer than Juno, where we are.)  And I've been asked if there's such a 
> thing as an account (or ACL) that allows a user to read everything, but 
> write nothing.  Googling, I see mention of such things -- but nothing 
> really firm.  Does it exist?  Is it in Pike (or more recent releases)?  
> If it doesn't exist, is there a graceful way to make it happen, anyway?
> Thanks!
> -Ken

There is currently no read-only role that works out of the box in Pike or even in Stein. It's been a longstanding request and we're working on it:


The problem now is that just creating a role named "reader" in keystone doesn't automatically fix the problem; we need to coordinate with every project to redefine their default policies to use the reader role instead of using a catch-all member/Member/__member__ role. In the meantime, you can modify the policies of the services you run to limit write operations to non-reader roles:


Hope this helps.
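The per-service policy override Colleen describes, as an added example that is not part of her reply: a nova policy.yaml fragment that keeps the default admin-or-owner check for reads but excludes a "reader" role from writes. The target names are nova's default policy targets; the "reader" role name and the rule alias are assumptions, and the full target list should be taken from the sample that oslopolicy-sample-generator produces for the release actually deployed.

```yaml
# Added example (not from the mailing-list post): nova policy.yaml overrides.
# Pike's default for most server operations is "rule:admin_or_owner", which a
# user holding only a "reader" role on the project would still satisfy, so
# the weak setting is the default and the fix is to subtract readers from
# every write target.

# Default owner check as shipped (kept as-is, shown here for reference).
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"

# Assumed alias: same check, but a token carrying the "reader" role fails it.
"admin_or_owner_not_reader": "rule:admin_or_owner and not role:reader"

# Read operations: unchanged, readers may list and inspect servers.
"os_compute_api:servers:index": "rule:admin_or_owner"
"os_compute_api:servers:show": "rule:admin_or_owner"

# Write operations: switched from the weak default to the reader-excluding rule.
"os_compute_api:servers:create": "rule:admin_or_owner_not_reader"
"os_compute_api:servers:update": "rule:admin_or_owner_not_reader"
"os_compute_api:servers:delete": "rule:admin_or_owner_not_reader"
```

Because oslo.policy evaluates "not role:reader" against the roles in the token, the exclusion only holds if the reader role is never assigned alongside member or admin on the same project; every service that accepts writes needs the same treatment, which is the coordination problem the reply refers to.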


