[Openstack-operators] Dynamic Policy

Xav Paice xavpaice at gmail.com
Wed Aug 5 22:33:32 UTC 2015

On 06/08/15 04:01, Kris G. Lindgren wrote:
> We ran into this as well.
> What we did is create an external to keystone api, that we expose to our
> end users via a UI.  The api will let users create projects (with a
> specific defined quota) and also add users with the "project admins"  role
> to the project.  Those admins can add/remove users from the project and
> also delete the project.  You can also be a "member", where you have the
> ability to spin up VMs under the project but not add/remove users or
> remove the project.  We also do some other stuff to clean up items in a
> project before it's deleted.  We are working to move this functionality out
> of the current external API and into keystone.  I believe we were going to
> look at waffle-haus to add a paste filter to intercept the project create
> calls and do the needful.

We're working on something similar, but haven't rolled it to production
yet.  Is your code available open-source somewhere?  Ours will be once
it's clean-ish and tested properly, but not yet lest we lead someone
into pain and misery.

One of the goals you didn't mention above, but I'm sure you also noted,
was that changing passwords or setting an initial password isn't exactly
clear - we're working on getting a one time link set that an initial
user can be sent to be able to set their own first password.

> We also modified the policy.json files for the services that we care about
> to add the new roles that we created.

Not the easiest task to either get right, or make sure that the files
are distributed around in an HA setting.  But absolutely necessary.

> ____________________________________________
> Kris Lindgren
> Senior Linux Systems Engineer
> GoDaddy, LLC.
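
One way to check the point raised in the reply above, that modified policy.json files have to stay identical across the nodes of an HA deployment. This is an added example, not code from either poster; the host names, rule names and the `project_admin` role are constructed assumptions.

```python
import hashlib
import json
import re

# Constructed sample input: policy.json text as collected from three
# hypothetical controllers. Rule names and the role are illustrative.
BASE = {
    "admin_or_project_admin":
        "role:admin or (role:project_admin and project_id:%(project_id)s)",
    "compute:delete": "rule:admin_or_project_admin",
    "compute:start": "role:member or rule:admin_or_project_admin",
}
STALE = dict(BASE, **{"compute:delete": "role:admin"})  # node missed the update
COLLECTED = {
    "ctrl1": json.dumps(BASE),
    "ctrl2": json.dumps(BASE, sort_keys=True, indent=2),  # same rules, other bytes
    "ctrl3": json.dumps(STALE),
}

def fingerprint(text):
    """Hash the parsed rules so key order and whitespace are not drift."""
    canonical = json.dumps(json.loads(text), sort_keys=True,
                           separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def find_drift(collected, reference):
    """Return {host: {rule: (reference_value, host_value)}} for differing hosts."""
    ref_text = collected[reference]
    ref = json.loads(ref_text)
    drift = {}
    for host, text in collected.items():
        if fingerprint(text) == fingerprint(ref_text):
            continue
        rules = json.loads(text)
        drift[host] = {name: (ref.get(name), rules.get(name))
                       for name in sorted(set(ref) | set(rules))
                       if ref.get(name) != rules.get(name)}
    return drift

def rules_using_role(text, role):
    """List rule names whose expression names the role directly."""
    pattern = re.compile(rf"\brole:{re.escape(role)}\b")
    return sorted(name for name, expr in json.loads(text).items()
                  if pattern.search(str(expr)))

if __name__ == "__main__":
    for host, diff in find_drift(COLLECTED, "ctrl1").items():
        for rule, (want, got) in diff.items():
            print(f"{host}: {rule}: expected {want!r}, found {got!r}")
```

Comparing parsed rules rather than raw file bytes avoids false alarms from formatting differences, and the per-rule diff shows which permission a stale node would still enforce.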
