<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Arial;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Courier New";
panose-1:2 7 3 9 2 2 5 2 4 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.bbscopedstyle3718958813697099
{mso-style-name:bbscopedstyle3718958813697099;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:595.0pt 842.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri;mso-fareast-language:EN-US">I think this would merit a bug report to cinder (and probably Manila also). This would also help if someone else is searching. The fix may well take some time
though.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri;mso-fareast-language:EN-US">Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-left:36.0pt"><b><span style="font-family:Calibri;color:black">From:
</span></b><span style="font-family:Calibri;color:black">"Edmund Rhudy (BLOOMBERG/ 120 PARK)" <erhudy@bloomberg.net><br>
<b>Reply-To: </b>Edmund Rhudy <erhudy@bloomberg.net><br>
<b>Date: </b>Friday, 27 January 2017 at 16:49<br>
<b>To: </b>openstack-operators <openstack-operators@lists.openstack.org>, Tim Bell <Tim.Bell@cern.ch><br>
<b>Subject: </b>Re: [Openstack-operators] Delegating quota management for all projects to a user without the admin role?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-family:"Courier New"">I did some deep excavation and found out that Cinder is specifically the problem here. With "openstack quota show", it contacts both Nova and Cinder for quota information.
Nova returns successfully, Cinder does not, so the whole command fails. Nova policy allows structuring things so that an individual user can manage quota for other users. Cinder, however, is rife with hardcoded checks for admin privileges at the top-level
API. To make things even better, there's a second layer of hardcoded checks below that on the SQLAlchemy API that run the same admin privilege checks _again_.
<o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-family:"Courier New"">With appropriate policy overrides set, I can see and manage Nova quotas just fine via novaclient (ignoring Cinder). Unfortunately, we need to be able to manage volume quotas
too, so I'll have to find a different approach (either that or locally patch some pretty big chunks of Cinder code, which strangely enough I'd like to avoid).<o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-family:"Courier New"">From: Tim.Bell@cern.ch
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-family:"Courier New"">Subject: Re: [Openstack-operators] Delegating quota management for all projects to a user without the admin role?<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt;background:white">
<span class="bbscopedstyle3718958813697099"><span style="font-size:11.0pt;font-family:Calibri;color:black;mso-fareast-language:EN-US">I think you could do something with policy.json to define which operations a given role would have access to. We have used
this to provide the centre operator with abilities such as stop/start. The technical details are described at
<a href="https://openstack-in-production.blogspot.fr/2015/02/delegation-of-roles.html">
https://openstack-in-production.blogspot.fr/2015/02/delegation-of-roles.html</a>.</span></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt;background:white">
<span style="font-size:11.0pt;font-family:Calibri;color:black;mso-fareast-language:EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt;background:white">
<span style="font-size:11.0pt;font-family:Calibri;color:black;mso-fareast-language:EN-US">Tim</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:36.0pt;background:white">
<span style="font-size:11.0pt;font-family:Calibri;color:black;mso-fareast-language:EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<b><span style="font-family:Calibri;color:black">From: </span></b><span style="font-family:Calibri;color:black">"Edmund Rhudy (BLOOMBERG/ 120 PARK)" <erhudy@bloomberg.net><br>
<b>Reply-To: </b>Edmund Rhudy <erhudy@bloomberg.net><br>
<b>Date: </b>Friday, 27 January 2017 at 00:36<br>
<b>To: </b>openstack-operators <openstack-operators@lists.openstack.org><br>
<b>Subject: </b>[Openstack-operators] Delegating quota management for all projects to a user without the admin role?</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="color:black"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black">I'm looking for a way to allow a user that does not have the admin role to be able to view and set quota (both Nova/Cinder) for all projects in an OpenStack cluster. For us, the boundary of a Keystone region
is coterminous with an OpenStack cluster - we don't currently use any sort of federated Keystone.
</span><span style="color:black"><o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black">Background: we are involved in a project (not the Keystone variety) for integrating Bloomberg's internal budget processes closely with purchasing compute resources. The idea of this system is that you will
purchase some number of standardized compute units and then you can allocate them to projects in various OpenStack clusters as you wish. In order to do this, the tool needs to be able to see what Keystone projects you have access to, see how much quota that
project has, and modify the quota settings for it appropriately.</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black">For obvious reasons, I'd like to keep the API access for this tool to a minimum. I know that if all else fails, the goal can be accomplished by giving it admin access, so I'm keeping that in my back pocket,
but I'd like to exhaust all reasonable options first.</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black">Allowing the tool to see project memberships and get project information is easy. The quota part, however, is not. I'm not sure how to accomplish that delegation, or how to give the tool admin-equivalent access
for a very small subset of the APIs. I'm unfamiliar with Keystone trusts and am not sure it would be appropriate here anyway, because it would seem like I'd need to delegate admin control to the role user in order to allow quota get/set. The only other thing
I can think of, and it seems really off the wall to me, is to:</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black">* create a local domain in Keystone</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black">* create one user in this local domain per every Keystone project and add it to that project</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black">* give this user a special role that allows it to set quotas for its project</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black">* set up a massive many-to-one web of trusts where all of these users are delegated back to the tool's account</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black">This solution seems very convoluted, and the number of trusts the tool will need to know about is going to grow linearly with the number of projects in Keystone.</span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:72.0pt;background:white">
<span style="font-family:"Courier New";color:black">The clusters in question are all running Liberty, with Keystone v3 available. Keystone is in a single-domain configuration, where the default domain is sourcing users from LDAP and all other information is
stored in SQL.<br>
<br>
Anyone have any thoughts, or am I SOL and just have to give this thing admin access and make sure the creds stay under lock and key?</span><span style="color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal" style="margin-left:36.0pt;background:white"><span style="font-family:Arial;color:black"><o:p> </o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>