[cinder] Implementing a read-only administrator with the default reader role and system scope

Miguel Lavalle miguel at mlavalle.com
Mon Sep 23 15:48:55 UTC 2019


Dear Cinder,

At my employer, Verizon Media, we want to implement a read only
administrator like role using the Keystone default reader role scoped at
system level. In the case of Nova, we've been following with interest their
efforts here:
https://review.opendev.org/#/q/topic:bp/policy-defaults-refresh+(status:open+OR+status:merged).
I decided to test the same approach with Cinder. The good news is that the
policy.py modules are almost the same in Nova and Cinder. I then looked,
though, at some API calls, like
https://docs.openstack.org/api-ref/block-storage/v3/index.html#volumes-volumes.
The url in these calls include project_id, which in the case of a system
scoped token I don't have. My questions are:

1) Am I missing something?
2) Are there any plans to implement a revision to these APIs in the near
future so we can leverage the system scope and roles like reader for policy
management?
3) One short term alternative in my case is to add "wrappers" to those API
calls where we want to enable the reader role with system scope, extract
the project_id from the context and forward the call to the regular API.
Does this make sense? Are there any caveats to this?

Best regards

Miguel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190923/efe4de29/attachment.html>


More information about the openstack-discuss mailing list