[Openstack] 'admin' role hard-coded in keystone and nova, and policy.json

Dolph Mathews dolph.mathews at gmail.com
Fri May 11 01:10:26 UTC 2012


policy.json is entirely end-user configurable (it's not hardcoded at all):
replace every instance of "role:admin" in your policy.json (there are two by
default in nova's policy.json, for example) with "role:myadmin", create the
corresponding "myadmin" role in keystone, and grant it to the appropriate
users instead of "admin".

You can also have multiple roles with admin-like behaviors (see nova's
admin_or_owner as an example), or roles with very limited sets of
capabilities, e.g.:

    "volume:create": [["role:custom_role_that_can_only_create_volumes"]]

-Dolph

On Thu, May 10, 2012 at 4:32 PM, Salman A Baset <sabaset at us.ibm.com> wrote:

> It seems that the 'admin' role is hard-coded across nova and horizon. As a
> result if I want to define a 'myadmin' role, and grant it all the admin
> privileges, it does not seem possible. Is this a recognized limitation?
>
> Further, is there some good documentation on policy.json for nova,
> keystone, and glance?
>
> Thanks.
>
> Best Regards,
>
> Salman A. Baset
> Research Staff Member, IBM T. J. Watson Research Center
> Tel: +1-914-784-6248
>
>
>
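
The role swap described in the reply above, as an added example that is not part of the original thread or of OpenStack's code. The sample policy is constructed, the function names are hypothetical, and `check` is a simplified evaluator that assumes only `role:`, `rule:` and `key:%(x)s` checks in the list-of-lists format (outer list = OR, inner list = AND).

```python
import json

# Constructed sample in the list-of-lists policy.json format quoted above.
SAMPLE_POLICY = json.loads("""
{
  "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
  "admin_api": [["role:admin"]],
  "default": [["rule:admin_or_owner"]],
  "compute:get_all": [],
  "volume:create": [["role:custom_role_that_can_only_create_volumes"]]
}
""")

def rules_using_role(policy, role):
    """Names of the rules that contain an exact "role:<role>" check."""
    return sorted(name for name, alts in policy.items()
                  if any(f"role:{role}" in alt for alt in alts))

def rename_role(policy, old, new):
    """Return a copy with every "role:<old>" check replaced by "role:<new>"."""
    return {name: [[f"role:{new}" if c == f"role:{old}" else c for c in alt]
                   for alt in alts]
            for name, alts in policy.items()}

def check(policy, action, creds, target):
    """Simplified evaluation: unlisted actions fall back to "default"."""
    alts = policy[action] if action in policy else policy["default"]
    if not alts:
        return True  # an empty rule places no restriction on the action

    def match(c):
        kind, _, value = c.partition(":")
        if kind == "role":
            return value.lower() in [r.lower() for r in creds.get("roles", [])]
        if kind == "rule":
            return check(policy, value, creds, target)
        # generic check such as "project_id:%(project_id)s"
        return creds.get(kind) == value % target

    return any(all(match(c) for c in alt) for alt in alts)

if __name__ == "__main__":
    print("rules referencing role:admin:", rules_using_role(SAMPLE_POLICY, "admin"))
    new_policy = rename_role(SAMPLE_POLICY, "admin", "myadmin")
    print(json.dumps(new_policy, indent=2))
```

Running `rules_using_role` for "admin" on the rewritten policy is a quick way to confirm no stray reference survived before the old role's grants are removed in keystone.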

